qakbot | 254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

General

Target

test.test.dll
Size

429KB
MD5

31b892a30bff1fcc03495e42ea72474b
SHA1

a9a4cf6e38166c1d1d1f0347369115364b5bf165
SHA256

254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51
SHA512

f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3268 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2540 schtasks.exe

pid	process
3268	regsvr32.exe

pid	process
2540	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\ef6f57b8 = b1729a8af25ef3928e936c1a14ceaf6cf255f4734cd65fa19a06f2ce1a67cc765f9325ba8ee1e1ae23a138b5796c6e9deacaf3f0f9d7360f892f99fba5b55d9cfe96dda98f962efccd69ee826f4b55cc8d9396618f9d5835a3ec8f865894fe73dd5385811172c11811	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\ef6f57b8 = b1728d8af25ec64985e90c42ffffb27c4cd824d7a31802993b46e548bacc7b92a722d50d3bf62b9ae6b77692820a4ba5bc9f98d23481ff1ac64a3136793a658492606fda67fdcb7a10b853d73a39d850af4937b2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\d8b1a78a = 2398db4bb86ff967b7f5ec9a01ce04e81ad219ee73db3edd622b11be842a1c5d80854e0c91970ce1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\600dc0ef = 522a14d49a8a0aa151e5f708cd19fdd0d512afd7d868c79da788ff7891ddc67b2423068e2c7700e8fa9831f5a8d6d83c4a0365fe8815aa9718ed70d14c2aa0da0bee981297b5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\1d058f65 = 6462ba9ce3b31e006572d22acb4d0de55cc47b9b3085fd63235c67f93fb422e9bbd542b3a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\daf087f6 = 5e7745cdf9f5531383ecfc60a25ef7a9873286c4a38cd902ea1bca3901e5ff7ee281b0a2ba1e1cb634dde4cc5102faf123c462ea48f6bc8ff84954cd03e796ecfc4ea673dd6bbb490d402e3742cd257e22064fec183db6f15a277e2798b7d5dcf931eebfe7a17dfae05d62e253d4cbb97c9358f297da4d95296b761236ce78747eb57ee2eb083ec682f2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\a5b9e800 = 99ccc5aa50f6397e8f5d80b68906255c97143667ad0fa20d829b3945565d735ceda55da6faea8940d2da7e2d64	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\624ce093 = ae77a5582b02605c04c7697b6ce0da53b63db51e8f179e22e498dc42509665ee9c38c59afea09e1cc41849e85cb9541b15099f9c6f8a85bcc39e9644c2df762776aec2ab2c8b10b7303113d35e41ff52a4bdf56ff7bc98bc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pfxpumzywwyv\9026384e = 50a2ad449e4f95d61908de0a8dff7bd2205c0b8b4b33eaf3df808460a7a09c01b027f0ec23dfef9c7f3946337d064303d483d3f8bed546f8d707b2	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
836 rundll32.exe
3268 regsvr32.exe
3268 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
3268 regsvr32.exe

pid	process
836	rundll32.exe
836	rundll32.exe
3268	regsvr32.exe
3268	regsvr32.exe

pid	process
836	rundll32.exe
3268	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 2372	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2372	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2372	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2372	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2372	836	rundll32.exe	explorer.exe
PID 2372 wrote to memory of 2540	2372	explorer.exe	schtasks.exe
PID 2372 wrote to memory of 2540	2372	explorer.exe	schtasks.exe
PID 2372 wrote to memory of 2540	2372	explorer.exe	schtasks.exe
PID 2864 wrote to memory of 3268	2864	regsvr32.exe	regsvr32.exe
PID 2864 wrote to memory of 3268	2864	regsvr32.exe	regsvr32.exe
PID 2864 wrote to memory of 3268	2864	regsvr32.exe	regsvr32.exe
PID 3268 wrote to memory of 2088	3268	regsvr32.exe	explorer.exe
PID 3268 wrote to memory of 2088	3268	regsvr32.exe	explorer.exe
PID 3268 wrote to memory of 2088	3268	regsvr32.exe	explorer.exe
PID 3268 wrote to memory of 2088	3268	regsvr32.exe	explorer.exe
PID 3268 wrote to memory of 2088	3268	regsvr32.exe	explorer.exe
PID 2088 wrote to memory of 3476	2088	explorer.exe	reg.exe
PID 2088 wrote to memory of 3476	2088	explorer.exe	reg.exe
PID 2088 wrote to memory of 784	2088	explorer.exe	reg.exe
PID 2088 wrote to memory of 784	2088	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zzngevhjb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 15:09 /ET 15:21
4⤵
- Creates scheduled task(s)
PID:2540

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cvrfe" /d "0"
4⤵
PID:3476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Kwyrexoc" /d "0"
4⤵
PID:784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
31b892a30bff1fcc03495e42ea72474b

SHA1
a9a4cf6e38166c1d1d1f0347369115364b5bf165

SHA256
254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

SHA512
f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Download Submit
\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
31b892a30bff1fcc03495e42ea72474b

SHA1
a9a4cf6e38166c1d1d1f0347369115364b5bf165

SHA256
254c5f9932e879e29f2e15e31e0793178501564657f6cb2a9f936155c3af1d51

SHA512
f4f6a96abae8b23a02fb8f55969d071a343768c23e15e3ccc121797dea078290a7e504555f9a13ea97671933846d9e138ddc538aa1826f9f637d7226330e0042

Download Submit
memory/784-131-0x0000000000000000-mapping.dmp

Download
memory/836-116-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/836-115-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/836-117-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/836-114-0x0000000000000000-mapping.dmp

Download
memory/2088-134-0x0000000002570000-0x0000000002591000-memory.dmp

Filesize
132KB

Download
memory/2088-129-0x0000000000000000-mapping.dmp

Download
memory/2372-118-0x0000000000000000-mapping.dmp

Download
memory/2372-119-0x0000000002570000-0x0000000002591000-memory.dmp

Filesize
132KB

Download
memory/2540-120-0x0000000000000000-mapping.dmp

Download
memory/3268-127-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3268-128-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3268-124-0x0000000000000000-mapping.dmp

Download
memory/3476-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads