qakbot | 9c5c2af628233f118a88fb03f859e0f92f4393c8dd7c8204afe15af161f568c7

General

Target

test.test.dll
Size

355KB
MD5

ed3b43ef66f58f891cc51cacc79b0b72
SHA1

02cfa19d275c96fafad6b3e440b220200b839f99
SHA256

9c5c2af628233f118a88fb03f859e0f92f4393c8dd7c8204afe15af161f568c7
SHA512

73913ebf9895625de2b4a4e5c4534164f79b708bfc1338aade1d90aae57836bd7ea79e2a32976b138d8d5ab1d877ec5997428461acb588e732ec49ab8235d116

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4076 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4188 schtasks.exe

pid	process
4076	regsvr32.exe

pid	process
4188	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\4a5b13d5 = e42a3476805cb50841075024413c71b37bdc3a33eb38f44eae5a4bb70eb90eb5f080d66428d4e7e956	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\37535c5f = 4160a69181234e3262aa52c3aa50e142e553157619046aa5b9743604a3e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\481a33a9 = 24ad6e28b26aca0f760875ff416eb3f33789ad8438a154a659	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\ba70eb74 = 2592229324aab6388e1d3e115b4167cdccbd1f02e8729e1326c03e35d2dae9176ce39d8998cd526ba201a3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\c5398482 = 5b40ab6e19606fe3b244734f0e08738948fd339ca93ea10cbc70b1464302ca26af6a5104178d3970a7ea618aa86cbb10377532650c1da61d1f730fc17cad23ceca3c6127210493ca	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\f0a654cc = ee96bf35c366eda01aa7e264f68928b1e28adc8454cca2620104261645e07d6a31388eddee77cb1b1cc10dc7c7a575d29276d8d7f217aa8b5664995da5d88d4d2a16dcfec2ad61f235fe4ba4ba1010120203cd68a8f89d5645318a1194a7c991410d70036e84ef9b25fc9ffb55eb0bedd6f05ce21c28781ebd4b5ed07fa60e58fb216c080ed5b0b031e895522fc1dbbd96b64d279255355d8274f9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\c5398482 = 5b40bc6e19605ac28dc59a0e4f37294dc7ca806443f6cff994a08fec14ac4375348ceb6045a2d44f0e749e18a221008e7fe61b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\f2e774b0 = b758f55e5000cbf807821aae927b5bf97beba64a45a2acfacbcc43d7c1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot\8fef3b3a = 4e7b98ce48d55e9be518d494065529ad6d122fb0c6d9374161998baf35a2549aff246aa363347f430033447cc725c1f778	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Nsspyoyusuwot	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3476 rundll32.exe
3476 rundll32.exe
4076 regsvr32.exe
4076 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3476 rundll32.exe
4076 regsvr32.exe

pid	process
3476	rundll32.exe
3476	rundll32.exe
4076	regsvr32.exe
4076	regsvr32.exe

pid	process
3476	rundll32.exe
4076	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3472 wrote to memory of 3476	3472	rundll32.exe	rundll32.exe
PID 3472 wrote to memory of 3476	3472	rundll32.exe	rundll32.exe
PID 3472 wrote to memory of 3476	3472	rundll32.exe	rundll32.exe
PID 3476 wrote to memory of 4152	3476	rundll32.exe	explorer.exe
PID 3476 wrote to memory of 4152	3476	rundll32.exe	explorer.exe
PID 3476 wrote to memory of 4152	3476	rundll32.exe	explorer.exe
PID 3476 wrote to memory of 4152	3476	rundll32.exe	explorer.exe
PID 3476 wrote to memory of 4152	3476	rundll32.exe	explorer.exe
PID 4152 wrote to memory of 4188	4152	explorer.exe	schtasks.exe
PID 4152 wrote to memory of 4188	4152	explorer.exe	schtasks.exe
PID 4152 wrote to memory of 4188	4152	explorer.exe	schtasks.exe
PID 4052 wrote to memory of 4076	4052	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 4076	4052	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 4076	4052	regsvr32.exe	regsvr32.exe
PID 4076 wrote to memory of 4360	4076	regsvr32.exe	explorer.exe
PID 4076 wrote to memory of 4360	4076	regsvr32.exe	explorer.exe
PID 4076 wrote to memory of 4360	4076	regsvr32.exe	explorer.exe
PID 4076 wrote to memory of 4360	4076	regsvr32.exe	explorer.exe
PID 4076 wrote to memory of 4360	4076	regsvr32.exe	explorer.exe
PID 4360 wrote to memory of 4244	4360	explorer.exe	reg.exe
PID 4360 wrote to memory of 4244	4360	explorer.exe	reg.exe
PID 4360 wrote to memory of 1636	4360	explorer.exe	reg.exe
PID 4360 wrote to memory of 1636	4360	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eutmcio /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 12:29 /ET 12:41
4⤵
- Creates scheduled task(s)
PID:4188

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ymbteaofo" /d "0"
4⤵
PID:4244

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Cfusuts" /d "0"
4⤵
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
ed3b43ef66f58f891cc51cacc79b0b72

SHA1
02cfa19d275c96fafad6b3e440b220200b839f99

SHA256
9c5c2af628233f118a88fb03f859e0f92f4393c8dd7c8204afe15af161f568c7

SHA512
73913ebf9895625de2b4a4e5c4534164f79b708bfc1338aade1d90aae57836bd7ea79e2a32976b138d8d5ab1d877ec5997428461acb588e732ec49ab8235d116

Download Submit
\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
ed3b43ef66f58f891cc51cacc79b0b72

SHA1
02cfa19d275c96fafad6b3e440b220200b839f99

SHA256
9c5c2af628233f118a88fb03f859e0f92f4393c8dd7c8204afe15af161f568c7

SHA512
73913ebf9895625de2b4a4e5c4534164f79b708bfc1338aade1d90aae57836bd7ea79e2a32976b138d8d5ab1d877ec5997428461acb588e732ec49ab8235d116

Download Submit
memory/1636-129-0x0000000000000000-mapping.dmp

Download
memory/3476-117-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3476-116-0x0000000002FA0000-0x0000000002FC3000-memory.dmp

Filesize
140KB

Download
memory/3476-115-0x0000000000000000-mapping.dmp

Download
memory/4076-126-0x00000000037B0000-0x00000000037F3000-memory.dmp

Filesize
268KB

Download
memory/4076-124-0x0000000000000000-mapping.dmp

Download
memory/4152-122-0x0000000003050000-0x0000000003071000-memory.dmp

Filesize
132KB

Download
memory/4152-118-0x0000000000000000-mapping.dmp

Download
memory/4188-119-0x0000000000000000-mapping.dmp

Download
memory/4244-128-0x0000000000000000-mapping.dmp

Download
memory/4360-127-0x0000000000000000-mapping.dmp

Download
memory/4360-130-0x0000000000870000-0x0000000000891000-memory.dmp

Filesize
132KB

Download
memory/4360-132-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads