qakbot | cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

General

Target

296474dfc42b6c053f354be7e1be151e.exe.dll
Size

327KB
MD5

296474dfc42b6c053f354be7e1be151e
SHA1

138ad810a0dfc8216ea5f71b1d2e00f667dc3b16
SHA256

cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4
SHA512

d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

900 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1648 schtasks.exe

pid	process
900	regsvr32.exe

pid	process
1648	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uunuqrcooc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\94dcc0e5 = ffe720261ddfa55cdb39416aa011d6e63eb3c394e887b5b2990cd90abb7325f6e746f03817b4a242e8d6d2ad9d2125f073d92d5613cc12ae7a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\a30230d7 = 596de57c4c60f578432546c97b148bbe0d75a4933973cc78496b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\1bbe57b2 = c1302c9b61214f7047b1de3401	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\66b61838 = ea17b3eeffefe28689c27aec90b670bbb5c41775b83b3498dafa2d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\a14310ab = e2fc3a316527bad41d14892ba92023fedb742ccb8c0fec883b94e6c9124d940ea4f42926c6482dcf362d1356098dec3a86aa5989f662190869591fa0a45023941c89526f2559876543a4b599160f7bb057c84b44b1147f1bd414e2e39751341fdd1fb32361399d8d27736531155bf30a424df31af4a49c57615536db92f5d9433b59a39f7c7539f69b4aff0a6fe35c3acf8b524f7b6dad77f8f2b4116414b3cafa183110d5faa59dc06b80066c66eade13fe997bf46a61af1b0f554d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\de0a7f5d = 94f6e6d89e87dac20bfc18fe5066f8fb1dbfeb0ac322fee9e47cf28df763d8b89e256fd6bde66c8662f9e9b74c7b660e88bebf3607f301de3623ba5f090da85d470ca42551081ba7f916bf40a4e4b98a49c48747	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\19ff77ce = 7e0ba616488e1f46ce2eb38b0682659744a3494b35b7d91b826b66afaca546804d3837a9161bbe30	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\eb95af13 = b89afccfeb8d58afd223876ba577536547392110c444e044a90e474b4e130d934c220f93ee318d82fd5fd4046a39f2926ef7ed1aacf3ddfe9f013ac136852b7526a9fc541a0f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Uunuqrcooc\94dcc0e5 = ffe737261ddf90893e47cae0ac592cfc52e8cf709db27f5425bee5406ca308ff0ae67d5cc581b5a137d87ee31b6879bc697be5b43d99a2b74dded1ee5fe4a70f81295fe5d053b7cfb0fabf1b13f8	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

552 regsvr32.exe
900 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

552 regsvr32.exe
900 regsvr32.exe

pid	process
552	regsvr32.exe
900	regsvr32.exe

pid	process
552	regsvr32.exe
900	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 552	784	regsvr32.exe	regsvr32.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 552 wrote to memory of 1800	552	regsvr32.exe	explorer.exe
PID 1800 wrote to memory of 1648	1800	explorer.exe	schtasks.exe
PID 1800 wrote to memory of 1648	1800	explorer.exe	schtasks.exe
PID 1800 wrote to memory of 1648	1800	explorer.exe	schtasks.exe
PID 1800 wrote to memory of 1648	1800	explorer.exe	schtasks.exe
PID 1228 wrote to memory of 1392	1228	taskeng.exe	regsvr32.exe
PID 1228 wrote to memory of 1392	1228	taskeng.exe	regsvr32.exe
PID 1228 wrote to memory of 1392	1228	taskeng.exe	regsvr32.exe
PID 1228 wrote to memory of 1392	1228	taskeng.exe	regsvr32.exe
PID 1228 wrote to memory of 1392	1228	taskeng.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 900	1392	regsvr32.exe	regsvr32.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 900 wrote to memory of 320	900	regsvr32.exe	explorer.exe
PID 320 wrote to memory of 1052	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1052	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1052	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1052	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1072	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1072	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1072	320	explorer.exe	reg.exe
PID 320 wrote to memory of 1072	320	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mnqqkuaa /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll\"" /SC ONCE /Z /ST 17:12 /ET 17:24
4⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {3E5ECAFE-B5A3-4C3E-9E85-D00E3776C424} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hqdpapin" /d "0"
5⤵
PID:1052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Profyayhxj" /d "0"
5⤵
PID:1072

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
MD5
296474dfc42b6c053f354be7e1be151e

SHA1
138ad810a0dfc8216ea5f71b1d2e00f667dc3b16

SHA256
cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

SHA512
d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Download Submit
\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
MD5
296474dfc42b6c053f354be7e1be151e

SHA1
138ad810a0dfc8216ea5f71b1d2e00f667dc3b16

SHA256
cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

SHA512
d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Download Submit
memory/320-81-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/320-76-0x0000000000000000-mapping.dmp

Download
memory/552-64-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/552-63-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/552-62-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/552-61-0x0000000000000000-mapping.dmp

Download
memory/784-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/900-73-0x0000000000000000-mapping.dmp

Download
memory/1052-79-0x0000000000000000-mapping.dmp

Download
memory/1072-80-0x0000000000000000-mapping.dmp

Download
memory/1392-70-0x0000000000000000-mapping.dmp

Download
memory/1648-68-0x0000000000000000-mapping.dmp

Download
memory/1800-65-0x0000000000000000-mapping.dmp

Download
memory/1800-67-0x0000000074281000-0x0000000074283000-memory.dmp

Filesize
8KB

Download
memory/1800-69-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads