qakbot | ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746

General

Target

22e2bcca5afd5e52dd8c3f38733f0536.dll
Size

2.0MB
MD5

22e2bcca5afd5e52dd8c3f38733f0536
SHA1

daa357db2376cd8bacf90ec54d463ae01285a0d7
SHA256

ebc65a0de1181cf74562042be9a2c87fadc0e3982fb5c15d27a58570ed155746
SHA512

a657978d60524ffae6635a946b534c2c9001035d54ca0d1ed53cd9e3c5abbcdd93b65dd9f1c947fb3de32ee9286f766b5cf971ac337dc3d4bca0a6508fd35d49
SSDEEP

3072:RrUbfrh/TP/lpDbIqUKQ0yzMrPye1TMhj4fujyaVzm28NaU:ybFLP/bXHUFzAae1bujL9d8Nd

Score

10^/10

qakbot abc109 1607499808 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.72

Botnet

abc109

Campaign

1607499808

C2

37.210.255.225:443

83.110.13.182:2222

74.75.237.11:443

5.193.106.230:2078

86.125.205.97:443

58.152.9.133:443

83.110.221.218:443

178.87.49.9:443

217.128.117.218:2222

78.63.226.32:443

85.204.189.105:443

217.133.54.140:32100

87.27.110.90:2222

90.23.117.67:2222

94.69.242.254:2222

72.182.209.97:2222

89.137.211.239:443

197.45.110.165:995

105.198.236.99:443

39.32.72.187:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4484 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4056 4484 WerFault.exe regsvr32.exe

pid	process
4484	regsvr32.exe

pid	pid_target	process	target process
4056	4484	WerFault.exe	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4556 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3588 rundll32.exe
3588 rundll32.exe
3588 rundll32.exe
3588 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3588 rundll32.exe

pid	process
4556	schtasks.exe

pid	process
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe

pid	process
3588	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 2996 wrote to memory of 3588	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 3588	2996	rundll32.exe	rundll32.exe
PID 2996 wrote to memory of 3588	2996	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 3292	3588	rundll32.exe	explorer.exe
PID 3588 wrote to memory of 3292	3588	rundll32.exe	explorer.exe
PID 3588 wrote to memory of 3292	3588	rundll32.exe	explorer.exe
PID 3588 wrote to memory of 3292	3588	rundll32.exe	explorer.exe
PID 3588 wrote to memory of 3292	3588	rundll32.exe	explorer.exe
PID 3292 wrote to memory of 4556	3292	explorer.exe	schtasks.exe
PID 3292 wrote to memory of 4556	3292	explorer.exe	schtasks.exe
PID 3292 wrote to memory of 4556	3292	explorer.exe	schtasks.exe
PID 4700 wrote to memory of 4484	4700	regsvr32.exe	regsvr32.exe
PID 4700 wrote to memory of 4484	4700	regsvr32.exe	regsvr32.exe
PID 4700 wrote to memory of 4484	4700	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eajweqw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll\"" /SC ONCE /Z /ST 16:19 /ET 16:31
4⤵
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll"
2⤵
- Loads dropped DLL
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 584
3⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4484 -ip 4484
1⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22e2bcca5afd5e52dd8c3f38733f0536.dll
Filesize
2.0MB

MD5
e1789b42dce9f998c860c680058c0122

SHA1
31341ebc0fe77d0a3dec77dad35c6cd7885adbdb

SHA256
b08ca3c948d7ee738457a34d9d176bc571fdd182688ebe62e1690b4e9bca6bec

SHA512
28df4e8869ebe81ee0253753435b03db9c8f60eb09c9077cb572c14eeda7a2f9814f980bd52022853b050aa626d8973d75d28c6141e1e18d8447c733a7db53ad

Download Submit
memory/3292-2-0x0000000000AB0000-0x0000000000AD1000-memory.dmp

Filesize
132KB

Download
memory/3292-6-0x0000000000AB0000-0x0000000000AD1000-memory.dmp

Filesize
132KB

Download
memory/3292-7-0x0000000000AB0000-0x0000000000AD1000-memory.dmp

Filesize
132KB

Download
memory/3292-8-0x0000000000AB0000-0x0000000000AD1000-memory.dmp

Filesize
132KB

Download
memory/3292-10-0x0000000000AB0000-0x0000000000AD1000-memory.dmp

Filesize
132KB

Download
memory/3588-0-0x0000000002880000-0x0000000002A6A000-memory.dmp

Filesize
1.9MB

Download
memory/3588-1-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/3588-5-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads