qakbot | 53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f

General

Target

bid,02.21.doc
Size

95KB
MD5

8d4ca32c865cbc75fb529bc64730c453
SHA1

334c4352dbda3759ca503a6118bc2ddb09b6f9d7
SHA256

53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f
SHA512

3bd039c6d748008d76d5095be0130763e74dd68929e1f8878c557e92bff5742731fdfddbb38171b4f6c13ed42e7339ea4bd54c975d6f36015ea6f7b2bfb66f50

Score

10^/10

qakbot krk01 1611569149 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

xml.com

pid process

1264 xml.com
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2620 regsvr32.exe

pid	process
1264	xml.com

pid	process
2620	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

496 WINWORD.EXE
496 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

2620 regsvr32.exe
2620 regsvr32.exe
2620 regsvr32.exe
2620 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2620 regsvr32.exe

pid	process
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe
2620	regsvr32.exe

pid	process
2620	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

xml.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	1264	xml.com
Token: SeSecurityPrivilege	1264	xml.com
Token: SeTakeOwnershipPrivilege	1264	xml.com
Token: SeLoadDriverPrivilege	1264	xml.com
Token: SeSystemProfilePrivilege	1264	xml.com
Token: SeSystemtimePrivilege	1264	xml.com
Token: SeProfSingleProcessPrivilege	1264	xml.com
Token: SeIncBasePriorityPrivilege	1264	xml.com
Token: SeCreatePagefilePrivilege	1264	xml.com
Token: SeBackupPrivilege	1264	xml.com
Token: SeRestorePrivilege	1264	xml.com
Token: SeShutdownPrivilege	1264	xml.com
Token: SeDebugPrivilege	1264	xml.com
Token: SeSystemEnvironmentPrivilege	1264	xml.com
Token: SeRemoteShutdownPrivilege	1264	xml.com
Token: SeUndockPrivilege	1264	xml.com
Token: SeManageVolumePrivilege	1264	xml.com
Token: 33	1264	xml.com
Token: 34	1264	xml.com
Token: 35	1264	xml.com
Token: 36	1264	xml.com
Token: SeIncreaseQuotaPrivilege	1264	xml.com
Token: SeSecurityPrivilege	1264	xml.com
Token: SeTakeOwnershipPrivilege	1264	xml.com
Token: SeLoadDriverPrivilege	1264	xml.com
Token: SeSystemProfilePrivilege	1264	xml.com
Token: SeSystemtimePrivilege	1264	xml.com
Token: SeProfSingleProcessPrivilege	1264	xml.com
Token: SeIncBasePriorityPrivilege	1264	xml.com
Token: SeCreatePagefilePrivilege	1264	xml.com
Token: SeBackupPrivilege	1264	xml.com
Token: SeRestorePrivilege	1264	xml.com
Token: SeShutdownPrivilege	1264	xml.com
Token: SeDebugPrivilege	1264	xml.com
Token: SeSystemEnvironmentPrivilege	1264	xml.com
Token: SeRemoteShutdownPrivilege	1264	xml.com
Token: SeUndockPrivilege	1264	xml.com
Token: SeManageVolumePrivilege	1264	xml.com
Token: 33	1264	xml.com
Token: 34	1264	xml.com
Token: 35	1264	xml.com
Token: 36	1264	xml.com

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE
496	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXExml.comregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 496 wrote to memory of 1264	496	WINWORD.EXE	xml.com
PID 496 wrote to memory of 1264	496	WINWORD.EXE	xml.com
PID 1264 wrote to memory of 2588	1264	xml.com	regsvr32.exe
PID 1264 wrote to memory of 2588	1264	xml.com	regsvr32.exe
PID 2588 wrote to memory of 2620	2588	regsvr32.exe	regsvr32.exe
PID 2588 wrote to memory of 2620	2588	regsvr32.exe	regsvr32.exe
PID 2588 wrote to memory of 2620	2588	regsvr32.exe	regsvr32.exe
PID 2620 wrote to memory of 1624	2620	regsvr32.exe	explorer.exe
PID 2620 wrote to memory of 1624	2620	regsvr32.exe	explorer.exe
PID 2620 wrote to memory of 1624	2620	regsvr32.exe	explorer.exe
PID 2620 wrote to memory of 1624	2620	regsvr32.exe	explorer.exe
PID 2620 wrote to memory of 1624	2620	regsvr32.exe	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid,02.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\programdata\xml.com
"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\1271.jpg
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\1271.jpg
4⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
C:\programdata\xml.com
MD5
4191f61f2449ccc2bc2f2ac6d8898ce7

SHA1
d49936fc8a03561214ce4bf9791ca59e94ab8fe9

SHA256
74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173

SHA512
fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

Download Submit
\??\c:\programdata\1271.jpg
MD5
4a2a46cfca30f739994362c22f0d2f46

SHA1
f0c75c3e93907f66e1f747d1eb099d144f30deeb

SHA256
c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b

SHA512
1024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b

Download Submit
\??\c:\programdata\i.xsl
MD5
3bfe49781b0c5ebfce69bf1815076111

SHA1
12af9552ed24477939ad337973643ec758e62721

SHA256
5243d6b20c66df6fb8e02b17b4963a8b33d4b907209fa08bf024becb341628a3

SHA512
65a8535574bad660a9b4bc8b1bbcb0e479a40843c51432f8313248064bb6457bd2a9846c5a6fc382090942efb3b6ac9860a67a3876ff40a20923347ab45c0e3c

Download Submit
\ProgramData\1271.jpg
MD5
4a2a46cfca30f739994362c22f0d2f46

SHA1
f0c75c3e93907f66e1f747d1eb099d144f30deeb

SHA256
c335c63f7587348d5c65235379f76f5298fe90264857675cf08539a6be9e990b

SHA512
1024ef1bff08cf739c90e04fae00e4ab1fb96a6bd77baebb258901a86d4626149c9197cfe4f025e7e0e4bce7db53ed5d80e4fadf83d7680832a640bda6876a5b

Download Submit
memory/496-6-0x00007FF8052D0000-0x00007FF805907000-memory.dmp

Filesize
6.2MB

Download
memory/496-9-0x000001D7B2130000-0x000001D7B2134000-memory.dmp

Filesize
16KB

Download
memory/496-2-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-5-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-4-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/496-3-0x00007FF7E5FB0000-0x00007FF7E5FC0000-memory.dmp

Filesize
64KB

Download
memory/1264-7-0x0000000000000000-mapping.dmp

Download
memory/1624-18-0x0000000000000000-mapping.dmp

Download
memory/1624-19-0x0000000002F60000-0x0000000002F95000-memory.dmp

Filesize
212KB

Download
memory/2588-12-0x0000000000000000-mapping.dmp

Download
memory/2620-14-0x0000000000000000-mapping.dmp

Download
memory/2620-16-0x00000000736E0000-0x0000000073715000-memory.dmp

Filesize
212KB

Download
memory/2620-17-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads