qakbot | aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46

General

Target

CompensationClaim-2000459547-02022021.xls
Size

67KB
MD5

cb555300cee97b3250f5ca1650197f7b
SHA1

702beedaaef076fa9f8fd6510493925f090fe4a1
SHA256

aed3b7b54243021aa6b20fda0ea7bb46a2065a1371202b3bab86482fa3f5bd46
SHA512

a57dfeb94bf437df67bf7b13137aebe08b0ba1c04f3bf94cf98105c34683e96e6986495c157f83ff9cc93332680b1f280d9aa72c6f5d1196f5c7606dd4755ddf

Score

10^/10

qakbot abc123 1612349986 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc123

Campaign

1612349986

C2

222.154.253.111:995

50.244.112.106:443

83.110.108.181:2222

105.198.236.99:443

74.77.162.33:443

106.250.150.98:443

196.151.252.84:443

45.118.216.157:443

140.82.49.12:443

80.11.173.82:8443

71.88.193.17:443

68.186.192.69:443

46.153.119.255:995

81.214.126.173:2222

108.31.15.10:995

197.45.110.165:995

81.88.254.62:443

86.97.8.249:443

202.187.58.21:443

41.39.134.183:443

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1064	1072	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	528	1072	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1312	1072	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	696	1072	rundll32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	572	1072	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exeregsvr32.exe

pid process

528 rundll32.exe
572 rundll32.exe
1628 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1904 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
528	rundll32.exe
572	rundll32.exe
1628	regsvr32.exe

pid	process
1904	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

528 rundll32.exe
528 rundll32.exe
572 rundll32.exe
572 rundll32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

528 rundll32.exe
572 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
1072 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1072 EXCEL.EXE
1072 EXCEL.EXE
1072 EXCEL.EXE

pid	process
1072	EXCEL.EXE

pid	process
528	rundll32.exe
528	rundll32.exe
572	rundll32.exe
572	rundll32.exe

pid	process
528	rundll32.exe
572	rundll32.exe

pid	process
1072	EXCEL.EXE
1072	EXCEL.EXE

pid	process
1072	EXCEL.EXE
1072	EXCEL.EXE
1072	EXCEL.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exerundll32.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1064	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 528	1072	EXCEL.EXE	rundll32.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 528 wrote to memory of 564	528	rundll32.exe	explorer.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 1312	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 696	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 1072 wrote to memory of 572	1072	EXCEL.EXE	rundll32.exe
PID 564 wrote to memory of 1904	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 1904	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 1904	564	explorer.exe	schtasks.exe
PID 564 wrote to memory of 1904	564	explorer.exe	schtasks.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 572 wrote to memory of 2004	572	rundll32.exe	explorer.exe
PID 628 wrote to memory of 272	628	taskeng.exe	regsvr32.exe
PID 628 wrote to memory of 272	628	taskeng.exe	regsvr32.exe
PID 628 wrote to memory of 272	628	taskeng.exe	regsvr32.exe
PID 628 wrote to memory of 272	628	taskeng.exe	regsvr32.exe
PID 628 wrote to memory of 272	628	taskeng.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe
PID 272 wrote to memory of 1628	272	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\CompensationClaim-2000459547-02022021.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1064

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF1,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn huhivovrey /tr "regsvr32.exe -s \"C:\Users\Admin\HYGFR.HYGF1\"" /SC ONCE /Z /ST 09:26 /ET 09:38
4⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1312

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:696

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\HYGFR.HYGF4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {130C1354-E457-4C72-9FCD-8EC6C4BC0063} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\HYGFR.HYGF1"
2⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\HYGFR.HYGF1"
3⤵
- Loads dropped DLL
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\HYGFR.HYGF1
MD5
e39c08b2c423fd1ffae2562ed49c2a94

SHA1
accfd937448d905fc81a612a281e257df426fca1

SHA256
3649ae486a4880c5b5eef8c74adb7119a455922fff5299697c7a34f6a8d5e797

SHA512
2af0545f6b849b0ca2d25c0a79f45dfb49add720c84b675a3cf921be89e015d37fe1d25cae0d5acd4519ae183dc3910eec535bc155e53473d467ca57b5404f0d

Download Submit
C:\Users\Admin\HYGFR.HYGF1
MD5
8aae6871c1faf6ae798522d9b0b0d517

SHA1
e6bd8a2a29f157e6789bd0bff25f98eb9cd8267a

SHA256
2da6429585e5527eb56041aa10038230b853e01fcb6872679024942c166d78e1

SHA512
bdb73af955fa732c0e5a0919494cde8f6881dabd93aefa1c637650c969f89c3052be8772521f5df1ca41e0ffb0eced26c107296a60f38ff6fc5f928bd0425789

Download Submit
C:\Users\Admin\HYGFR.HYGF4
MD5
e39c08b2c423fd1ffae2562ed49c2a94

SHA1
accfd937448d905fc81a612a281e257df426fca1

SHA256
3649ae486a4880c5b5eef8c74adb7119a455922fff5299697c7a34f6a8d5e797

SHA512
2af0545f6b849b0ca2d25c0a79f45dfb49add720c84b675a3cf921be89e015d37fe1d25cae0d5acd4519ae183dc3910eec535bc155e53473d467ca57b5404f0d

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
e39c08b2c423fd1ffae2562ed49c2a94

SHA1
accfd937448d905fc81a612a281e257df426fca1

SHA256
3649ae486a4880c5b5eef8c74adb7119a455922fff5299697c7a34f6a8d5e797

SHA512
2af0545f6b849b0ca2d25c0a79f45dfb49add720c84b675a3cf921be89e015d37fe1d25cae0d5acd4519ae183dc3910eec535bc155e53473d467ca57b5404f0d

Download Submit
\Users\Admin\HYGFR.HYGF1
MD5
8aae6871c1faf6ae798522d9b0b0d517

SHA1
e6bd8a2a29f157e6789bd0bff25f98eb9cd8267a

SHA256
2da6429585e5527eb56041aa10038230b853e01fcb6872679024942c166d78e1

SHA512
bdb73af955fa732c0e5a0919494cde8f6881dabd93aefa1c637650c969f89c3052be8772521f5df1ca41e0ffb0eced26c107296a60f38ff6fc5f928bd0425789

Download Submit
\Users\Admin\HYGFR.HYGF4
MD5
e39c08b2c423fd1ffae2562ed49c2a94

SHA1
accfd937448d905fc81a612a281e257df426fca1

SHA256
3649ae486a4880c5b5eef8c74adb7119a455922fff5299697c7a34f6a8d5e797

SHA512
2af0545f6b849b0ca2d25c0a79f45dfb49add720c84b675a3cf921be89e015d37fe1d25cae0d5acd4519ae183dc3910eec535bc155e53473d467ca57b5404f0d

Download Submit
memory/272-39-0x0000000000000000-mapping.dmp

Download
memory/272-40-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/528-8-0x0000000000000000-mapping.dmp

Download
memory/528-12-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x0000000000860000-0x00000000008A7000-memory.dmp

Filesize
284KB

Download
memory/528-14-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/528-18-0x0000000000C80000-0x0000000000CB5000-memory.dmp

Filesize
212KB

Download
memory/564-15-0x0000000000000000-mapping.dmp

Download
memory/564-17-0x000000006C831000-0x000000006C833000-memory.dmp

Filesize
8KB

Download
memory/564-29-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/564-22-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download
memory/572-32-0x00000000003F0000-0x0000000000425000-memory.dmp

Filesize
212KB

Download
memory/572-24-0x0000000000000000-mapping.dmp

Download
memory/572-37-0x00000000003F0000-0x0000000000425000-memory.dmp

Filesize
212KB

Download
memory/572-30-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/696-21-0x0000000000000000-mapping.dmp

Download
memory/1064-6-0x0000000000000000-mapping.dmp

Download
memory/1064-7-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/1072-3-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download
memory/1072-2-0x000000002FA61000-0x000000002FA64000-memory.dmp

Filesize
12KB

Download
memory/1072-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1312-19-0x0000000000000000-mapping.dmp

Download
memory/1628-42-0x0000000000000000-mapping.dmp

Download
memory/1744-5-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1904-28-0x0000000000000000-mapping.dmp

Download
memory/2004-33-0x0000000000000000-mapping.dmp

Download
memory/2004-38-0x00000000000D0000-0x0000000000105000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads