qakbot | cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

General

Target

296474dfc42b6c053f354be7e1be151e.exe.dll
Size

327KB
MD5

296474dfc42b6c053f354be7e1be151e
SHA1

138ad810a0dfc8216ea5f71b1d2e00f667dc3b16
SHA256

cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4
SHA512

d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2580 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2728 schtasks.exe

pid	process
2580	regsvr32.exe

pid	process
2728	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\d1661114 = 76edf932f3a945c2c8115e4c81c91e168e3c47f78d7b80857d024fd8eda0203d137cc4439f80ade4c0de743de66c2ec761f659fbd725d18a6eb13dfe89f77ab361abd98d53ce072e2a27ceebd040	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\e4f9c15a = c8aea755167ce95bf55564c6c7370dae9692429c2b94736f555a5caaf2b1a5c8ca551594e26f1b140df289840ccea7e61aba1eabe3158459848345e99664bd5bc3025a0a7bf35baca9a2780a2e24c5e9aa7e034c152c139965871e87fc033e5be09be87da8ae6d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\230cc9c9 = 3bb012bc0662e572898316922cf6dec612a4c2c251c14e60bd166b5e32cfeb5acf1cb76e70d3e257de981cf082924ce8b876bdacf7038bcc52afaa6b50086397b4d108dd632a53857f7b425372ac3b7f6ac31486af02ece67d124b0d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\9bb0aeac = 2a4a963f342dbc93e3b0d344c1722d332084d2766572c00ffaa05d0a385912c48f3da03c429f62dfaa2fcbf991e7aa30eefe5b8182d73d4e3fd410e1e2eb8255c4da7ed02170f2adc6ec3881f85f210d35443ad12cb40345ed3184ee01a74abc37185b5c1472af2e2873cd3f916260c683	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\ae2f7ee2 = c596f6588bd652c8d7c3aef0af525b23e6be41cca4d9462803b806b04f4be9531d02d267be0faec4eb874d6248ea8ada24b2f34d79968db71c7f21e6e922f3843676d476bca6f25aeaba2e079a31c858f72e079dc53c357b4a49550eda7d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\5e048643 = 109efbd1143e7e82d2544720ae1678213ea61ab0830dc8b0f31dcca06883518c3b7a4d5acef6f86c7ef92871a5a319d2c73814d95fae176e768596687b05157897cefe6b6483f0eede56fb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\5c45a63f = c138b0f921cd12fd82bcffa35cc5ac91a4bd5a3f7c049ba91678f381ef4ca3417107fa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\d1661114 = 76edee32f3a970f90ab1f89792e5cc2618cbacaede8a92b7efa877707240d6f55252d2daa43c42c93672e1ac249154772e4ead8fd1f29ae09d0e98edb8fd1b215bd110ef59a79c4df28e9a00b97eb46aa2fd1173420c23ba0bebb42ecceb2164a06a84	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vhrygiyvwfo\e6b8e126 = d62ef408f17797277855be96e27720b73cab	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2284 regsvr32.exe
2284 regsvr32.exe
2580 regsvr32.exe
2580 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2284 regsvr32.exe
2580 regsvr32.exe

pid	process
2284	regsvr32.exe
2284	regsvr32.exe
2580	regsvr32.exe
2580	regsvr32.exe

pid	process
2284	regsvr32.exe
2580	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2212 wrote to memory of 2284	2212	regsvr32.exe	regsvr32.exe
PID 2212 wrote to memory of 2284	2212	regsvr32.exe	regsvr32.exe
PID 2212 wrote to memory of 2284	2212	regsvr32.exe	regsvr32.exe
PID 2284 wrote to memory of 2524	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 2524	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 2524	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 2524	2284	regsvr32.exe	explorer.exe
PID 2284 wrote to memory of 2524	2284	regsvr32.exe	explorer.exe
PID 2524 wrote to memory of 2728	2524	explorer.exe	schtasks.exe
PID 2524 wrote to memory of 2728	2524	explorer.exe	schtasks.exe
PID 2524 wrote to memory of 2728	2524	explorer.exe	schtasks.exe
PID 3804 wrote to memory of 2580	3804	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 2580	3804	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 2580	3804	regsvr32.exe	regsvr32.exe
PID 2580 wrote to memory of 520	2580	regsvr32.exe	explorer.exe
PID 2580 wrote to memory of 520	2580	regsvr32.exe	explorer.exe
PID 2580 wrote to memory of 520	2580	regsvr32.exe	explorer.exe
PID 2580 wrote to memory of 520	2580	regsvr32.exe	explorer.exe
PID 2580 wrote to memory of 520	2580	regsvr32.exe	explorer.exe
PID 520 wrote to memory of 1084	520	explorer.exe	reg.exe
PID 520 wrote to memory of 1084	520	explorer.exe	reg.exe
PID 520 wrote to memory of 1064	520	explorer.exe	reg.exe
PID 520 wrote to memory of 1064	520	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bejaqtd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll\"" /SC ONCE /Z /ST 15:12 /ET 15:24
4⤵
- Creates scheduled task(s)
PID:2728

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Qmvfeaes" /d "0"
4⤵
PID:1084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uquxhygya" /d "0"
4⤵
PID:1064

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
MD5
296474dfc42b6c053f354be7e1be151e

SHA1
138ad810a0dfc8216ea5f71b1d2e00f667dc3b16

SHA256
cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

SHA512
d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Download Submit
\Users\Admin\AppData\Local\Temp\296474dfc42b6c053f354be7e1be151e.exe.dll
MD5
296474dfc42b6c053f354be7e1be151e

SHA1
138ad810a0dfc8216ea5f71b1d2e00f667dc3b16

SHA256
cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4

SHA512
d7750203a565bdb6f11b52aaee117e662f1ae0bd2ef505537a04cdd5b6a39a222f3f3591bf879809acd082527bc291cb139ec37a41355228bafb1502830308a3

Download Submit
memory/520-127-0x0000000000000000-mapping.dmp

Download
memory/520-132-0x0000000000C10000-0x0000000000C31000-memory.dmp

Filesize
132KB

Download
memory/1064-129-0x0000000000000000-mapping.dmp

Download
memory/1084-128-0x0000000000000000-mapping.dmp

Download
memory/2284-116-0x00000000030B0000-0x00000000031FA000-memory.dmp

Filesize
1.3MB

Download
memory/2284-117-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/2284-115-0x0000000000000000-mapping.dmp

Download
memory/2524-118-0x0000000000000000-mapping.dmp

Download
memory/2524-122-0x00000000031A0000-0x00000000031C1000-memory.dmp

Filesize
132KB

Download
memory/2580-126-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2580-124-0x0000000000000000-mapping.dmp

Download
memory/2728-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads