qakbot | bc70e3e36cc5f2443fb95bbfb74c494001c2e0e8520ca4000bffe38772273ddd

General

Target

Complaint-Letter_2082718428_12042020.xls
Size

43KB
MD5

af743920f1c2a88671efd757f7eaa9b7
SHA1

d1743d50f044da581d99ffd7a81956c74262d896
SHA256

bc6bb3e5c68a9624544780f6f1a7b411b4a0906b7662110b38e7cfff280731c3
SHA512

69b6fcfabba261bea736c097d362ff8aa7255e71d0ec6a0c99624e4dd5033824fa6a279a10fcbbd6462e98b41d53df1ab3a94aea78dc0f1771786dffac504644

Score

10^/10

qakbot abc107 1607078484 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc107

Campaign

1607078484

C2

32.212.117.188:443

109.205.204.229:2222

72.36.59.46:2222

173.18.126.193:2222

96.225.88.23:443

89.137.211.239:443

110.142.205.182:443

82.76.47.211:443

193.83.25.177:995

67.40.253.209:995

73.244.83.199:443

2.90.186.243:995

189.252.62.238:995

141.237.135.194:443

82.78.70.128:443

185.125.151.172:443

79.117.239.22:2222

86.189.252.131:2222

83.114.243.80:2222

2.50.56.81:443

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	368	1824	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

368 rundll32.exe
1680 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
368	rundll32.exe
1680	regsvr32.exe

pid	process
616	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1824 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

368 rundll32.exe
368 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

368 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1824 EXCEL.EXE
1824 EXCEL.EXE
1824 EXCEL.EXE

pid	process
1824	EXCEL.EXE

pid	process
368	rundll32.exe
368	rundll32.exe

pid	process
368	rundll32.exe

pid	process
1824	EXCEL.EXE
1824	EXCEL.EXE
1824	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 1824 wrote to memory of 368	1824	EXCEL.EXE	rundll32.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 368 wrote to memory of 1000	368	rundll32.exe	explorer.exe
PID 1000 wrote to memory of 616	1000	explorer.exe	schtasks.exe
PID 1000 wrote to memory of 616	1000	explorer.exe	schtasks.exe
PID 1000 wrote to memory of 616	1000	explorer.exe	schtasks.exe
PID 1000 wrote to memory of 616	1000	explorer.exe	schtasks.exe
PID 1916 wrote to memory of 1528	1916	taskeng.exe	regsvr32.exe
PID 1916 wrote to memory of 1528	1916	taskeng.exe	regsvr32.exe
PID 1916 wrote to memory of 1528	1916	taskeng.exe	regsvr32.exe
PID 1916 wrote to memory of 1528	1916	taskeng.exe	regsvr32.exe
PID 1916 wrote to memory of 1528	1916	taskeng.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe
PID 1528 wrote to memory of 1680	1528	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Complaint-Letter_2082718428_12042020.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\AppData\Roaming\Herti.klaciiaa,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn umlmpqasl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Roaming\Herti.klaciiaa\"" /SC ONCE /Z /ST 15:08 /ET 15:20
4⤵
- Creates scheduled task(s)
PID:616

C:\Windows\system32\taskeng.exe
taskeng.exe {BEA35088-1961-411A-BB7A-AAEC49452098} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Roaming\Herti.klaciiaa"
3⤵
- Loads dropped DLL
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
5707f51f0b092a06abf4f605dc1c9b43

SHA1
8094f644906400da76925802d8dea4432ee9b86b

SHA256
ac89662e83fd7ff5b5b28be5ec582c864c76d6f14de7f2dddf47b63b089048b6

SHA512
566a001ed203cae8a0db617c621841f6358bd13e86cda6bd6ea31d03c24818a2716b5935f578855fdb9572d11d1bfe9811b682b7d31b96bc1244efba1754a8a0

Download Submit
C:\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
d816fe5f31af4196f84333384692e8a3

SHA1
9e9bd6ae31de39496e15a2a3968d4a2cbc8a5f9b

SHA256
5936a37a90f3c7ab44d79d93388f38eba56e8b0f391b7aeaa0a1a65e4cd97b76

SHA512
65b3dbcf089e8ac3dc700f85f35c6a2a14ebfee6efbc87d73c23b408d58feb20cd0a0641a05ac8acf665b29efd75d6f3368fce0f2d7245447ad99189c0857f33

Download Submit
\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
5707f51f0b092a06abf4f605dc1c9b43

SHA1
8094f644906400da76925802d8dea4432ee9b86b

SHA256
ac89662e83fd7ff5b5b28be5ec582c864c76d6f14de7f2dddf47b63b089048b6

SHA512
566a001ed203cae8a0db617c621841f6358bd13e86cda6bd6ea31d03c24818a2716b5935f578855fdb9572d11d1bfe9811b682b7d31b96bc1244efba1754a8a0

Download Submit
\Users\Admin\AppData\Roaming\Herti.klaciiaa
MD5
d816fe5f31af4196f84333384692e8a3

SHA1
9e9bd6ae31de39496e15a2a3968d4a2cbc8a5f9b

SHA256
5936a37a90f3c7ab44d79d93388f38eba56e8b0f391b7aeaa0a1a65e4cd97b76

SHA512
65b3dbcf089e8ac3dc700f85f35c6a2a14ebfee6efbc87d73c23b408d58feb20cd0a0641a05ac8acf665b29efd75d6f3368fce0f2d7245447ad99189c0857f33

Download Submit
memory/368-3-0x0000000000000000-mapping.dmp

Download
memory/368-7-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/368-9-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/616-10-0x0000000000000000-mapping.dmp

Download
memory/1000-8-0x0000000000000000-mapping.dmp

Download
memory/1000-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1000-6-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1408-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmp

Filesize
2.5MB

Download
memory/1528-12-0x0000000000000000-mapping.dmp

Download
memory/1680-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads