qakbot | b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0

General

Target

documents-122179384.xlsm
Size

95KB
MD5

64ce728339d9ca928a4f2643b6098dda
SHA1

43fb58a8536b4b97cb812f8c02329703d3085cc7
SHA256

b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0
SHA512

4b83a359690fc96c994d807ddf059393c916723dbcb5776c4cbfe1551c821365da6b8f85c1046739e563e357229a1eba6689967ce5dd20117cfc88440bd070ec

Score

10^/10

qakbot tr 1618225074 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618225074

C2

197.45.110.165:995

216.201.162.158:443

71.74.12.34:443

45.63.107.192:2222

149.28.101.90:2222

45.32.211.207:443

45.32.211.207:995

45.32.211.207:8443

45.32.211.207:2222

149.28.99.97:995

149.28.98.196:443

149.28.101.90:443

149.28.101.90:8443

207.246.77.75:2222

207.246.116.237:443

207.246.116.237:995

207.246.116.237:2222

45.77.117.108:995

149.28.99.97:443

45.63.107.192:443

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4044	4048	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3904	4048	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3856	4048	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3712	4048	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1104	4048	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1048 rundll32.exe
860 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 860 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2268	860	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1156 schtasks.exe

pid	process
1156	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4048 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1048	rundll32.exe
1048	rundll32.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1048 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2268 WerFault.exe
Token: SeBackupPrivilege 2268 WerFault.exe
Token: SeDebugPrivilege 2268 WerFault.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4048 EXCEL.EXE
4048 EXCEL.EXE

description	pid	process
Token: SeRestorePrivilege	2268	WerFault.exe
Token: SeBackupPrivilege	2268	WerFault.exe
Token: SeDebugPrivilege	2268	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE
4048	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 4048 wrote to memory of 4044	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 4044	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3904	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3904	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3856	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3856	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3712	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 3712	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 1104	4048	EXCEL.EXE	rundll32.exe
PID 4048 wrote to memory of 1104	4048	EXCEL.EXE	rundll32.exe
PID 1104 wrote to memory of 1048	1104	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 1048	1104	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 1048	1104	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 4068	1048	rundll32.exe	explorer.exe
PID 1048 wrote to memory of 4068	1048	rundll32.exe	explorer.exe
PID 1048 wrote to memory of 4068	1048	rundll32.exe	explorer.exe
PID 1048 wrote to memory of 4068	1048	rundll32.exe	explorer.exe
PID 1048 wrote to memory of 4068	1048	rundll32.exe	explorer.exe
PID 4068 wrote to memory of 1156	4068	explorer.exe	schtasks.exe
PID 4068 wrote to memory of 1156	4068	explorer.exe	schtasks.exe
PID 4068 wrote to memory of 1156	4068	explorer.exe	schtasks.exe
PID 3936 wrote to memory of 860	3936	regsvr32.exe	regsvr32.exe
PID 3936 wrote to memory of 860	3936	regsvr32.exe	regsvr32.exe
PID 3936 wrote to memory of 860	3936	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\documents-122179384.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\urlefv.wir,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4044

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\urlefv.wir1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3904

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\urlefv.wir2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3856

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\urlefv.wir3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3712

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\urlefv.wir4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\urlefv.wir4,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dezyytvfak /tr "regsvr32.exe -s \"C:\Users\Admin\urlefv.wir4\"" /SC ONCE /Z /ST 16:41 /ET 16:53
5⤵
- Creates scheduled task(s)
PID:1156

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\urlefv.wir4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\urlefv.wir4"
2⤵
- Loads dropped DLL
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\urlefv.wir4
MD5
31a68eef07c6c6113152cf9cd86d196e

SHA1
3f23f15b220a9731c5a98ce90ad950d345de4fcf

SHA256
593ad02f675cb99b6645b26b2bc5bb92d8ab6962629eae6fbe1a1e330613e056

SHA512
9f478314a259ab6e2ae33076d59bc48fa395fa89189e3b01308d01de4abdad3e979a2bca5f33d689ee029edbe5962d4cdf71dd00b6f269fe732dfe601d6390a5

Download Submit
C:\Users\Admin\urlefv.wir4
MD5
01160c728a6c98035a8b48e54bfb84b5

SHA1
0162a30e2ef6323cdff4588cc3e90c1fca6bb1fa

SHA256
71a8c70c2793309b14822b94333aa3775d8f472402eb9afbdd07b62fa29f77ca

SHA512
dd1864972179da1004e9cb735de873bf70ed5c4794df2a49b4ddb6841bce59dc14e7c2e635c965054f60f717514fce4c29c7eee62fb5c26caa1c025452094938

Download Submit
\Users\Admin\urlefv.wir4
MD5
31a68eef07c6c6113152cf9cd86d196e

SHA1
3f23f15b220a9731c5a98ce90ad950d345de4fcf

SHA256
593ad02f675cb99b6645b26b2bc5bb92d8ab6962629eae6fbe1a1e330613e056

SHA512
9f478314a259ab6e2ae33076d59bc48fa395fa89189e3b01308d01de4abdad3e979a2bca5f33d689ee029edbe5962d4cdf71dd00b6f269fe732dfe601d6390a5

Download Submit
\Users\Admin\urlefv.wir4
MD5
01160c728a6c98035a8b48e54bfb84b5

SHA1
0162a30e2ef6323cdff4588cc3e90c1fca6bb1fa

SHA256
71a8c70c2793309b14822b94333aa3775d8f472402eb9afbdd07b62fa29f77ca

SHA512
dd1864972179da1004e9cb735de873bf70ed5c4794df2a49b4ddb6841bce59dc14e7c2e635c965054f60f717514fce4c29c7eee62fb5c26caa1c025452094938

Download Submit
memory/860-194-0x0000000000000000-mapping.dmp

Download
memory/1048-189-0x0000000004EC0000-0x0000000004ED9000-memory.dmp

Filesize
100KB

Download
memory/1048-188-0x0000000004E70000-0x0000000004E9D000-memory.dmp

Filesize
180KB

Download
memory/1048-187-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1048-185-0x0000000000000000-mapping.dmp

Download
memory/1104-183-0x0000000000000000-mapping.dmp

Download
memory/1156-191-0x0000000000000000-mapping.dmp

Download
memory/3712-182-0x0000000000000000-mapping.dmp

Download
memory/3856-181-0x0000000000000000-mapping.dmp

Download
memory/3904-180-0x0000000000000000-mapping.dmp

Download
memory/4044-179-0x0000000000000000-mapping.dmp

Download
memory/4048-123-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-122-0x00007FFDC1130000-0x00007FFDC3025000-memory.dmp

Filesize
31.0MB

Download
memory/4048-121-0x00007FFDC3210000-0x00007FFDC42FE000-memory.dmp

Filesize
16.9MB

Download
memory/4048-118-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-114-0x00007FF79D320000-0x00007FF7A08D6000-memory.dmp

Filesize
53.7MB

Download
memory/4048-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4048-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/4068-190-0x0000000000000000-mapping.dmp

Download
memory/4068-192-0x0000000000890000-0x00000000008A9000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads