qakbot | 11dad18ad216bbbf97891c947ef3b70acd0c5a9a0ce80a9f5c4bcaecd7275164

General

Target

catalog-2032366526.xls
Size

367KB
MD5

090811fa4bbb26277eebc82843f3d70e
SHA1

135d07236adba8e6441c72df1b7f2c459505583c
SHA256

11dad18ad216bbbf97891c947ef3b70acd0c5a9a0ce80a9f5c4bcaecd7275164
SHA512

469ec22e3b2e86bdc5f6d32e3e299ee69f0d12620c0f7486361f19258e7900b3892c8a5d2b1257bdd0188cbe5f9bae7e489dd3f4f17cd5cd81b69abdfa7738d0

Score

10^/10

qakbot tr 1619706851 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.68

Botnet

tr

Campaign

1619706851

C2

24.117.107.120:443

190.85.91.154:443

72.252.201.69:443

189.210.115.207:443

71.41.184.10:3389

81.97.154.100:443

50.29.166.232:995

140.82.49.12:443

75.137.47.174:443

71.74.12.34:443

73.25.124.140:2222

149.28.99.97:2222

45.77.115.208:2222

45.32.211.207:995

207.246.116.237:443

149.28.99.97:443

207.246.77.75:443

149.28.98.196:995

207.246.116.237:2222

45.77.115.208:8443

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1996	3920	rundll32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1924	3920	rundll32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 3 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1512 rundll32.exe
1512 rundll32.exe
2156 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2200 2156 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2200	2156	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3936 schtasks.exe

pid	process
3936	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3920 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1512 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2200 WerFault.exe
Token: SeBackupPrivilege 2200 WerFault.exe
Token: SeDebugPrivilege 2200 WerFault.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3920 EXCEL.EXE
3920 EXCEL.EXE

description	pid	process
Token: SeRestorePrivilege	2200	WerFault.exe
Token: SeBackupPrivilege	2200	WerFault.exe
Token: SeDebugPrivilege	2200	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE
3920	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3920 wrote to memory of 1996	3920	EXCEL.EXE	rundll32.exe
PID 3920 wrote to memory of 1996	3920	EXCEL.EXE	rundll32.exe
PID 1996 wrote to memory of 1512	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1512	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1512	1996	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 3144	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 3144	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 3144	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 3144	1512	rundll32.exe	explorer.exe
PID 1512 wrote to memory of 3144	1512	rundll32.exe	explorer.exe
PID 3920 wrote to memory of 1924	3920	EXCEL.EXE	rundll32.exe
PID 3920 wrote to memory of 1924	3920	EXCEL.EXE	rundll32.exe
PID 3144 wrote to memory of 3936	3144	explorer.exe	schtasks.exe
PID 3144 wrote to memory of 3936	3144	explorer.exe	schtasks.exe
PID 3144 wrote to memory of 3936	3144	explorer.exe	schtasks.exe
PID 2192 wrote to memory of 2156	2192	regsvr32.exe	regsvr32.exe
PID 2192 wrote to memory of 2156	2192	regsvr32.exe	regsvr32.exe
PID 2192 wrote to memory of 2156	2192	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\catalog-2032366526.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ritofm.cvm,DllRegisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\ritofm.cvm,DllRegisterServer
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gcqeieuj /tr "regsvr32.exe -s \"C:\Users\Admin\ritofm.cvm\"" /SC ONCE /Z /ST 15:29 /ET 15:41
5⤵
- Creates scheduled task(s)
PID:3936

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\ritofm.cvm1,DllRegisterServer
2⤵
- Process spawned unexpected child process
PID:1924

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\ritofm.cvm"
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\ritofm.cvm"
2⤵
- Loads dropped DLL
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ritofm.cvm
MD5
3204cb6d305acc436e09d757cba3a9dc

SHA1
a58d221b113971c4084db930ec96bbc40f834be0

SHA256
074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177

SHA512
f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86

Download Submit
C:\Users\Admin\ritofm.cvm
MD5
ba2e00831a081ead1ca285ec389eafee

SHA1
1beed63213f4b667a2cb9ce6ebe13a5e164344d8

SHA256
32bde54ca58893260b8d87c6a4edc48c16dd9115748cd4eeeb7cf9a822089c43

SHA512
e02f5c31bd98f82778d253722023a193f4ebd893142e8d9caeea6a7f5dcfbbe537e085245de496b784aef96a0ccab2cbb27688e9f5489d18eb187776381eabaf

Download Submit
\Users\Admin\ritofm.cvm
MD5
3204cb6d305acc436e09d757cba3a9dc

SHA1
a58d221b113971c4084db930ec96bbc40f834be0

SHA256
074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177

SHA512
f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86

Download Submit
\Users\Admin\ritofm.cvm
MD5
3204cb6d305acc436e09d757cba3a9dc

SHA1
a58d221b113971c4084db930ec96bbc40f834be0

SHA256
074db34f0d313635c8dc7a3f2c24dd9eef990bdb61aa9da617ac9d719645d177

SHA512
f72e5f2ed7a2e5ebddccd3dec77060fe42df698169ca83a016e172d15674e405b48b00cafbc68f94a2f73e0cc1883583fcfc13aff79c940198a6f63f5428af86

Download Submit
\Users\Admin\ritofm.cvm
MD5
ba2e00831a081ead1ca285ec389eafee

SHA1
1beed63213f4b667a2cb9ce6ebe13a5e164344d8

SHA256
32bde54ca58893260b8d87c6a4edc48c16dd9115748cd4eeeb7cf9a822089c43

SHA512
e02f5c31bd98f82778d253722023a193f4ebd893142e8d9caeea6a7f5dcfbbe537e085245de496b784aef96a0ccab2cbb27688e9f5489d18eb187776381eabaf

Download Submit
memory/1512-184-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/1512-185-0x00000000011D0000-0x000000000120D000-memory.dmp

Filesize
244KB

Download
memory/1512-181-0x0000000000000000-mapping.dmp

Download
memory/1924-188-0x0000000000000000-mapping.dmp

Download
memory/1996-179-0x0000000000000000-mapping.dmp

Download
memory/2156-191-0x0000000000000000-mapping.dmp

Download
memory/3144-186-0x0000000000000000-mapping.dmp

Download
memory/3144-187-0x0000000002F50000-0x0000000002F8D000-memory.dmp

Filesize
244KB

Download
memory/3920-123-0x000001B55E3E0000-0x000001B5602D5000-memory.dmp

Filesize
31.0MB

Download
memory/3920-122-0x00007FF9EFDA0000-0x00007FF9F0E8E000-memory.dmp

Filesize
16.9MB

Download
memory/3920-121-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3920-114-0x00007FF614540000-0x00007FF617AF6000-memory.dmp

Filesize
53.7MB

Download
memory/3920-118-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3920-117-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3920-116-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3920-115-0x00007FF9CF580000-0x00007FF9CF590000-memory.dmp

Filesize
64KB

Download
memory/3936-189-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads