qakbot | d92c94030dca29964cb4e5cd8a31c6fc73ce0b0e01734450aed7e3327f132e78

General

Target

Document_314379760-Copy.xls
Size

59KB
MD5

24e2b1dc895e185efb45e60cda15abbf
SHA1

6e49f02ddab975d859f401d4ea59fb6fec37ce7f
SHA256

d92c94030dca29964cb4e5cd8a31c6fc73ce0b0e01734450aed7e3327f132e78
SHA512

93b0f7cb2c948123b7bd13db860b891686522a0bbc16890a6cbfcff1a4b0c91475f56d2b079612bd75daec415cf42688f82d202509533b3512cd4c80b7911b3e

Score

10^/10

qakbot abc110 1607524278 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc110

Campaign

1607524278

C2

78.63.226.32:443

72.252.201.69:443

68.190.152.98:443

72.240.200.181:2222

216.137.142.200:2222

87.27.110.90:2222

94.69.242.254:2222

189.183.209.211:443

94.26.119.221:443

186.189.208.238:443

161.199.180.159:443

197.45.110.165:995

83.110.221.218:443

105.198.236.99:443

83.110.158.22:2222

24.37.178.158:443

185.105.131.233:443

79.101.206.250:995

92.154.83.96:2078

83.202.68.220:2222

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1980	996	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1980 rundll32.exe
620 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1424 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1980	rundll32.exe
620	regsvr32.exe

pid	process
1424	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

996 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1980 rundll32.exe
1980 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1980 rundll32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

996 EXCEL.EXE
996 EXCEL.EXE
996 EXCEL.EXE
996 EXCEL.EXE
996 EXCEL.EXE
996 EXCEL.EXE
996 EXCEL.EXE

pid	process
996	EXCEL.EXE

pid	process
1980	rundll32.exe
1980	rundll32.exe

pid	process
1980	rundll32.exe

pid	process
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 996 wrote to memory of 1980	996	EXCEL.EXE	rundll32.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 1980 wrote to memory of 908	1980	rundll32.exe	explorer.exe
PID 908 wrote to memory of 1424	908	explorer.exe	schtasks.exe
PID 908 wrote to memory of 1424	908	explorer.exe	schtasks.exe
PID 908 wrote to memory of 1424	908	explorer.exe	schtasks.exe
PID 908 wrote to memory of 1424	908	explorer.exe	schtasks.exe
PID 1224 wrote to memory of 960	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 960	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 960	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 960	1224	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 960	1224	taskeng.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe
PID 960 wrote to memory of 620	960	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document_314379760-Copy.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\AppData\Kipofe.mmaallaauu,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iarolojz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Kipofe.mmaallaauu\"" /SC ONCE /Z /ST 11:46 /ET 11:58
4⤵
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\taskeng.exe
taskeng.exe {2D423688-00EF-4A21-A4C9-D3A2BD147EAC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Kipofe.mmaallaauu"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Kipofe.mmaallaauu"
3⤵
- Loads dropped DLL
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Kipofe.mmaallaauu
MD5
6262ac21d7a47c5914b64d2f9fb53547

SHA1
6acee3bbd3b6b12f4e7588ac7a925edf2012e4a8

SHA256
58be24e908a199d1f98254e69bedd539cb13558887b456cd71b843542f330c18

SHA512
0c02a873c515a2b7e9df6368fb606aa06fcd12b12abd2db1f00d9a6aef155e9d7b3599d3dc12ebf1c1e631f32e7e5cab24db1653fcd6206a7dc613397c82c4ac

Download Submit
C:\Users\Admin\AppData\Kipofe.mmaallaauu
MD5
271c50019420fd37f92c8b61c6dd408b

SHA1
c11d5431cdd42ea45ed930edb3fd9cce11410255

SHA256
ba6f04a27354fc119878403d50689d102260e86eb1b3a70190ab1a9533ee99f3

SHA512
d41d02d683ba34b931589d7e686087ff8756b4253a61d20a2e3c6f2d25df5377ff5dbb5aa2953fda72912887cf32cb1e57792bdf7075a05b38a4e2d31afa6b05

Download Submit
\Users\Admin\AppData\Kipofe.mmaallaauu
MD5
6262ac21d7a47c5914b64d2f9fb53547

SHA1
6acee3bbd3b6b12f4e7588ac7a925edf2012e4a8

SHA256
58be24e908a199d1f98254e69bedd539cb13558887b456cd71b843542f330c18

SHA512
0c02a873c515a2b7e9df6368fb606aa06fcd12b12abd2db1f00d9a6aef155e9d7b3599d3dc12ebf1c1e631f32e7e5cab24db1653fcd6206a7dc613397c82c4ac

Download Submit
\Users\Admin\AppData\Kipofe.mmaallaauu
MD5
271c50019420fd37f92c8b61c6dd408b

SHA1
c11d5431cdd42ea45ed930edb3fd9cce11410255

SHA256
ba6f04a27354fc119878403d50689d102260e86eb1b3a70190ab1a9533ee99f3

SHA512
d41d02d683ba34b931589d7e686087ff8756b4253a61d20a2e3c6f2d25df5377ff5dbb5aa2953fda72912887cf32cb1e57792bdf7075a05b38a4e2d31afa6b05

Download Submit
memory/620-14-0x0000000000000000-mapping.dmp

Download
memory/908-8-0x0000000000000000-mapping.dmp

Download
memory/908-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/908-6-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/960-12-0x0000000000000000-mapping.dmp

Download
memory/1424-10-0x0000000000000000-mapping.dmp

Download
memory/1448-2-0x000007FEF6890000-0x000007FEF6B0A000-memory.dmp

Filesize
2.5MB

Download
memory/1980-9-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1980-7-0x00000000001E0000-0x0000000000201000-memory.dmp

Filesize
132KB

Download
memory/1980-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads