qakbot | 15d7aea3e0ad3d6cb43bfe1f7e308cf05113a021fc6443821025a46a256642fe

General

Target

documents-172432862.xlsb
Size

94KB
MD5

7caf6cedbc97b152d2d44c1a4f159cec
SHA1

d9dd28c11641ec176c82b44b6c69459a2f960d45
SHA256

91b6ca1d47127eaa4b3c9cf13c0a3d2e8945393e6de4779f3580a2246179b2ba
SHA512

beda9c6d76df0b0f840a560baa3895d4208e6498e9537e23b6d560b3e357887fb3864ae53fbbd0fe2a443f882bca9e64223dff687643862360a703d59d712344

Score

10^/10

qakbot tr 1618398298 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1828	3892	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1688	3892	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2304	3892	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2116	3892	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1284	3892	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1512 rundll32.exe
1512 rundll32.exe
2304 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3548 2304 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
3548	2304	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2108 schtasks.exe

pid	process
2108	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3892 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3548 WerFault.exe
Token: SeBackupPrivilege 3548 WerFault.exe
Token: SeDebugPrivilege 3548 WerFault.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3892 EXCEL.EXE
3892 EXCEL.EXE

description	pid	process
Token: SeRestorePrivilege	3548	WerFault.exe
Token: SeBackupPrivilege	3548	WerFault.exe
Token: SeDebugPrivilege	3548	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE
3892	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3892 wrote to memory of 1828	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 1828	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 1688	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 1688	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 2304	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 2304	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 2116	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 2116	3892	EXCEL.EXE	rundll32.exe
PID 2116 wrote to memory of 1512	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 1512	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 1512	2116	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2424	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 2424	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 2424	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 2424	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 2424	1512	rundll32.exe	explorer.exe
PID 3892 wrote to memory of 1284	3892	EXCEL.EXE	rundll32.exe
PID 3892 wrote to memory of 1284	3892	EXCEL.EXE	rundll32.exe
PID 2424 wrote to memory of 2108	2424	explorer.exe	schtasks.exe
PID 2424 wrote to memory of 2108	2424	explorer.exe	schtasks.exe
PID 2424 wrote to memory of 2108	2424	explorer.exe	schtasks.exe
PID 4076 wrote to memory of 2304	4076	regsvr32.exe	regsvr32.exe
PID 4076 wrote to memory of 2304	4076	regsvr32.exe	regsvr32.exe
PID 4076 wrote to memory of 2304	4076	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\documents-172432862.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1828

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1688

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2304

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\wiroe.oer4,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hgcqfylhc /tr "regsvr32.exe -s \"C:\Users\Admin\wiroe.oer4\"" /SC ONCE /Z /ST 14:31 /ET 14:43
5⤵
- Creates scheduled task(s)
PID:2108

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer5,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1284

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\wiroe.oer4"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\wiroe.oer4"
2⤵
- Loads dropped DLL
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wiroe.oer4
MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
C:\Users\Admin\wiroe.oer4
MD5
90a0f382c22eb594b311db90fafc85f6

SHA1
8da5e90239c17cbfa2e20bb9a4d8873a6acef7f3

SHA256
0e8ef860377113af0c34318e2feb61983a01c5a4c8ab0594763a4f0d75c45c08

SHA512
36a0e01a54d93ad7f4da5a5975d953edc3ad70d3cd3b3c31c83d6a71fed1f236a969ee85150957119072b3105232fd8ebbe442ab938533c4883148d64e9f3a01

Download Submit
\Users\Admin\wiroe.oer4
MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
\Users\Admin\wiroe.oer4
MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
\Users\Admin\wiroe.oer4
MD5
90a0f382c22eb594b311db90fafc85f6

SHA1
8da5e90239c17cbfa2e20bb9a4d8873a6acef7f3

SHA256
0e8ef860377113af0c34318e2feb61983a01c5a4c8ab0594763a4f0d75c45c08

SHA512
36a0e01a54d93ad7f4da5a5975d953edc3ad70d3cd3b3c31c83d6a71fed1f236a969ee85150957119072b3105232fd8ebbe442ab938533c4883148d64e9f3a01

Download Submit
memory/1284-192-0x0000000000000000-mapping.dmp

Download
memory/1512-189-0x0000000004D80000-0x0000000004DB9000-memory.dmp

Filesize
228KB

Download
memory/1512-187-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1512-184-0x0000000000000000-mapping.dmp

Download
memory/1512-188-0x0000000004CB0000-0x0000000004CF2000-memory.dmp

Filesize
264KB

Download
memory/1688-180-0x0000000000000000-mapping.dmp

Download
memory/1828-179-0x0000000000000000-mapping.dmp

Download
memory/2108-193-0x0000000000000000-mapping.dmp

Download
memory/2116-182-0x0000000000000000-mapping.dmp

Download
memory/2304-181-0x0000000000000000-mapping.dmp

Download
memory/2304-195-0x0000000000000000-mapping.dmp

Download
memory/2424-190-0x0000000000000000-mapping.dmp

Download
memory/2424-191-0x0000000002F30000-0x0000000002F69000-memory.dmp

Filesize
228KB

Download
memory/3892-118-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3892-114-0x00007FF64A270000-0x00007FF64D826000-memory.dmp

Filesize
53.7MB

Download
memory/3892-123-0x00007FFC0F5E0000-0x00007FFC114D5000-memory.dmp

Filesize
31.0MB

Download
memory/3892-117-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3892-121-0x00007FFC114E0000-0x00007FFC125CE000-memory.dmp

Filesize
16.9MB

Download
memory/3892-116-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3892-122-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3892-115-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads