qakbot | bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823

General

Target

Complaint-Letter_1492841762_12042020.xls
Size

43KB
MD5

e1bddad335af1cbf14788dfd3b898a59
SHA1

1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d
SHA256

bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823
SHA512

7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51

Score

10^/10

qakbot abc107 1607078484 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc107

Campaign

1607078484

C2

32.212.117.188:443

109.205.204.229:2222

72.36.59.46:2222

173.18.126.193:2222

96.225.88.23:443

89.137.211.239:443

110.142.205.182:443

82.76.47.211:443

193.83.25.177:995

67.40.253.209:995

73.244.83.199:443

2.90.186.243:995

189.252.62.238:995

141.237.135.194:443

82.78.70.128:443

185.125.151.172:443

79.117.239.22:2222

86.189.252.131:2222

83.114.243.80:2222

2.50.56.81:443

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1680	1744	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1680 rundll32.exe
1472 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

988 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1680	rundll32.exe
1472	regsvr32.exe

pid	process
988	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1744 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1680 rundll32.exe
1680 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1680 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1744 EXCEL.EXE
1744 EXCEL.EXE
1744 EXCEL.EXE

pid	process
1744	EXCEL.EXE

pid	process
1680	rundll32.exe
1680	rundll32.exe

pid	process
1680	rundll32.exe

pid	process
1744	EXCEL.EXE
1744	EXCEL.EXE
1744	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1744 wrote to memory of 1680	1744	EXCEL.EXE	rundll32.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 1680 wrote to memory of 928	1680	rundll32.exe	explorer.exe
PID 928 wrote to memory of 988	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 988	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 988	928	explorer.exe	schtasks.exe
PID 928 wrote to memory of 988	928	explorer.exe	schtasks.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1596 wrote to memory of 1376	1596	taskeng.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 1472	1376	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Complaint-Letter_1492841762_12042020.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\AppData\Roaming\Herti.klaciiaa,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rpiocrpl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Roaming\Herti.klaciiaa\"" /SC ONCE /Z /ST 17:08 /ET 17:20
4⤵
- Creates scheduled task(s)
PID:988

C:\Windows\system32\taskeng.exe
taskeng.exe {8268D2D6-6FA7-47CB-B14A-57EC9986FF8E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"
3⤵
- Loads dropped DLL
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
62f22aeaeaa3a2d7ea7143746c307bea

SHA1
b93d53494d7ca2d6fbb753f23ee4b6a3c48d0f67

SHA256
4263d7a580a32040b17edca153a90feb2bf43962a5b6f5e931e1eb5915a3a748

SHA512
cef5d889ede6e5d41cd2f19212b05c1cb39f61c57720a995066fc547b6492697b89d9f2870e37897ae7983758ad5409008fa7aba12d48cd9a8f1f8476e5cd564

Download Submit
C:\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
e824660bd9cdbd13c57a6d18cbfd05be

SHA1
0445446c25600aacad41cef204abd85f573f6fb0

SHA256
8614f431ffea53bde4b1da6e4b015925bb35a33d7098381c8199b832feb72b99

SHA512
f2c739f98aeca94dc88925f6fe88bca4b75c74549f97b19a7ba97acce99989a5eba976cd2d9812fa07e2190c11911a86547aa9d46a1f4704a7f53ab3165fc4ec

Download Submit
\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
62f22aeaeaa3a2d7ea7143746c307bea

SHA1
b93d53494d7ca2d6fbb753f23ee4b6a3c48d0f67

SHA256
4263d7a580a32040b17edca153a90feb2bf43962a5b6f5e931e1eb5915a3a748

SHA512
cef5d889ede6e5d41cd2f19212b05c1cb39f61c57720a995066fc547b6492697b89d9f2870e37897ae7983758ad5409008fa7aba12d48cd9a8f1f8476e5cd564

Download Submit
\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
e824660bd9cdbd13c57a6d18cbfd05be

SHA1
0445446c25600aacad41cef204abd85f573f6fb0

SHA256
8614f431ffea53bde4b1da6e4b015925bb35a33d7098381c8199b832feb72b99

SHA512
f2c739f98aeca94dc88925f6fe88bca4b75c74549f97b19a7ba97acce99989a5eba976cd2d9812fa07e2190c11911a86547aa9d46a1f4704a7f53ab3165fc4ec

Download Submit
memory/928-8-0x0000000000000000-mapping.dmp

Download
memory/928-11-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/928-6-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/988-10-0x0000000000000000-mapping.dmp

Download
memory/1344-2-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp

Filesize
2.5MB

Download
memory/1376-12-0x0000000000000000-mapping.dmp

Download
memory/1472-14-0x0000000000000000-mapping.dmp

Download
memory/1680-7-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/1680-9-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1680-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads