qakbot | 430d4980a1a19c9f7fdb203c395ef1a920f8595b0d93ae212fb526f9e9af1fd4

General

Target

catalog-1746358838.xlsm
Size

120KB
MD5

f7604fd53f0c0e2ba5f1e688f85d6d38
SHA1

4e179d4689b4d3760bbff69f3493a7802d8b9259
SHA256

430d4980a1a19c9f7fdb203c395ef1a920f8595b0d93ae212fb526f9e9af1fd4
SHA512

9079aefe98413f2af951dd0f787d7e4f3186e6a8ec59f16b7d19714fab48174da841f68a7204dffbb00413efacdef710621e31318791d48214309988f3835b41

Score

10^/10

qakbot tr 1618398298 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3984	740	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4064	740	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	968	740	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2816	740	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

496 rundll32.exe
3412 regsvr32.exe
3412 regsvr32.exe

pid	process
496	rundll32.exe
3412	regsvr32.exe
3412	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2252 schtasks.exe

pid	process
2252	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

740 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

496 rundll32.exe
496 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

496 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

740 EXCEL.EXE
740 EXCEL.EXE

pid	process
496	rundll32.exe
496	rundll32.exe

pid	process
496	rundll32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 740 wrote to memory of 3984	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 3984	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 4064	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 4064	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 968	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 968	740	EXCEL.EXE	rundll32.exe
PID 968 wrote to memory of 496	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 496	968	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 496	968	rundll32.exe	rundll32.exe
PID 496 wrote to memory of 3424	496	rundll32.exe	explorer.exe
PID 496 wrote to memory of 3424	496	rundll32.exe	explorer.exe
PID 496 wrote to memory of 3424	496	rundll32.exe	explorer.exe
PID 496 wrote to memory of 3424	496	rundll32.exe	explorer.exe
PID 496 wrote to memory of 3424	496	rundll32.exe	explorer.exe
PID 740 wrote to memory of 2816	740	EXCEL.EXE	rundll32.exe
PID 740 wrote to memory of 2816	740	EXCEL.EXE	rundll32.exe
PID 3424 wrote to memory of 2252	3424	explorer.exe	schtasks.exe
PID 3424 wrote to memory of 2252	3424	explorer.exe	schtasks.exe
PID 3424 wrote to memory of 2252	3424	explorer.exe	schtasks.exe
PID 3840 wrote to memory of 3412	3840	regsvr32.exe	regsvr32.exe
PID 3840 wrote to memory of 3412	3840	regsvr32.exe	regsvr32.exe
PID 3840 wrote to memory of 3412	3840	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\catalog-1746358838.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3984

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:4064

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue3,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\ghnrope.rue3,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn piuqpqhbl /tr "regsvr32.exe -s \"C:\Users\Admin\ghnrope.rue3\"" /SC ONCE /Z /ST 15:24 /ET 15:36
5⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:2816

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\ghnrope.rue3"
1⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\ghnrope.rue3"
2⤵
- Loads dropped DLL
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ghnrope.rue3

MD5
0862c2bc59577f5ba1732433ced4a248

SHA1
77ae6da5d0a01f95b97a8f809bbf5853aa1acb4b

SHA256
fce34f30cbed4604e97b3982edd693510467a2d61b70ee7b62ea8c777990ea6d

SHA512
8aaf0529d8cf73d229c841ca5f4b7391cfb096a2de3507dd25ba170688c0495caa6f86bee4cf140dcf66734b6077d7adf1609a1a13407ce33c6ec768662cd0c4

Download Submit
C:\Users\Admin\ghnrope.rue3

MD5
62e816ec26ce2332fc8ed5a7dcf7e5c7

SHA1
e7c09a444aeb59df34a0eaa3e3bdf3921a697f53

SHA256
ca88e29eb97223c8f4b05589d854b942728181779e16c483843a5d860371c386

SHA512
1a46e74f7356a7d320f320d5624397af0a16eee930d0fb45a017de7c6a0b230be294da86aa713eda8d444a20a7cdbc121211a811a36b0c96de57ef857db15121

Download Submit
\Users\Admin\ghnrope.rue3

MD5
0862c2bc59577f5ba1732433ced4a248

SHA1
77ae6da5d0a01f95b97a8f809bbf5853aa1acb4b

SHA256
fce34f30cbed4604e97b3982edd693510467a2d61b70ee7b62ea8c777990ea6d

SHA512
8aaf0529d8cf73d229c841ca5f4b7391cfb096a2de3507dd25ba170688c0495caa6f86bee4cf140dcf66734b6077d7adf1609a1a13407ce33c6ec768662cd0c4

Download Submit
\Users\Admin\ghnrope.rue3

MD5
62e816ec26ce2332fc8ed5a7dcf7e5c7

SHA1
e7c09a444aeb59df34a0eaa3e3bdf3921a697f53

SHA256
ca88e29eb97223c8f4b05589d854b942728181779e16c483843a5d860371c386

SHA512
1a46e74f7356a7d320f320d5624397af0a16eee930d0fb45a017de7c6a0b230be294da86aa713eda8d444a20a7cdbc121211a811a36b0c96de57ef857db15121

Download Submit
\Users\Admin\ghnrope.rue3

MD5
62e816ec26ce2332fc8ed5a7dcf7e5c7

SHA1
e7c09a444aeb59df34a0eaa3e3bdf3921a697f53

SHA256
ca88e29eb97223c8f4b05589d854b942728181779e16c483843a5d860371c386

SHA512
1a46e74f7356a7d320f320d5624397af0a16eee930d0fb45a017de7c6a0b230be294da86aa713eda8d444a20a7cdbc121211a811a36b0c96de57ef857db15121

Download Submit
memory/496-186-0x0000000004C80000-0x0000000004CC2000-memory.dmp

Filesize
264KB

Download
memory/496-187-0x0000000004D10000-0x0000000004D49000-memory.dmp

Filesize
228KB

Download
memory/496-185-0x0000000002940000-0x00000000029EE000-memory.dmp

Filesize
696KB

Download
memory/496-183-0x0000000000000000-mapping.dmp

Download
memory/740-122-0x00007FF9B9EB0000-0x00007FF9BAF9E000-memory.dmp

Filesize
16.9MB

Download
memory/740-118-0x00007FF999990000-0x00007FF9999A0000-memory.dmp

Filesize
64KB

Download
memory/740-115-0x00007FF999990000-0x00007FF9999A0000-memory.dmp

Filesize
64KB

Download
memory/740-116-0x00007FF999990000-0x00007FF9999A0000-memory.dmp

Filesize
64KB

Download
memory/740-123-0x00007FF9B7FB0000-0x00007FF9B9EA5000-memory.dmp

Filesize
31.0MB

Download
memory/740-114-0x00007FF70E060000-0x00007FF711616000-memory.dmp

Filesize
53.7MB

Download
memory/740-121-0x00007FF999990000-0x00007FF9999A0000-memory.dmp

Filesize
64KB

Download
memory/740-117-0x00007FF999990000-0x00007FF9999A0000-memory.dmp

Filesize
64KB

Download
memory/968-181-0x0000000000000000-mapping.dmp

Download
memory/2252-190-0x0000000000000000-mapping.dmp

Download
memory/2816-189-0x0000000000000000-mapping.dmp

Download
memory/3412-193-0x0000000000000000-mapping.dmp

Download
memory/3424-188-0x0000000000000000-mapping.dmp

Download
memory/3424-191-0x0000000002F40000-0x0000000002F79000-memory.dmp

Filesize
228KB

Download
memory/3984-179-0x0000000000000000-mapping.dmp

Download
memory/4064-180-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads