qakbot | 6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd

General

Target

687550f98527483a1c49ab185a2105ea.dll
Size

471KB
MD5

687550f98527483a1c49ab185a2105ea
SHA1

42d0db4cdc64e1fc2e57025f031f285cf0ba45a3
SHA256

6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd
SHA512

2b92d4cb037c0a6dd6855819d8e44ec036bc3fac71d7c2ee537bb6dfe907888b69b97958ebaa7b102e473f76ce6d1811ce090fb1e7ab38c18d2b1c6098403fc5

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

804 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe

pid	process
804	regsvr32.exe

pid	process
2796	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\1fe910ba = 268396774f53c50dda7a4b271e82f20dce0d15de0656c21b44db735c19cd9d533eae7629874d39d62518da72f3ab1e24a2cb28cfd4ed77bfa3fd52a87d77e0cd13a20e8db839f929e7ccd35448fa3329dc63601fe2c5a8fb6b477f0a85e64cbb19d5f855f4ddbcd32ff0c79c4131d477707f49237765efda5485ff9f64f52e948a2a816d935178563aeca56e9c0785a72512d9786623e72db11ffc06528e7b88a9dd803d95619ca1d4caf70776fede8b63df	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\a75577df = 7630f6e8de43dc3b9c8d079f2498f446fc419d2c83c0dec9e34710607499a8ea820765488c1f092e8a6a351193077c5354d8ef72557197e70b49bf848cd3a22be5c7b44a037c62be0b03d234a22a2694b49d758248539885ebf7ed6a63bfab3be4dbb6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\553faf02 = fbadfe41cac182d411aba38c3f2339fcf6f7238c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\2a76c0f4 = d4279129e21ead4c2771750bc0eaa6b030aad1663c6e25e1b07946d09007c0babac78c3886f18f1b44e58f27f0450113a607e4dd685a0d6e056cff79263643c246117db920a59b774ad5244336363f2d809d472a5bc8732849e7766a690624a2ecacf9e91437040f6ab628022499dbd52466d28355348e887c97cb0b3db9bf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\2a76c0f4 = d4278629e21e986192b7c5906a69e54cb35ccce4042bbb9f08c4a21389dc218ed54ff9e5c2ecb99b7bee992cfa85abe4f21e6681d97c7fa86af8da529f642d7c63544fa0c5f6cb4965f2490928dc8204e38a30fdc8a5baea1c28fd42063d768de4420d49ef32bb553e0a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\1da830c6 = 215bc0c4bc8691d1a88058c75bfed6e5ddf35f686a1b6638fb93e66d51fc5ff315c4d0859d9fcbfa18c085d871ee1bc57ecb80dc9ed7949e0fb14a359441cb5a3afae77881333a735026970cee042b28ab0e80f3d2d09bda967bdd4a92aa9f9d1413425076	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\a51457a3 = 07b8ec99db7de056930ee89a661327fc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\d81c1829 = 5452333cf35a4b00a2b4aa97260ed9c59197d6b1f3dd588db3a077d8ec138841e8f176131a503df2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Eybymwair\60a07f4c = 0a5292e1bd95e457e0002a26f6af2247396744ef64dbdf5bc84647ef059afec665b2dca067c26f31f134f4cc1dacf12595f60f948a0013fa1913bfffc8e6ad463f4a5e34402044c3692123a6c57c555d6728aa8139d8dbcf2e7e69534168e62067021f9b385c4c6a9ac1f08ea80c368296	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

808 rundll32.exe
808 rundll32.exe
804 regsvr32.exe
804 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

808 rundll32.exe
804 regsvr32.exe

pid	process
808	rundll32.exe
808	rundll32.exe
804	regsvr32.exe
804	regsvr32.exe

pid	process
808	rundll32.exe
804	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 652 wrote to memory of 808	652	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 808	652	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 808	652	rundll32.exe	rundll32.exe
PID 808 wrote to memory of 2484	808	rundll32.exe	explorer.exe
PID 808 wrote to memory of 2484	808	rundll32.exe	explorer.exe
PID 808 wrote to memory of 2484	808	rundll32.exe	explorer.exe
PID 808 wrote to memory of 2484	808	rundll32.exe	explorer.exe
PID 808 wrote to memory of 2484	808	rundll32.exe	explorer.exe
PID 2484 wrote to memory of 2796	2484	explorer.exe	schtasks.exe
PID 2484 wrote to memory of 2796	2484	explorer.exe	schtasks.exe
PID 2484 wrote to memory of 2796	2484	explorer.exe	schtasks.exe
PID 3744 wrote to memory of 804	3744	regsvr32.exe	regsvr32.exe
PID 3744 wrote to memory of 804	3744	regsvr32.exe	regsvr32.exe
PID 3744 wrote to memory of 804	3744	regsvr32.exe	regsvr32.exe
PID 804 wrote to memory of 3292	804	regsvr32.exe	explorer.exe
PID 804 wrote to memory of 3292	804	regsvr32.exe	explorer.exe
PID 804 wrote to memory of 3292	804	regsvr32.exe	explorer.exe
PID 804 wrote to memory of 3292	804	regsvr32.exe	explorer.exe
PID 804 wrote to memory of 3292	804	regsvr32.exe	explorer.exe
PID 3292 wrote to memory of 3488	3292	explorer.exe	reg.exe
PID 3292 wrote to memory of 3488	3292	explorer.exe	reg.exe
PID 3292 wrote to memory of 2084	3292	explorer.exe	reg.exe
PID 3292 wrote to memory of 2084	3292	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn evmtacmnpv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll\"" /SC ONCE /Z /ST 17:20 /ET 17:32
4⤵
- Creates scheduled task(s)
PID:2796

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gpbsfrrbwhd" /d "0"
4⤵
PID:3488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qgsiuf" /d "0"
4⤵
PID:2084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll
MD5
687550f98527483a1c49ab185a2105ea

SHA1
42d0db4cdc64e1fc2e57025f031f285cf0ba45a3

SHA256
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd

SHA512
2b92d4cb037c0a6dd6855819d8e44ec036bc3fac71d7c2ee537bb6dfe907888b69b97958ebaa7b102e473f76ce6d1811ce090fb1e7ab38c18d2b1c6098403fc5

Download Submit
\Users\Admin\AppData\Local\Temp\687550f98527483a1c49ab185a2105ea.dll
MD5
687550f98527483a1c49ab185a2105ea

SHA1
42d0db4cdc64e1fc2e57025f031f285cf0ba45a3

SHA256
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd

SHA512
2b92d4cb037c0a6dd6855819d8e44ec036bc3fac71d7c2ee537bb6dfe907888b69b97958ebaa7b102e473f76ce6d1811ce090fb1e7ab38c18d2b1c6098403fc5

Download Submit
memory/804-127-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/804-128-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/804-124-0x0000000000000000-mapping.dmp

Download
memory/808-116-0x0000000010000000-0x0000000010081000-memory.dmp

Filesize
516KB

Download
memory/808-115-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/808-117-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/808-114-0x0000000000000000-mapping.dmp

Download
memory/2084-131-0x0000000000000000-mapping.dmp

Download
memory/2484-118-0x0000000000000000-mapping.dmp

Download
memory/2484-122-0x00000000030A0000-0x00000000030C1000-memory.dmp

Filesize
132KB

Download
memory/2796-119-0x0000000000000000-mapping.dmp

Download
memory/3292-129-0x0000000000000000-mapping.dmp

Download
memory/3292-134-0x0000000002F20000-0x0000000002F41000-memory.dmp

Filesize
132KB

Download
memory/3488-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads