qakbot | 80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82

General

Target

a.xlsb
Size

155KB
MD5

79d94d53703ee58ab2aac1782cbd6939
SHA1

16a918e278d56ed854a3314d2a4ea907001195fc
SHA256

80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82
SHA512

912a3ea6a5f75b35376ac34b03605ffd660376ad2f201648a0b73b79159c35f051842ba0585ad075bdd2424940dc671082f2cdf178e53c4c6cfdd072c3a7dcd9

Score

10^/10

qakbot tr 1623225382 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://shadiinfo.com/2DP6mQeg/pt.html

xlm40.dropper

https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html

Extracted

Family

qakbot

Version

402.68

Botnet

tr

Campaign

1623225382

C2

190.85.91.154:443

140.82.49.12:443

105.198.236.101:443

68.186.192.69:443

24.95.61.62:443

90.65.234.26:2222

197.45.110.165:995

96.61.23.88:995

172.78.51.35:443

184.185.103.157:443

71.163.222.223:443

27.223.92.142:995

24.179.77.236:443

97.69.160.4:2222

188.26.91.212:443

75.67.192.125:443

24.152.219.253:995

92.59.35.196:2222

47.22.148.6:443

216.201.162.158:443

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	8	624	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3176	624	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

732 regsvr32.exe
1412 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2760 1412 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
2760	1412	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3600 schtasks.exe

pid	process
3600	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

624 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

regsvr32.exeWerFault.exe

pid	process
732	regsvr32.exe
732	regsvr32.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe
2760	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

732 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2760 WerFault.exe
Token: SeBackupPrivilege 2760 WerFault.exe
Token: SeDebugPrivilege 2760 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2760	WerFault.exe
Token: SeBackupPrivilege	2760	WerFault.exe
Token: SeDebugPrivilege	2760	WerFault.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE
624	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 624 wrote to memory of 3512	624	EXCEL.EXE	splwow64.exe
PID 624 wrote to memory of 3512	624	EXCEL.EXE	splwow64.exe
PID 624 wrote to memory of 8	624	EXCEL.EXE	regsvr32.exe
PID 624 wrote to memory of 8	624	EXCEL.EXE	regsvr32.exe
PID 8 wrote to memory of 732	8	regsvr32.exe	regsvr32.exe
PID 8 wrote to memory of 732	8	regsvr32.exe	regsvr32.exe
PID 8 wrote to memory of 732	8	regsvr32.exe	regsvr32.exe
PID 732 wrote to memory of 3868	732	regsvr32.exe	explorer.exe
PID 732 wrote to memory of 3868	732	regsvr32.exe	explorer.exe
PID 732 wrote to memory of 3868	732	regsvr32.exe	explorer.exe
PID 732 wrote to memory of 3868	732	regsvr32.exe	explorer.exe
PID 732 wrote to memory of 3868	732	regsvr32.exe	explorer.exe
PID 624 wrote to memory of 3176	624	EXCEL.EXE	regsvr32.exe
PID 624 wrote to memory of 3176	624	EXCEL.EXE	regsvr32.exe
PID 3868 wrote to memory of 3600	3868	explorer.exe	schtasks.exe
PID 3868 wrote to memory of 3600	3868	explorer.exe	schtasks.exe
PID 3868 wrote to memory of 3600	3868	explorer.exe	schtasks.exe
PID 3380 wrote to memory of 1412	3380	regsvr32.exe	regsvr32.exe
PID 3380 wrote to memory of 1412	3380	regsvr32.exe	regsvr32.exe
PID 3380 wrote to memory of 1412	3380	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\a.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3512

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 -s ..\covi1.dll
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\regsvr32.exe
-s ..\covi1.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn quwxulmxnc /tr "regsvr32.exe -s \"C:\Users\Admin\covi1.dll\"" /SC ONCE /Z /ST 11:53 /ET 12:05
5⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 -s ..\covi2.dll
2⤵
- Process spawned unexpected child process
PID:3176

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\covi1.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\covi1.dll"
2⤵
- Loads dropped DLL
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 596
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\covi1.dll
MD5
dbf8ea4418afb979a09b782cfbdaccbb

SHA1
03aa8b79fe5289a65c7327524dd052d1134bf537

SHA256
e0934288689e1796773b1eeffe0098c40962335d883a4b4dbad87e68d975f548

SHA512
128d0cec8aaa9dfedba6e98d50747f5200fe7b68f82c7f969a89537d7f5e9ebab47df8b38f1f6ecdc1bbfa56c2d4614e4286454a2bf72f9aa8eb6e65ed1e771b

Download Submit
C:\Users\Admin\covi1.dll
MD5
6edc1d62b0dd8681da9f35cc7320f44b

SHA1
5bfd270a9b7a28a26a29c56c825d93cb84242dc1

SHA256
c74ac403d16f8a943741b28876ce112feb57fab8e9ca7af2310f9ba46d6de482

SHA512
a7f1014eae1b8552521abfcafcbf23ea4962b424d927f168cb3072aaf685ca6a383e1754284bacf0c441dd10e557998f0749ecbb463a751be3045a6dd232af9b

Download Submit
\Users\Admin\covi1.dll
MD5
dbf8ea4418afb979a09b782cfbdaccbb

SHA1
03aa8b79fe5289a65c7327524dd052d1134bf537

SHA256
e0934288689e1796773b1eeffe0098c40962335d883a4b4dbad87e68d975f548

SHA512
128d0cec8aaa9dfedba6e98d50747f5200fe7b68f82c7f969a89537d7f5e9ebab47df8b38f1f6ecdc1bbfa56c2d4614e4286454a2bf72f9aa8eb6e65ed1e771b

Download Submit
\Users\Admin\covi1.dll
MD5
6edc1d62b0dd8681da9f35cc7320f44b

SHA1
5bfd270a9b7a28a26a29c56c825d93cb84242dc1

SHA256
c74ac403d16f8a943741b28876ce112feb57fab8e9ca7af2310f9ba46d6de482

SHA512
a7f1014eae1b8552521abfcafcbf23ea4962b424d927f168cb3072aaf685ca6a383e1754284bacf0c441dd10e557998f0749ecbb463a751be3045a6dd232af9b

Download Submit
memory/8-180-0x0000000000000000-mapping.dmp

Download
memory/624-121-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/624-122-0x00007FFCABD00000-0x00007FFCACDEE000-memory.dmp

Filesize
16.9MB

Download
memory/624-123-0x00007FFCA9E00000-0x00007FFCABCF5000-memory.dmp

Filesize
31.0MB

Download
memory/624-115-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/624-114-0x00007FF7E8160000-0x00007FF7EB716000-memory.dmp

Filesize
53.7MB

Download
memory/624-118-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/624-116-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/624-117-0x00007FFC8B990000-0x00007FFC8B9A0000-memory.dmp

Filesize
64KB

Download
memory/732-184-0x0000000004C90000-0x0000000004CB3000-memory.dmp

Filesize
140KB

Download
memory/732-185-0x0000000010000000-0x0000000010076000-memory.dmp

Filesize
472KB

Download
memory/732-182-0x0000000000000000-mapping.dmp

Download
memory/1412-191-0x0000000000000000-mapping.dmp

Download
memory/3176-187-0x0000000000000000-mapping.dmp

Download
memory/3512-179-0x0000000000000000-mapping.dmp

Download
memory/3600-188-0x0000000000000000-mapping.dmp

Download
memory/3868-186-0x0000000000000000-mapping.dmp

Download
memory/3868-189-0x0000000000C30000-0x0000000000C6D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads