qakbot | e3154af64e8c0979c27748c4c445b3fff752188c780a46b98f4fdb96b028c85d

General

Target

qb.xls
Size

67KB
MD5

c9a898c5a3270a8afe2c5be7a1cda7d3
SHA1

8fcdd739624c60795d18d0f2d769f70ffcaf04a3
SHA256

e3154af64e8c0979c27748c4c445b3fff752188c780a46b98f4fdb96b028c85d
SHA512

50e3b721b3d715ce6b3c3d85b34c127f81cf2f32654d7d59bf054b944b39578231279c2308106f36ee27235bd3a5d4595d786b8c90f7049ffab92d9bad970161

Score

10^/10

qakbot abc123 1612275762 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc123

Campaign

1612275762

C2

196.151.252.84:443

216.201.162.158:443

83.110.12.140:2222

105.186.102.16:443

108.31.15.10:995

193.248.221.184:2222

68.225.60.77:995

197.45.110.165:995

89.3.198.238:443

81.97.154.100:443

81.214.126.173:2222

108.46.145.30:443

71.187.170.235:443

72.240.200.181:2222

81.88.254.62:443

98.240.24.57:443

86.97.8.249:443

75.136.40.155:443

79.129.121.81:995

37.211.90.175:995

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1724	324	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1556	324	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1116	324	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	436	324	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	588	324	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1556 rundll32.exe
1592 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1884 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1556	rundll32.exe
1592	regsvr32.exe

pid	process
1884	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

324 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1556 rundll32.exe
1556 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1556 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

324 EXCEL.EXE
324 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

324 EXCEL.EXE
324 EXCEL.EXE
324 EXCEL.EXE

pid	process
324	EXCEL.EXE

pid	process
1556	rundll32.exe
1556	rundll32.exe

pid	process
1556	rundll32.exe

pid	process
324	EXCEL.EXE
324	EXCEL.EXE

pid	process
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1724	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1556	324	EXCEL.EXE	rundll32.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 1556 wrote to memory of 832	1556	rundll32.exe	explorer.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 1116	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 436	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 588	324	EXCEL.EXE	rundll32.exe
PID 832 wrote to memory of 1884	832	explorer.exe	schtasks.exe
PID 832 wrote to memory of 1884	832	explorer.exe	schtasks.exe
PID 832 wrote to memory of 1884	832	explorer.exe	schtasks.exe
PID 832 wrote to memory of 1884	832	explorer.exe	schtasks.exe
PID 316 wrote to memory of 864	316	taskeng.exe	regsvr32.exe
PID 316 wrote to memory of 864	316	taskeng.exe	regsvr32.exe
PID 316 wrote to memory of 864	316	taskeng.exe	regsvr32.exe
PID 316 wrote to memory of 864	316	taskeng.exe	regsvr32.exe
PID 316 wrote to memory of 864	316	taskeng.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1592	864	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\qb.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1724

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qugyvdma /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 11:19 /ET 11:31
4⤵
- Creates scheduled task(s)
PID:1884

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1116

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:436

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:588

C:\Windows\system32\taskeng.exe
taskeng.exe {924969D1-1F33-4CD7-B1CC-1A5D6A4A40E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\HYGFR.HYGF1"
3⤵
- Loads dropped DLL
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HYGFR.HYGF1
MD5
41ac359f249268bbdd8ed4f3447cfdf4

SHA1
8fc0920076343dd55fcdcadd8a5bab88be0b2074

SHA256
73b0e961ea470ab4bed8173900d6e474965ace58bf1ee569c2fd41bc8bacfae4

SHA512
7135c19dcd62c07f0d87a45928e9db9298317f167e1fa1e15fdfd49dd9d7a745ca877a57321abc1dbbc082cafd9588361fe325f8e8a70900fc6f3af99677ad53

Download Submit
C:\Users\Admin\HYGFR.HYGF1
MD5
b5f469671eafaba549a52da7c7319f3b

SHA1
db3f4fd8c743826f2a5c9960a3ae8de7b9927937

SHA256
5479492deb88f9d62a24e9c506f3f66ebd4c4dc0851d73d98c19a6798ad98f60

SHA512
5d1d11e5a3a8800793d21a9bb8b289df8afaa8a75b4c50443779d41cc4533e1ca8b68ee93756832389a9635f027557464723e1ee07e57c9d9092e0a72cfbe7a3

Download Submit
C:\Users\Admin\HYGFR.HYGF2
MD5
d40f0d3acb5e264dcaae5935dfe9152e

SHA1
f90886590579d0eccd74a802b1272b6455b600f6

SHA256
aeb69d38aa46a1cf16a0b18d9fd7ecd01c2ba17e7ba8d4468fda019f37a59987

SHA512
2e5cd3486dcd0c17d38697fb0de0a740930a751d5b338ef79df349ab1f471f5faa434cfbd2f8efb335855d77e00a380ab2c90daec494703e9be1ee78bcc3a157

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
41ac359f249268bbdd8ed4f3447cfdf4

SHA1
8fc0920076343dd55fcdcadd8a5bab88be0b2074

SHA256
73b0e961ea470ab4bed8173900d6e474965ace58bf1ee569c2fd41bc8bacfae4

SHA512
7135c19dcd62c07f0d87a45928e9db9298317f167e1fa1e15fdfd49dd9d7a745ca877a57321abc1dbbc082cafd9588361fe325f8e8a70900fc6f3af99677ad53

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
b5f469671eafaba549a52da7c7319f3b

SHA1
db3f4fd8c743826f2a5c9960a3ae8de7b9927937

SHA256
5479492deb88f9d62a24e9c506f3f66ebd4c4dc0851d73d98c19a6798ad98f60

SHA512
5d1d11e5a3a8800793d21a9bb8b289df8afaa8a75b4c50443779d41cc4533e1ca8b68ee93756832389a9635f027557464723e1ee07e57c9d9092e0a72cfbe7a3

Download Submit
memory/324-3-0x0000000071C91000-0x0000000071C93000-memory.dmp

Filesize
8KB

Download
memory/324-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/324-2-0x000000002FFE1000-0x000000002FFE4000-memory.dmp

Filesize
12KB

Download
memory/436-20-0x0000000000000000-mapping.dmp

Download
memory/588-22-0x0000000000000000-mapping.dmp

Download
memory/832-25-0x00000000000E0000-0x0000000000115000-memory.dmp

Filesize
212KB

Download
memory/832-26-0x00000000000E0000-0x0000000000115000-memory.dmp

Filesize
212KB

Download
memory/832-16-0x000000006CD51000-0x000000006CD53000-memory.dmp

Filesize
8KB

Download
memory/832-14-0x0000000000000000-mapping.dmp

Download
memory/864-28-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

Filesize
8KB

Download
memory/864-27-0x0000000000000000-mapping.dmp

Download
memory/1116-17-0x0000000000000000-mapping.dmp

Download
memory/1556-13-0x00000000001F0000-0x0000000000225000-memory.dmp

Filesize
212KB

Download
memory/1556-8-0x0000000000000000-mapping.dmp

Download
memory/1556-12-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/1592-30-0x0000000000000000-mapping.dmp

Download
memory/1724-7-0x00000000766C1000-0x00000000766C3000-memory.dmp

Filesize
8KB

Download
memory/1724-6-0x0000000000000000-mapping.dmp

Download
memory/1884-24-0x0000000000000000-mapping.dmp

Download
memory/1964-5-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads