qakbot | 3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f

General

Target

3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll
Size

436KB
MD5

e5db9f07346ea0649a769c3649847f09
SHA1

23e451605d5d61ef5333a52e984dc3e78670aea0
SHA256

3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f
SHA512

027c84e5d037fe7502498f5c51bd1bb873138c73b9d8fba8fd27d318ae255a48e15e48e07c80d0494193c3c8ab971e1c0b33a263b0e5d94fd6d1336a11d1533a

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

516 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2784 schtasks.exe

pid	process
516	regsvr32.exe

pid	process
2784	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\9bb55306 = df96f936982fbb327fa0d0913d3b0cf0d8a5fda2bef507af31237482f03cf42a6fa17fbe56e5b56de0b5353d67f7a2b4bff488a3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\ae2a8348 = e26be3d47b099fe82ab45ec862860c89f9f7ec6fb66629e5fc50d1e507af8360222c02f16cf5ba1417179c65ea81ad99f58e71344700ed20c7f1ea9ee9c91c525f80a21450f3cb0f14af6a40550b12e6d97978de9edf7a43814692a767cab64d409daf2af89dd7c7eae1d42d9a334c63602652c04f9348873e27de2ae69dd02d653734c4573c2371b5ce8de26d4bf9ea84d370414657acb51bb0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\69df8bdb = d6f066cf5183d2f8e0c9ca5219e193fad05603b6e50cbb8f5ff385aa561e3e905905c565cc293cbf000e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\d163ecbe = 0b489b390c4a1d041c2f2c911ca157032ba0ed5b7214e0bcf7e26f3033a730971fae3cc1187c5bb0f19f56d2ee55b705e4feb5bb77b64523d563140fb45a5d2401d9eb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\1696e42d = 153a4ffca59320c72036526988f634741b5b811b1115091a44e3c131678638e8664afb0e6ce4d039b7b39fed78384b8c2dad1a6199d7441fbca2edb1972784cf5565f95a54de36e1bf0f8ab6017fea4df69ad2078b59ff53f482090a	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\ac6ba334 = dc84210ef9d5a38bd88b36afcf45b75c8bd8b6d84d29cc53fe5cc40a930fbd0bd8957dcb007e27128c5254bcba1da1f3be73d98e41	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\14d7c451 = dd327c09b5d8d7a4d184a4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\e4fc3cf0 = adb4abefa3fd15b92e8c46aa45b902b1a80b10660f38a7f74961cc7ab1105527b2407134a51e726b908725c488f250b1f9229eee4b3b669fb6379dd1e95c389d7eee469fc5d025d378f0a896cb49751eddc9e39f2465dd78c3ed7d9c0f99095f7e7f670b6e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qykvojibfdwa\9bb55306 = df96ee36982f8edd07073015b9deb7870d859f64bc6ae5c4b90f312ec26bcd8265ace2a3f4dfbb57c04bf6876474e02bec3bc8e24319a71f73e5aaba509ca75a1f2a826381e70ad742	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2360 rundll32.exe
2360 rundll32.exe
516 regsvr32.exe
516 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2360 rundll32.exe
516 regsvr32.exe

pid	process
2360	rundll32.exe
2360	rundll32.exe
516	regsvr32.exe
516	regsvr32.exe

pid	process
2360	rundll32.exe
516	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2208 wrote to memory of 2360	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2360	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2360	2208	rundll32.exe	rundll32.exe
PID 2360 wrote to memory of 2736	2360	rundll32.exe	explorer.exe
PID 2360 wrote to memory of 2736	2360	rundll32.exe	explorer.exe
PID 2360 wrote to memory of 2736	2360	rundll32.exe	explorer.exe
PID 2360 wrote to memory of 2736	2360	rundll32.exe	explorer.exe
PID 2360 wrote to memory of 2736	2360	rundll32.exe	explorer.exe
PID 2736 wrote to memory of 2784	2736	explorer.exe	schtasks.exe
PID 2736 wrote to memory of 2784	2736	explorer.exe	schtasks.exe
PID 2736 wrote to memory of 2784	2736	explorer.exe	schtasks.exe
PID 3284 wrote to memory of 516	3284	regsvr32.exe	regsvr32.exe
PID 3284 wrote to memory of 516	3284	regsvr32.exe	regsvr32.exe
PID 3284 wrote to memory of 516	3284	regsvr32.exe	regsvr32.exe
PID 516 wrote to memory of 420	516	regsvr32.exe	explorer.exe
PID 516 wrote to memory of 420	516	regsvr32.exe	explorer.exe
PID 516 wrote to memory of 420	516	regsvr32.exe	explorer.exe
PID 516 wrote to memory of 420	516	regsvr32.exe	explorer.exe
PID 516 wrote to memory of 420	516	regsvr32.exe	explorer.exe
PID 420 wrote to memory of 1396	420	explorer.exe	reg.exe
PID 420 wrote to memory of 1396	420	explorer.exe	reg.exe
PID 420 wrote to memory of 656	420	explorer.exe	reg.exe
PID 420 wrote to memory of 656	420	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mbhnkda /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll\"" /SC ONCE /Z /ST 12:54 /ET 13:06
4⤵
- Creates scheduled task(s)
PID:2784

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gthokgzfynrs" /d "0"
4⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Wigowo" /d "0"
4⤵
PID:656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll
MD5
e5db9f07346ea0649a769c3649847f09

SHA1
23e451605d5d61ef5333a52e984dc3e78670aea0

SHA256
3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f

SHA512
027c84e5d037fe7502498f5c51bd1bb873138c73b9d8fba8fd27d318ae255a48e15e48e07c80d0494193c3c8ab971e1c0b33a263b0e5d94fd6d1336a11d1533a

Download Submit
\Users\Admin\AppData\Local\Temp\3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f.dll
MD5
e5db9f07346ea0649a769c3649847f09

SHA1
23e451605d5d61ef5333a52e984dc3e78670aea0

SHA256
3db836aa01204f3f894360b086384595b480b8c45472f97214d1676091851c9f

SHA512
027c84e5d037fe7502498f5c51bd1bb873138c73b9d8fba8fd27d318ae255a48e15e48e07c80d0494193c3c8ab971e1c0b33a263b0e5d94fd6d1336a11d1533a

Download Submit
memory/420-135-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/420-130-0x0000000000000000-mapping.dmp

Download
memory/516-125-0x0000000000000000-mapping.dmp

Download
memory/516-128-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/516-129-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/656-132-0x0000000000000000-mapping.dmp

Download
memory/1396-131-0x0000000000000000-mapping.dmp

Download
memory/2360-115-0x0000000000000000-mapping.dmp

Download
memory/2360-118-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2360-116-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2360-117-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2736-123-0x0000000000600000-0x0000000000621000-memory.dmp

Filesize
132KB

Download
memory/2736-119-0x0000000000000000-mapping.dmp

Download
memory/2784-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads