qakbot | ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746

General

Target

22e2bcca5afd5e52dd8c3f38733f0536.dll
Size

2.0MB
MD5

22e2bcca5afd5e52dd8c3f38733f0536
SHA1

daa357db2376cd8bacf90ec54d463ae01285a0d7
SHA256

ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746
SHA512

a657978d60524ffae6635a946b534c2c9001035d54ca0d1ed53cd9e3c5abbcdd93b65dd9f1c947fb3de32ee9286f766b5cf971ac337dc3d4bca0a6508fd35d49
SSDEEP

3072:RrUbfrh/TP/lpDbIqUKQ0yzMrPye1TMhj4fujyaVzm28NaU:ybFLP/bXHUFzAae1bujL9d8Nd

Score

10^/10

qakbot abc109 1607499808 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.72

Botnet

abc109

Campaign

1607499808

C2

37.210.255.225:443

83.110.13.182:2222

74.75.237.11:443

5.193.106.230:2078

86.125.205.97:443

58.152.9.133:443

83.110.221.218:443

178.87.49.9:443

217.128.117.218:2222

78.63.226.32:443

85.204.189.105:443

217.133.54.140:32100

87.27.110.90:2222

90.23.117.67:2222

94.69.242.254:2222

72.182.209.97:2222

89.137.211.239:443

197.45.110.165:995

105.198.236.99:443

39.32.72.187:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1508 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1708 rundll32.exe
1708 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1708 rundll32.exe

pid	process
1508	regsvr32.exe

pid	process
2628	schtasks.exe

pid	process
1708	rundll32.exe
1708	rundll32.exe

pid	process
1708	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1708 wrote to memory of 1032	1708	rundll32.exe	explorer.exe
PID 1032 wrote to memory of 2628	1032	explorer.exe	schtasks.exe
PID 1032 wrote to memory of 2628	1032	explorer.exe	schtasks.exe
PID 1032 wrote to memory of 2628	1032	explorer.exe	schtasks.exe
PID 1032 wrote to memory of 2628	1032	explorer.exe	schtasks.exe
PID 2132 wrote to memory of 1552	2132	taskeng.exe	regsvr32.exe
PID 2132 wrote to memory of 1552	2132	taskeng.exe	regsvr32.exe
PID 2132 wrote to memory of 1552	2132	taskeng.exe	regsvr32.exe
PID 2132 wrote to memory of 1552	2132	taskeng.exe	regsvr32.exe
PID 2132 wrote to memory of 1552	2132	taskeng.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1508	1552	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jadymzuf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll\"" /SC ONCE /Z /ST 16:19 /ET 16:31
4⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {871C217F-DC11-46E6-8419-4784CE793BEF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
3⤵
- Loads dropped DLL
PID:1508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll
Filesize
2.0MB

MD5
e1789b42dce9f998c860c680058c0122

SHA1
31341ebc0fe77d0a3dec77dad35c6cd7885adbdb

SHA256
b08ca3c948d7ee738457a34d9d176bc571fdd182688ebe62e1690b4e9bca6bec

SHA512
28df4e8869ebe81ee0253753435b03db9c8f60eb09c9077cb572c14eeda7a2f9814f980bd52022853b050aa626d8973d75d28c6141e1e18d8447c733a7db53ad

Download Submit
memory/1032-2-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1032-6-0x0000000000660000-0x00000000008E1000-memory.dmp

Filesize
2.5MB

Download
memory/1032-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-8-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-9-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-10-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1032-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1708-0-0x0000000001FC0000-0x00000000021AA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-1-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1708-5-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads