qakbot | dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc

General

Target

file.01.21.doc
Size

92KB
MD5

cfbd343882b57a2d395ddb566984a0dd
SHA1

8baa1cb1935bafa0f89bd4fc5d5c8c47d05d1f4c
SHA256

dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc
SHA512

e3606d5bc2354c7e4b3eff6aa681ee77d8f9aeaec07641a93ac02aed063b952feaa8ffebbb1fb4e68e5d131ece24264c03a6f4a5191d15e42767203bf83e1653

Score

10^/10

qakbot krk01 1611569149 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

hello.com

pid process

2160 hello.com
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3824 regsvr32.exe

pid	process
2160	hello.com

pid	process
3824	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3992 WINWORD.EXE
3992 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

3824 regsvr32.exe
3824 regsvr32.exe
3824 regsvr32.exe
3824 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

3824 regsvr32.exe

pid	process
3824	regsvr32.exe
3824	regsvr32.exe
3824	regsvr32.exe
3824	regsvr32.exe

pid	process
3824	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

hello.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	2160	hello.com
Token: SeSecurityPrivilege	2160	hello.com
Token: SeTakeOwnershipPrivilege	2160	hello.com
Token: SeLoadDriverPrivilege	2160	hello.com
Token: SeSystemProfilePrivilege	2160	hello.com
Token: SeSystemtimePrivilege	2160	hello.com
Token: SeProfSingleProcessPrivilege	2160	hello.com
Token: SeIncBasePriorityPrivilege	2160	hello.com
Token: SeCreatePagefilePrivilege	2160	hello.com
Token: SeBackupPrivilege	2160	hello.com
Token: SeRestorePrivilege	2160	hello.com
Token: SeShutdownPrivilege	2160	hello.com
Token: SeDebugPrivilege	2160	hello.com
Token: SeSystemEnvironmentPrivilege	2160	hello.com
Token: SeRemoteShutdownPrivilege	2160	hello.com
Token: SeUndockPrivilege	2160	hello.com
Token: SeManageVolumePrivilege	2160	hello.com
Token: 33	2160	hello.com
Token: 34	2160	hello.com
Token: 35	2160	hello.com
Token: 36	2160	hello.com
Token: SeIncreaseQuotaPrivilege	2160	hello.com
Token: SeSecurityPrivilege	2160	hello.com
Token: SeTakeOwnershipPrivilege	2160	hello.com
Token: SeLoadDriverPrivilege	2160	hello.com
Token: SeSystemProfilePrivilege	2160	hello.com
Token: SeSystemtimePrivilege	2160	hello.com
Token: SeProfSingleProcessPrivilege	2160	hello.com
Token: SeIncBasePriorityPrivilege	2160	hello.com
Token: SeCreatePagefilePrivilege	2160	hello.com
Token: SeBackupPrivilege	2160	hello.com
Token: SeRestorePrivilege	2160	hello.com
Token: SeShutdownPrivilege	2160	hello.com
Token: SeDebugPrivilege	2160	hello.com
Token: SeSystemEnvironmentPrivilege	2160	hello.com
Token: SeRemoteShutdownPrivilege	2160	hello.com
Token: SeUndockPrivilege	2160	hello.com
Token: SeManageVolumePrivilege	2160	hello.com
Token: 33	2160	hello.com
Token: 34	2160	hello.com
Token: 35	2160	hello.com
Token: 36	2160	hello.com

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEhello.comregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3992 wrote to memory of 2160	3992	WINWORD.EXE	hello.com
PID 3992 wrote to memory of 2160	3992	WINWORD.EXE	hello.com
PID 2160 wrote to memory of 3632	2160	hello.com	regsvr32.exe
PID 2160 wrote to memory of 3632	2160	hello.com	regsvr32.exe
PID 3632 wrote to memory of 3824	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 3824	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 3824	3632	regsvr32.exe	regsvr32.exe
PID 3824 wrote to memory of 1248	3824	regsvr32.exe	explorer.exe
PID 3824 wrote to memory of 1248	3824	regsvr32.exe	explorer.exe
PID 3824 wrote to memory of 1248	3824	regsvr32.exe	explorer.exe
PID 3824 wrote to memory of 1248	3824	regsvr32.exe	explorer.exe
PID 3824 wrote to memory of 1248	3824	regsvr32.exe	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file.01.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

\??\c:\programdata\hello.com
c:\programdata\hello.com pagefile get /format:"c:\programdata\hello.xsL"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\41401.jpg
3⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\41401.jpg
4⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hello.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\41401.jpg
MD5
e64137072aa73702889674831b424cbb

SHA1
beb3fe4681e84941617ccaeb89169efc7268a0ba

SHA256
8f3f6fcef89bdf02fe1108b0452bd701860ef8ca111d09859daba97fc1d3ef9a

SHA512
56bdae98e5b186e342112b1ff44e4116c8e40f964f4c0cadd7ad09e2172b70c7019b7450a0a87574626cf4786f2d187592711c57f740d8d8757a9e36dc3d646c

Download Submit
\??\c:\programdata\hello.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\hello.xsL
MD5
886f82da2d65f460b35eb737d2897940

SHA1
bd75c902bb9b490cb38667e11ee5979187b82468

SHA256
04d407837c3a0a82ecc6d73c8d5685ca48621ee018b698f469bc954506a14f74

SHA512
fff94b2555fa49f7b4f03d2bfd1bdb14c24ed2947f0332f6e65046b98406c706224a612dac74bebad14cfe0f1cbe88e3df51b2b5b25fb2f436d53d29357d2ca8

Download Submit
\ProgramData\41401.jpg
MD5
e64137072aa73702889674831b424cbb

SHA1
beb3fe4681e84941617ccaeb89169efc7268a0ba

SHA256
8f3f6fcef89bdf02fe1108b0452bd701860ef8ca111d09859daba97fc1d3ef9a

SHA512
56bdae98e5b186e342112b1ff44e4116c8e40f964f4c0cadd7ad09e2172b70c7019b7450a0a87574626cf4786f2d187592711c57f740d8d8757a9e36dc3d646c

Download Submit
memory/1248-19-0x0000000003440000-0x0000000003475000-memory.dmp

Filesize
212KB

Download
memory/1248-18-0x0000000000000000-mapping.dmp

Download
memory/2160-7-0x0000000000000000-mapping.dmp

Download
memory/3632-12-0x0000000000000000-mapping.dmp

Download
memory/3824-14-0x0000000000000000-mapping.dmp

Download
memory/3824-17-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3824-16-0x0000000073C80000-0x0000000073CB5000-memory.dmp

Filesize
212KB

Download
memory/3992-6-0x0000027C44540000-0x0000027C44B77000-memory.dmp

Filesize
6.2MB

Download
memory/3992-10-0x0000027C52FE0000-0x0000027C52FE4000-memory.dmp

Filesize
16KB

Download
memory/3992-2-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/3992-5-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/3992-4-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download
memory/3992-3-0x00007FFC9C810000-0x00007FFC9C820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads