qakbot | 254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

General

Target

test.test.dll
Size

429KB
MD5

31b892a30bff1fcc03495e42ea72474b
SHA1

a9a4cf6e38166c1d1d1f0347369115364b5bf165
SHA256

254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51
SHA512

f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

432 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1472 schtasks.exe

pid	process
432	regsvr32.exe

pid	process
1472	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\f9e0a53a = 054377fda07636fb192bb764b86c565d8fc8e86ef0cdfab95572efcbab61048b5005e74837587ed15626b772bff7c102ba	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\86a9cacc = 84d23a44ce7d9f4194dfe57c0ea75426a176ea5884b13eb3b07cec8cc36f82230924c514e9d776767cde2fd12655aa938b9825b4d6d395ed1a8cd75b015f5284367e37ed15b240d04c75cea01644b3e9b386840dc5791c5fe1ec4e08524b3d73	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\3e15ada9 = e9895d132c8bcabbee9fd22e2904ff6168938051753a7531ac17f399cee62f7dc211bcaf954d35066d8ac1821b1dc038dd1dc480405016d65faa3c4998fc8b2208479b0b191f304a56d978bdea57dd9312f3379a26a8fe3edaf65a33f5107f3d2da033007f1414365bca7bc5ec90ca26860e98e8ab0b72c473ef02dc06649dcfe3a73c53bbbcfa5b8c7befdecc93968ad1d7fde120363fa8fb1567bb199011ff1db3470dcee0145b36981a728d520e627ce98b09dd5366c6285c7d9cf43336157762d2b92f8b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\3c548dd5 = 61ddac1380bb235d84c7752880b86e9e9100477d3771b431109a5c6cfff8a9c75ead4041c67f5b24a90b78c87d6f21f9e941ea99decd9ab298e4844dde9923f816fe5eb6a1feec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\84e8eab0 = c2863baec4373cabcc66a17cc76d3a9e9a16ed0b0c811b6fc3895583784d0cf61b688782411bf7eee41fddaa306b50db34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\415cc25f = 061e66cd6189a7518ef6ccbf5bf9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\74c31211 = d788157065028e02fd121cdb4cacb1b676c884870b8e6c7fddf870c12b3583e7b97680879b0e23	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\b8a7de7 = 984331348378c974a4d7c478250cc2d7db6dda3b00ba721d47f8ca122bff9979c19636b6a68e33fe	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ajryrdflo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\b8a7de7 = 984326348378fccbb71c4dac6af9acf6d17a85	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1476 rundll32.exe
432 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1476 rundll32.exe
432 regsvr32.exe

pid	process
1476	rundll32.exe
432	regsvr32.exe

pid	process
1476	rundll32.exe
432	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 964 wrote to memory of 1472	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1472	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1472	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1472	964	explorer.exe	schtasks.exe
PID 1804 wrote to memory of 1556	1804	taskeng.exe	regsvr32.exe
PID 1804 wrote to memory of 1556	1804	taskeng.exe	regsvr32.exe
PID 1804 wrote to memory of 1556	1804	taskeng.exe	regsvr32.exe
PID 1804 wrote to memory of 1556	1804	taskeng.exe	regsvr32.exe
PID 1804 wrote to memory of 1556	1804	taskeng.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 1556 wrote to memory of 432	1556	regsvr32.exe	regsvr32.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 1672	432	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 1280	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1280	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1280	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1280	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1172	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1172	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1172	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1172	1672	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ayefjzquc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 13:09 /ET 13:21
4⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\taskeng.exe
taskeng.exe {064F8576-E44F-434D-A451-9D5DDE04D680} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bujdjfatf" /d "0"
5⤵
PID:1280

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nisbagjblpw" /d "0"
5⤵
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
31b892a30bff1fcc03495e42ea72474b

SHA1
a9a4cf6e38166c1d1d1f0347369115364b5bf165

SHA256
254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

SHA512
f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Download Submit
\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
31b892a30bff1fcc03495e42ea72474b

SHA1
a9a4cf6e38166c1d1d1f0347369115364b5bf165

SHA256
254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

SHA512
f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Download Submit
memory/432-76-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/432-71-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/432-67-0x0000000000000000-mapping.dmp

Download
memory/964-58-0x0000000000000000-mapping.dmp

Download
memory/964-63-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/964-60-0x0000000074501000-0x0000000074503000-memory.dmp

Filesize
8KB

Download
memory/1172-78-0x0000000000000000-mapping.dmp

Download
memory/1280-75-0x0000000000000000-mapping.dmp

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1476-62-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1476-54-0x0000000000000000-mapping.dmp

Download
memory/1476-57-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1476-56-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1476-55-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1556-65-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

Filesize
8KB

Download
memory/1556-64-0x0000000000000000-mapping.dmp

Download
memory/1672-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1672-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads