qakbot | 2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9

General

Target

waff.xls
Size

233KB
MD5

15950554dbc4a843ef439b46d31fe341
SHA1

e91c0e7f7cfe1034fe1a3d861334fdb34f2bb691
SHA256

2915591ef479332f179e26a3f6e4a63c35049569f5ca42d067f64dbdae681df9
SHA512

ac330f408ef28b27e7a8d17caa1cd9c21ecde824cf03bd75e767b8b206ced98b5522bea53042947336f15150d05b8408bc587c3b1929a71c610a05b64834512b

Score

10^/10

qakbot tr 1632730751 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://maxdigitizing.com/wAbCNMUm/pp.html

xlm40.dropper

https://turnipshop.com/ihiRzoi1/pp.html

xlm40.dropper

https://dynamiclifts.co.in/1PWQQcv0D/pp.html

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3480	4796	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4564	4796	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4532	4796	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4572 regsvr32.exe

pid	process
4572	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4852 schtasks.exe

pid	process
4852	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4796 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

4572 regsvr32.exe
4572 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

4572 regsvr32.exe

pid	process
4572	regsvr32.exe
4572	regsvr32.exe

pid	process
4572	regsvr32.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

EXCEL.EXE

pid	process
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4796 wrote to memory of 3480	4796	EXCEL.EXE	regsvr32.exe
PID 4796 wrote to memory of 3480	4796	EXCEL.EXE	regsvr32.exe
PID 4796 wrote to memory of 4564	4796	EXCEL.EXE	regsvr32.exe
PID 4796 wrote to memory of 4564	4796	EXCEL.EXE	regsvr32.exe
PID 4796 wrote to memory of 4532	4796	EXCEL.EXE	regsvr32.exe
PID 4796 wrote to memory of 4532	4796	EXCEL.EXE	regsvr32.exe
PID 3480 wrote to memory of 4572	3480	regsvr32.exe	regsvr32.exe
PID 3480 wrote to memory of 4572	3480	regsvr32.exe	regsvr32.exe
PID 3480 wrote to memory of 4572	3480	regsvr32.exe	regsvr32.exe
PID 4572 wrote to memory of 4848	4572	regsvr32.exe	explorer.exe
PID 4572 wrote to memory of 4848	4572	regsvr32.exe	explorer.exe
PID 4572 wrote to memory of 4848	4572	regsvr32.exe	explorer.exe
PID 4572 wrote to memory of 4848	4572	regsvr32.exe	explorer.exe
PID 4572 wrote to memory of 4848	4572	regsvr32.exe	explorer.exe
PID 4848 wrote to memory of 4852	4848	explorer.exe	schtasks.exe
PID 4848 wrote to memory of 4852	4848	explorer.exe	schtasks.exe
PID 4848 wrote to memory of 4852	4848	explorer.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\waff.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\regsvr32.exe
C:\Datop\test.test
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rvfahslcyf /tr "regsvr32.exe -s \"C:\Datop\test.test\"" /SC ONCE /Z /ST 14:02 /ET 14:14
5⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
2⤵
- Process spawned unexpected child process
PID:4564

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
2⤵
- Process spawned unexpected child process
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Datop\test.test
MD5
97406f2cee93cdb660848c99e6d291e6

SHA1
17aa4ce85e931fdf383b864144a3c1b6e68f91e2

SHA256
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da

SHA512
4884d65111c7da44832d30eb0cd7bcee9aceb6de24a610eb0709960d1276ad963214b8c620b14960a43319b0d77da7af3f622a5d6f1d36f31190ac2c641be4ef

Download Submit
\Datop\test.test
MD5
97406f2cee93cdb660848c99e6d291e6

SHA1
17aa4ce85e931fdf383b864144a3c1b6e68f91e2

SHA256
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da

SHA512
4884d65111c7da44832d30eb0cd7bcee9aceb6de24a610eb0709960d1276ad963214b8c620b14960a43319b0d77da7af3f622a5d6f1d36f31190ac2c641be4ef

Download Submit
memory/3480-276-0x0000000000000000-mapping.dmp

Download
memory/4532-281-0x0000000000000000-mapping.dmp

Download
memory/4564-278-0x0000000000000000-mapping.dmp

Download
memory/4572-291-0x00000000736C0000-0x0000000073828000-memory.dmp

Filesize
1.4MB

Download
memory/4572-286-0x0000000000000000-mapping.dmp

Download
memory/4572-292-0x0000000000F00000-0x000000000104A000-memory.dmp

Filesize
1.3MB

Download
memory/4572-290-0x00000000736C0000-0x00000000736E1000-memory.dmp

Filesize
132KB

Download
memory/4796-118-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp

Filesize
64KB

Download
memory/4796-117-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp

Filesize
64KB

Download
memory/4796-116-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp

Filesize
64KB

Download
memory/4796-122-0x00007FFD900C0000-0x00007FFD911AE000-memory.dmp

Filesize
16.9MB

Download
memory/4796-115-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp

Filesize
64KB

Download
memory/4796-121-0x00007FFD6E7C0000-0x00007FFD6E7D0000-memory.dmp

Filesize
64KB

Download
memory/4796-114-0x00007FF765510000-0x00007FF768AC6000-memory.dmp

Filesize
53.7MB

Download
memory/4796-123-0x0000020AF20F0000-0x0000020AF3FE5000-memory.dmp

Filesize
31.0MB

Download
memory/4848-293-0x0000000000000000-mapping.dmp

Download
memory/4848-294-0x0000000000930000-0x0000000000951000-memory.dmp

Filesize
132KB

Download
memory/4852-295-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads