qakbot | 50262dd5d3fb500fb179039794e8734c2e79e05f6b763ea2c16f73cd055192df

General

Target

document-1692717528.xls
Size

88KB
MD5

4a775f6986621d7ef8279cb2a357e9c4
SHA1

4e7858505fad3da989137fd7bff246ac059ed256
SHA256

6fd7a7bdc82d2752c521a6da37b990ea143889e0fc6a638d0151f6a6bebb472d
SHA512

451abf1ff0b8e1087dc37d0b0d74f647bccb29f3797c810b699a1be7d1cf1fb8c950751118fab939a3bf45d8a81dbe2de5c26c2173e1be205235ddcca2d7cd61

Score

10^/10

qakbot tr 1613385567 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://marcostrombetta.com.br/ds/1802.gif

Extracted

Family

qakbot

Botnet

tr

Campaign

1613385567

C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	620	328	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

620 rundll32.exe
904 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1436 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
620	rundll32.exe
904	regsvr32.exe

pid	process
1436	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

328 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

620 rundll32.exe
620 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

620 rundll32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

328 EXCEL.EXE
328 EXCEL.EXE
328 EXCEL.EXE
328 EXCEL.EXE
328 EXCEL.EXE

pid	process
328	EXCEL.EXE

pid	process
620	rundll32.exe
620	rundll32.exe

pid	process
620	rundll32.exe

pid	process
328	EXCEL.EXE
328	EXCEL.EXE
328	EXCEL.EXE
328	EXCEL.EXE
328	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 328 wrote to memory of 620	328	EXCEL.EXE	rundll32.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 620 wrote to memory of 544	620	rundll32.exe	explorer.exe
PID 544 wrote to memory of 1436	544	explorer.exe	schtasks.exe
PID 544 wrote to memory of 1436	544	explorer.exe	schtasks.exe
PID 544 wrote to memory of 1436	544	explorer.exe	schtasks.exe
PID 544 wrote to memory of 1436	544	explorer.exe	schtasks.exe
PID 1352 wrote to memory of 1160	1352	taskeng.exe	regsvr32.exe
PID 1352 wrote to memory of 1160	1352	taskeng.exe	regsvr32.exe
PID 1352 wrote to memory of 1160	1352	taskeng.exe	regsvr32.exe
PID 1352 wrote to memory of 1160	1352	taskeng.exe	regsvr32.exe
PID 1352 wrote to memory of 1160	1352	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 904	1160	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1692717528.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\idefje.ekfd,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wntixutlud /tr "regsvr32.exe -s \"C:\Users\Admin\idefje.ekfd\"" /SC ONCE /Z /ST 20:44 /ET 20:56
4⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\taskeng.exe
taskeng.exe {2D423688-00EF-4A21-A4C9-D3A2BD147EAC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\idefje.ekfd"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\idefje.ekfd"
3⤵
- Loads dropped DLL
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\idefje.ekfd
MD5
d64a0eaa481037030a4def6d5d958c8c

SHA1
55618ba84537ea39f5675b1d0cc3bc16a95d0037

SHA256
2a6dc00bdcacd9e65a4b99d9d8dd4db64554a2db3e5f0a2f9d2702b99d88ac0f

SHA512
ff5ad2d8cbb7087752da3b2fccf8c2c45059fa545dc0719aa90765d145df76bc77bf1589735acf01547c67763b64ae6998590a7dfa59ae41d0302453c0298b4b

Download Submit
C:\Users\Admin\idefje.ekfd
MD5
c932cf352c7f9a7748dc28b3b1a8ac1c

SHA1
d79ac5e409fc6ed8243c6824a7b5e8daef6320b6

SHA256
743677c0b3adcaad1c801e7b9ab5b116ca6aac844976a18520151a2310b7f4d8

SHA512
666446768759973fa4e09888e9980c6d91d4eb0ed34a5c94d05d25aba337e1624b43ae525203cd4e0f69d2c36fb7c2f0a8006ef8935a716c04537afc73c1cf65

Download Submit
\Users\Admin\idefje.ekfd
MD5
d64a0eaa481037030a4def6d5d958c8c

SHA1
55618ba84537ea39f5675b1d0cc3bc16a95d0037

SHA256
2a6dc00bdcacd9e65a4b99d9d8dd4db64554a2db3e5f0a2f9d2702b99d88ac0f

SHA512
ff5ad2d8cbb7087752da3b2fccf8c2c45059fa545dc0719aa90765d145df76bc77bf1589735acf01547c67763b64ae6998590a7dfa59ae41d0302453c0298b4b

Download Submit
\Users\Admin\idefje.ekfd
MD5
c932cf352c7f9a7748dc28b3b1a8ac1c

SHA1
d79ac5e409fc6ed8243c6824a7b5e8daef6320b6

SHA256
743677c0b3adcaad1c801e7b9ab5b116ca6aac844976a18520151a2310b7f4d8

SHA512
666446768759973fa4e09888e9980c6d91d4eb0ed34a5c94d05d25aba337e1624b43ae525203cd4e0f69d2c36fb7c2f0a8006ef8935a716c04537afc73c1cf65

Download Submit
memory/328-3-0x0000000071281000-0x0000000071283000-memory.dmp

Filesize
8KB

Download
memory/328-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/328-2-0x000000002FC71000-0x000000002FC74000-memory.dmp

Filesize
12KB

Download
memory/544-14-0x000000006C121000-0x000000006C123000-memory.dmp

Filesize
8KB

Download
memory/544-17-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/544-15-0x0000000000080000-0x00000000000B5000-memory.dmp

Filesize
212KB

Download
memory/544-12-0x0000000000000000-mapping.dmp

Download
memory/620-7-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/620-10-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/620-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/620-6-0x0000000000000000-mapping.dmp

Download
memory/904-21-0x0000000000000000-mapping.dmp

Download
memory/1160-18-0x0000000000000000-mapping.dmp

Download
memory/1160-19-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1436-16-0x0000000000000000-mapping.dmp

Download
memory/1652-5-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads