qakbot | c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

General

Target

document-1743692288.xls
Size

88KB
MD5

fa1f35763e1c13386feca469dd16a22b
SHA1

1cbfc5e62e085bba8366cc077dfc91923a8ceefd
SHA256

c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
SHA512

31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

Score

10^/10

qakbot tr 1613385567 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://miraclecollagen.co.za/ds/1802.gif

Extracted

Family

qakbot

Botnet

tr

Campaign

1613385567

C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	928	324	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

928 rundll32.exe
456 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

620 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
928	rundll32.exe
456	regsvr32.exe

pid	process
620	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

324 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

928 rundll32.exe
928 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

928 rundll32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

324 EXCEL.EXE
324 EXCEL.EXE
324 EXCEL.EXE
324 EXCEL.EXE
324 EXCEL.EXE

pid	process
324	EXCEL.EXE

pid	process
928	rundll32.exe
928	rundll32.exe

pid	process
928	rundll32.exe

pid	process
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE
324	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXErundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 324 wrote to memory of 928	324	EXCEL.EXE	rundll32.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 928 wrote to memory of 1116	928	rundll32.exe	explorer.exe
PID 1116 wrote to memory of 620	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 620	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 620	1116	explorer.exe	schtasks.exe
PID 1116 wrote to memory of 620	1116	explorer.exe	schtasks.exe
PID 1688 wrote to memory of 1008	1688	taskeng.exe	regsvr32.exe
PID 1688 wrote to memory of 1008	1688	taskeng.exe	regsvr32.exe
PID 1688 wrote to memory of 1008	1688	taskeng.exe	regsvr32.exe
PID 1688 wrote to memory of 1008	1688	taskeng.exe	regsvr32.exe
PID 1688 wrote to memory of 1008	1688	taskeng.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe
PID 1008 wrote to memory of 456	1008	regsvr32.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\document-1743692288.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\idefje.ekfd,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn goumgxsyra /tr "regsvr32.exe -s \"C:\Users\Admin\idefje.ekfd\"" /SC ONCE /Z /ST 19:46 /ET 19:58
4⤵
- Creates scheduled task(s)
PID:620

C:\Windows\system32\taskeng.exe
taskeng.exe {924969D1-1F33-4CD7-B1CC-1A5D6A4A40E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\idefje.ekfd"
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\idefje.ekfd"
3⤵
- Loads dropped DLL
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\idefje.ekfd
MD5
5d00236a63ba084e6c8e99d3f84500c0

SHA1
4a82505cbf31834ecd5b04344c121d2553f72811

SHA256
4c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5

SHA512
8fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005

Download Submit
C:\Users\Admin\idefje.ekfd
MD5
a8e2e77d6e1159face67ee36e5d4f199

SHA1
e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c

SHA256
307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8

SHA512
c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273

Download Submit
\Users\Admin\idefje.ekfd
MD5
5d00236a63ba084e6c8e99d3f84500c0

SHA1
4a82505cbf31834ecd5b04344c121d2553f72811

SHA256
4c35a44fc0c64e5f0eb9801645dbe58e1176d5558f5060bca2a46f44ed6783b5

SHA512
8fcadfda0573210be163f6f2a761d03e11076ad2cfb193e428a3d4f7a970c0f903fd555cebd0221a2d6bce9e11c0dfcd5f0c13f341bcce2a0841f2be00cec005

Download Submit
\Users\Admin\idefje.ekfd
MD5
a8e2e77d6e1159face67ee36e5d4f199

SHA1
e3494981cfbc8c9a2c7a053c3ca4ab662b7f529c

SHA256
307dcd0bd76ec40e3297813e65542bc6480262578d6623825340a5add4fb6bf8

SHA512
c5e1f248a90e3406e690b1a7c3f6e09f4c1b3db5be40786669ba3aa1d48f0e6f2b0060dc3ee098fb76dfb59f2aec14aac5300556c69e214eef542561bc7df273

Download Submit
memory/324-3-0x0000000071C91000-0x0000000071C93000-memory.dmp

Filesize
8KB

Download
memory/324-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/324-2-0x000000002F791000-0x000000002F794000-memory.dmp

Filesize
12KB

Download
memory/456-23-0x0000000000000000-mapping.dmp

Download
memory/620-18-0x0000000000000000-mapping.dmp

Download
memory/928-7-0x00000000766C1000-0x00000000766C3000-memory.dmp

Filesize
8KB

Download
memory/928-12-0x0000000000940000-0x0000000000975000-memory.dmp

Filesize
212KB

Download
memory/928-17-0x0000000000940000-0x0000000000975000-memory.dmp

Filesize
212KB

Download
memory/928-11-0x00000000006A0000-0x00000000006D3000-memory.dmp

Filesize
204KB

Download
memory/928-10-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/928-6-0x0000000000000000-mapping.dmp

Download
memory/1008-20-0x0000000000000000-mapping.dmp

Download
memory/1008-21-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp

Filesize
8KB

Download
memory/1116-13-0x0000000000000000-mapping.dmp

Download
memory/1116-15-0x000000006C9E1000-0x000000006C9E3000-memory.dmp

Filesize
8KB

Download
memory/1116-16-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/1116-19-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2040-5-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads