qakbot | ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746

Analysis

max time kernel
125s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e2bcca5afd5e52dd8c3f38733f0536.dll
Size

2.0MB
MD5

22e2bcca5afd5e52dd8c3f38733f0536
SHA1

daa357db2376cd8bacf90ec54d463ae01285a0d7
SHA256

ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746
SHA512

a657978d60524ffae6635a946b534c2c9001035d54ca0d1ed53cd9e3c5abbcdd93b65dd9f1c947fb3de32ee9286f766b5cf971ac337dc3d4bca0a6508fd35d49
SSDEEP

3072:RrUbfrh/TP/lpDbIqUKQ0yzMrPye1TMhj4fujyaVzm28NaU:ybFLP/bXHUFzAae1bujL9d8Nd

Score

10^/10

qakbot abc109 1607499808 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.72

Botnet

abc109

Campaign

1607499808

37.210.255.225:443

83.110.13.182:2222

74.75.237.11:443

5.193.106.230:2078

86.125.205.97:443

58.152.9.133:443

83.110.221.218:443

178.87.49.9:443

217.128.117.218:2222

78.63.226.32:443

85.204.189.105:443

217.133.54.140:32100

87.27.110.90:2222

90.23.117.67:2222

94.69.242.254:2222

72.182.209.97:2222

89.137.211.239:443

197.45.110.165:995

105.198.236.99:443

39.32.72.187:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1508	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
1708	rundll32.exe
1708	rundll32.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid	Process
1708	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	Process	procid_target
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 2172 wrote to memory of 1708	2172	rundll32.exe	28
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1708 wrote to memory of 1032	1708	rundll32.exe	29
PID 1032 wrote to memory of 2628	1032	explorer.exe	30
PID 1032 wrote to memory of 2628	1032	explorer.exe	30
PID 1032 wrote to memory of 2628	1032	explorer.exe	30
PID 1032 wrote to memory of 2628	1032	explorer.exe	30
PID 2132 wrote to memory of 1552	2132	taskeng.exe	35
PID 2132 wrote to memory of 1552	2132	taskeng.exe	35
PID 2132 wrote to memory of 1552	2132	taskeng.exe	35
PID 2132 wrote to memory of 1552	2132	taskeng.exe	35
PID 2132 wrote to memory of 1552	2132	taskeng.exe	35
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jadymzuf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll\"" /SC ONCE /Z /ST 16:19 /ET 16:31
      4⤵
      Creates scheduled task(s)
      PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {871C217F-DC11-46E6-8419-4784CE793BEF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
    3⤵
    - Loads dropped DLL
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll

Filesize
2.0MB

MD5
e1789b42dce9f998c860c680058c0122

SHA1
31341ebc0fe77d0a3dec77dad35c6cd7885adbdb

SHA256
b08ca3c948d7ee738457a34d9d176bc571fdd182688ebe62e1690b4e9bca6bec

SHA512
28df4e8869ebe81ee0253753435b03db9c8f60eb09c9077cb572c14eeda7a2f9814f980bd52022853b050aa626d8973d75d28c6141e1e18d8447c733a7db53ad

Download Submit
memory/1032-2-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1032-6-0x0000000000660000-0x00000000008E1000-memory.dmp

Filesize
2.5MB

Download
memory/1032-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-8-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-9-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-10-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1708-0-0x0000000001FC0000-0x00000000021AA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-1-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1708-5-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download