qakbot | 8393a4adfc52b82181fc5008601df84de01dd48cbb539d06a006eb93d271eb3d

General

Target

catalog-138717734.xlsm
Size

120KB
MD5

23723cbba5a0c4a19cd6bbf91f884f7c
SHA1

8ac83c33d6696122abfdaca85b16cbc2a44b06e3
SHA256

8393a4adfc52b82181fc5008601df84de01dd48cbb539d06a006eb93d271eb3d
SHA512

7821fdb964dad65b10920d987f03b6c7bfb7e1415c617c5d5586ef852ac24c0966f84276c5d95194adbd926bcead6843c9df6cce55ea90f871f73237ec5301f9

Score

10^/10

qakbot tr 1618398298 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3500	4024	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1832	4024	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2020	4024	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3980	4024	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3952 rundll32.exe
988 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2288 988 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2288	988	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3948 schtasks.exe

pid	process
3948	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4024 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
3952	rundll32.exe
3952	rundll32.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3952 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2288 WerFault.exe
Token: SeBackupPrivilege 2288 WerFault.exe
Token: SeDebugPrivilege 2288 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2288	WerFault.exe
Token: SeBackupPrivilege	2288	WerFault.exe
Token: SeDebugPrivilege	2288	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE
4024	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 4024 wrote to memory of 3500	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 3500	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 1832	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 1832	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 2020	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 2020	4024	EXCEL.EXE	rundll32.exe
PID 2020 wrote to memory of 3952	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 3952	2020	rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 3952	2020	rundll32.exe	rundll32.exe
PID 3952 wrote to memory of 2108	3952	rundll32.exe	explorer.exe
PID 3952 wrote to memory of 2108	3952	rundll32.exe	explorer.exe
PID 3952 wrote to memory of 2108	3952	rundll32.exe	explorer.exe
PID 3952 wrote to memory of 2108	3952	rundll32.exe	explorer.exe
PID 3952 wrote to memory of 2108	3952	rundll32.exe	explorer.exe
PID 2108 wrote to memory of 3948	2108	explorer.exe	schtasks.exe
PID 2108 wrote to memory of 3948	2108	explorer.exe	schtasks.exe
PID 2108 wrote to memory of 3948	2108	explorer.exe	schtasks.exe
PID 4024 wrote to memory of 3980	4024	EXCEL.EXE	rundll32.exe
PID 4024 wrote to memory of 3980	4024	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 988	1832	regsvr32.exe	regsvr32.exe
PID 1832 wrote to memory of 988	1832	regsvr32.exe	regsvr32.exe
PID 1832 wrote to memory of 988	1832	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\catalog-138717734.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3500

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue2,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1832

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue3,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\ghnrope.rue3,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pngpjmxm /tr "regsvr32.exe -s \"C:\Users\Admin\ghnrope.rue3\"" /SC ONCE /Z /ST 15:13 /ET 15:25
5⤵
- Creates scheduled task(s)
PID:3948

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ghnrope.rue4,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:3980

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\ghnrope.rue3"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\ghnrope.rue3"
2⤵
- Loads dropped DLL
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ghnrope.rue3

MD5
0862c2bc59577f5ba1732433ced4a248

SHA1
77ae6da5d0a01f95b97a8f809bbf5853aa1acb4b

SHA256
fce34f30cbed4604e97b3982edd693510467a2d61b70ee7b62ea8c777990ea6d

SHA512
8aaf0529d8cf73d229c841ca5f4b7391cfb096a2de3507dd25ba170688c0495caa6f86bee4cf140dcf66734b6077d7adf1609a1a13407ce33c6ec768662cd0c4

Download Submit
C:\Users\Admin\ghnrope.rue3

MD5
62e816ec26ce2332fc8ed5a7dcf7e5c7

SHA1
e7c09a444aeb59df34a0eaa3e3bdf3921a697f53

SHA256
ca88e29eb97223c8f4b05589d854b942728181779e16c483843a5d860371c386

SHA512
1a46e74f7356a7d320f320d5624397af0a16eee930d0fb45a017de7c6a0b230be294da86aa713eda8d444a20a7cdbc121211a811a36b0c96de57ef857db15121

Download Submit
\Users\Admin\ghnrope.rue3

MD5
0862c2bc59577f5ba1732433ced4a248

SHA1
77ae6da5d0a01f95b97a8f809bbf5853aa1acb4b

SHA256
fce34f30cbed4604e97b3982edd693510467a2d61b70ee7b62ea8c777990ea6d

SHA512
8aaf0529d8cf73d229c841ca5f4b7391cfb096a2de3507dd25ba170688c0495caa6f86bee4cf140dcf66734b6077d7adf1609a1a13407ce33c6ec768662cd0c4

Download Submit
\Users\Admin\ghnrope.rue3

MD5
62e816ec26ce2332fc8ed5a7dcf7e5c7

SHA1
e7c09a444aeb59df34a0eaa3e3bdf3921a697f53

SHA256
ca88e29eb97223c8f4b05589d854b942728181779e16c483843a5d860371c386

SHA512
1a46e74f7356a7d320f320d5624397af0a16eee930d0fb45a017de7c6a0b230be294da86aa713eda8d444a20a7cdbc121211a811a36b0c96de57ef857db15121

Download Submit
memory/988-193-0x0000000000000000-mapping.dmp

Download
memory/1832-180-0x0000000000000000-mapping.dmp

Download
memory/2020-181-0x0000000000000000-mapping.dmp

Download
memory/2108-189-0x00000000004E0000-0x0000000000519000-memory.dmp

Filesize
228KB

Download
memory/2108-188-0x0000000000000000-mapping.dmp

Download
memory/3500-179-0x0000000000000000-mapping.dmp

Download
memory/3948-190-0x0000000000000000-mapping.dmp

Download
memory/3952-183-0x0000000000000000-mapping.dmp

Download
memory/3952-185-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3952-187-0x00000000065E0000-0x0000000006619000-memory.dmp

Filesize
228KB

Download
memory/3952-186-0x0000000004D20000-0x0000000004D62000-memory.dmp

Filesize
264KB

Download
memory/3980-191-0x0000000000000000-mapping.dmp

Download
memory/4024-114-0x00007FF75EC70000-0x00007FF762226000-memory.dmp

Filesize
53.7MB

Download
memory/4024-123-0x000002BC257D0000-0x000002BC276C5000-memory.dmp

Filesize
31.0MB

Download
memory/4024-122-0x00007FFAA9DE0000-0x00007FFAAAECE000-memory.dmp

Filesize
16.9MB

Download
memory/4024-121-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4024-118-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4024-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4024-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download
memory/4024-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads