qakbot | 15d7aea3e0ad3d6cb43bfe1f7e308cf05113a021fc6443821025a46a256642fe

General

Target

documents-1762652855.xlsb
Size

94KB
MD5

15184e360c4f2597a120edb0ec3b1529
SHA1

e1c61283e9ceaceef3918bab4395ab6762f8c2fa
SHA256

f14dc38347bc80f5f0690d6d1306a24d133bfaafb21007ad5e935000f21ebca9
SHA512

edcfd7bd9545344f581e4023de15cfd9fc90324f5b63c0880d26f1e371664fc8248c6da481825a4070c2714ac66a936dcc683a6fc3c4a36ef9ab5e2d4ac002dd

Score

10^/10

qakbot tr 1618398298 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1844	3204	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2212	3204	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2512	3204	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3872	3204	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1584	3204	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2104 rundll32.exe
2104 rundll32.exe
1852 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2184 1852 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2184	1852	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2508 schtasks.exe

pid	process
2508	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3204 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
2104	rundll32.exe
2104	rundll32.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe
2184	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2104 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2184 WerFault.exe
Token: SeBackupPrivilege 2184 WerFault.exe
Token: SeDebugPrivilege 2184 WerFault.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3204 EXCEL.EXE
3204 EXCEL.EXE

description	pid	process
Token: SeRestorePrivilege	2184	WerFault.exe
Token: SeBackupPrivilege	2184	WerFault.exe
Token: SeDebugPrivilege	2184	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE
3204	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3204 wrote to memory of 1844	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 1844	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 2212	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 2212	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 2512	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 2512	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 3872	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 3872	3204	EXCEL.EXE	rundll32.exe
PID 3872 wrote to memory of 2104	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 2104	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 2104	3872	rundll32.exe	rundll32.exe
PID 2104 wrote to memory of 3312	2104	rundll32.exe	explorer.exe
PID 2104 wrote to memory of 3312	2104	rundll32.exe	explorer.exe
PID 2104 wrote to memory of 3312	2104	rundll32.exe	explorer.exe
PID 2104 wrote to memory of 3312	2104	rundll32.exe	explorer.exe
PID 2104 wrote to memory of 3312	2104	rundll32.exe	explorer.exe
PID 3204 wrote to memory of 1584	3204	EXCEL.EXE	rundll32.exe
PID 3204 wrote to memory of 1584	3204	EXCEL.EXE	rundll32.exe
PID 3312 wrote to memory of 2508	3312	explorer.exe	schtasks.exe
PID 3312 wrote to memory of 2508	3312	explorer.exe	schtasks.exe
PID 3312 wrote to memory of 2508	3312	explorer.exe	schtasks.exe
PID 2496 wrote to memory of 1852	2496	regsvr32.exe	regsvr32.exe
PID 2496 wrote to memory of 1852	2496	regsvr32.exe	regsvr32.exe
PID 2496 wrote to memory of 1852	2496	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\documents-1762652855.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1844

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2212

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer3,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2512

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer4,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\wiroe.oer4,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ayparnsxhc /tr "regsvr32.exe -s \"C:\Users\Admin\wiroe.oer4\"" /SC ONCE /Z /ST 14:31 /ET 14:43
5⤵
- Creates scheduled task(s)
PID:2508

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\wiroe.oer5,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1584

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\wiroe.oer4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\wiroe.oer4"
2⤵
- Loads dropped DLL
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wiroe.oer4

MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
C:\Users\Admin\wiroe.oer4

MD5
90a0f382c22eb594b311db90fafc85f6

SHA1
8da5e90239c17cbfa2e20bb9a4d8873a6acef7f3

SHA256
0e8ef860377113af0c34318e2feb61983a01c5a4c8ab0594763a4f0d75c45c08

SHA512
36a0e01a54d93ad7f4da5a5975d953edc3ad70d3cd3b3c31c83d6a71fed1f236a969ee85150957119072b3105232fd8ebbe442ab938533c4883148d64e9f3a01

Download Submit
\Users\Admin\wiroe.oer4

MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
\Users\Admin\wiroe.oer4

MD5
9a1256e56a53b4ee225b88c795cf8b4e

SHA1
f3f2c2e5987b809a60f573e08566d97f89d5961d

SHA256
cceb5bfb51dbc76aa43e439cad1cbb0ec00c53f4d7332b1a35e43eaa88add30c

SHA512
0d460d2e3f084a310f068dfc9b9cebb0a32b56b8477c6773d0f11f00914da208241d69bca958a9f85668269ef05b80c2746ea0fefe5fae23054d96cdae662919

Download Submit
\Users\Admin\wiroe.oer4

MD5
90a0f382c22eb594b311db90fafc85f6

SHA1
8da5e90239c17cbfa2e20bb9a4d8873a6acef7f3

SHA256
0e8ef860377113af0c34318e2feb61983a01c5a4c8ab0594763a4f0d75c45c08

SHA512
36a0e01a54d93ad7f4da5a5975d953edc3ad70d3cd3b3c31c83d6a71fed1f236a969ee85150957119072b3105232fd8ebbe442ab938533c4883148d64e9f3a01

Download Submit
memory/1584-191-0x0000000000000000-mapping.dmp

Download
memory/1844-179-0x0000000000000000-mapping.dmp

Download
memory/1852-195-0x0000000000000000-mapping.dmp

Download
memory/2104-188-0x0000000000930000-0x0000000000972000-memory.dmp

Filesize
264KB

Download
memory/2104-187-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2104-189-0x0000000004A00000-0x0000000004A39000-memory.dmp

Filesize
228KB

Download
memory/2104-184-0x0000000000000000-mapping.dmp

Download
memory/2212-180-0x0000000000000000-mapping.dmp

Download
memory/2508-192-0x0000000000000000-mapping.dmp

Download
memory/2512-181-0x0000000000000000-mapping.dmp

Download
memory/3204-122-0x00007FFCDB650000-0x00007FFCDC73E000-memory.dmp

Filesize
16.9MB

Download
memory/3204-119-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3204-123-0x00007FFCD9750000-0x00007FFCDB645000-memory.dmp

Filesize
31.0MB

Download
memory/3204-114-0x00007FF650EB0000-0x00007FF654466000-memory.dmp

Filesize
53.7MB

Download
memory/3204-116-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3204-117-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3204-118-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3204-115-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp

Filesize
64KB

Download
memory/3312-190-0x0000000000000000-mapping.dmp

Download
memory/3312-193-0x0000000002DA0000-0x0000000002DD9000-memory.dmp

Filesize
228KB

Download
memory/3872-182-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads