qakbot | 12c388d2d4af3d8303e0fcf7136164317130cfb294c961f88f6cf4641c4f074a

General

Target

51a16a2cbdecb0c89ba2fb698f2b528a.dll
Size

455KB
MD5

51a16a2cbdecb0c89ba2fb698f2b528a
SHA1

3847808fdaae384edc6ad20312fc22d67ff21cd3
SHA256

12c388d2d4af3d8303e0fcf7136164317130cfb294c961f88f6cf4641c4f074a
SHA512

96fa9197bf390789cf233859448bde0afcb95c67263e0e34584b232e9b90807f18c8469ca3ddbbb40d202335725a56b9c21091c8a192ea9a75470cb7b0aebea6

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1932 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe

pid	process
1932	regsvr32.exe

pid	process
1608	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\529e7fd1 = ffe8eb29b6cd8fd9112d6f8c5a5a03ea8924bcbe0dbec566dab109ad29	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\2f96305b = ec4ab7311ccee3f2d99d958155387220c26ba8fa49f766542f735efbfa2e7a76a6a46b057fc5602bb052b0864899519d14fddb5628457ccd4986ad407f1857d0aa64bf1d50cac56c4f73b15f2719ec167a1449c95d099734078d9f9c8bf7dc00b9e0a8e8b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\972a573e = c1c9650e44b6467355928140bab19e0ae36601f038143b66b09d38b0d300b9831344a7ec9da74e4c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\50df5fad = eb63819aadf04e4fe52af9976c2ff6ada0e40db75ab3d5e70ba6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\a2b58770 = 6ee7bb11953ba8083beda7422732da9f5fea8cd78d70e8eff487338d1ba45427b67a9e001e4140ef38c91e1fb1980e3c01bab4777dcba2b22f1d4f266047b0b8acb5c41b5e40cfb131a1b73263ca8bd1d930eaa7927e9cd667be02bd742f12baa50e5e2d86c93244685a19b60e15cb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\e86338c8 = 02e2bfd5d5abd904be23051ff56c0e63538510d4278f89a75be6aec09c9511347e72f7582b1bdd5393e3f4f00088904bc7e8576169e3461251e367323b4f36486cca2f500c58d2dc26107e1d735e27eb3831ccccbedff06f1bbe920bf9ca36509289925243e2b67ea3d81b73d52535b39e475a16a3684757e36dae4a879b894f4347626e47fbfbd1d884e77bfc1a991cfcee96399029e234582dd8b0fa06536b4d735f83e2559be9fb493eb097ad6ec924ddb279dd04b0fbb3ad4ade79dd34e3cdc0f80bc0c1ba054b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ddfce886 = 3ff722aedfb345371bc5f5e05c0b4920a3043ab92c0f944dee28c3e5371d3d29c3dcde604348ada5e425a606b5ae0c9976b2b6bf13	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ea2218b4 = a192f1565c331fb4cf6c7f6ad1387d5c99d0d1548f7ca7ed8eef495877d1a42f5ef0dc68f6de991972eb495307ee9367ea8465eb134a84086e4b131f2384d879b0b83c79336ffd4deed9c714b91a12692b751b36ce3b143c24	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ddfce886 = 3ff735aedfb3708ad8f0c4328a7650b3addd084753052f8f575251f7d7c6f7dbcaef449de35a3bcb8110867b82d3ae7b0c737c7f49653e4aa4edab5e5ae26aa77d41ca82c54a5abdb43d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1984 rundll32.exe
1932 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1984 rundll32.exe
1932 regsvr32.exe

pid	process
1984	rundll32.exe
1932	regsvr32.exe

pid	process
1984	rundll32.exe
1932	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1984	2008	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1984 wrote to memory of 1464	1984	rundll32.exe	explorer.exe
PID 1464 wrote to memory of 1608	1464	explorer.exe	schtasks.exe
PID 1464 wrote to memory of 1608	1464	explorer.exe	schtasks.exe
PID 1464 wrote to memory of 1608	1464	explorer.exe	schtasks.exe
PID 1464 wrote to memory of 1608	1464	explorer.exe	schtasks.exe
PID 684 wrote to memory of 1760	684	taskeng.exe	regsvr32.exe
PID 684 wrote to memory of 1760	684	taskeng.exe	regsvr32.exe
PID 684 wrote to memory of 1760	684	taskeng.exe	regsvr32.exe
PID 684 wrote to memory of 1760	684	taskeng.exe	regsvr32.exe
PID 684 wrote to memory of 1760	684	taskeng.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 1932	1760	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 1932 wrote to memory of 952	1932	regsvr32.exe	explorer.exe
PID 952 wrote to memory of 1052	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1052	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1052	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1052	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1192	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1192	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1192	952	explorer.exe	reg.exe
PID 952 wrote to memory of 1192	952	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yhiwqtvdbp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll\"" /SC ONCE /Z /ST 16:14 /ET 16:26
4⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\taskeng.exe
taskeng.exe {A7B46E8F-9163-4185-A22C-96044B074E05} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Swfwujfizsn" /d "0"
5⤵
PID:1052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Kpmguj" /d "0"
5⤵
PID:1192

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll
MD5
51a16a2cbdecb0c89ba2fb698f2b528a

SHA1
3847808fdaae384edc6ad20312fc22d67ff21cd3

SHA256
12c388d2d4af3d8303e0fcf7136164317130cfb294c961f88f6cf4641c4f074a

SHA512
96fa9197bf390789cf233859448bde0afcb95c67263e0e34584b232e9b90807f18c8469ca3ddbbb40d202335725a56b9c21091c8a192ea9a75470cb7b0aebea6

Download Submit
\Users\Admin\AppData\Local\Temp\51a16a2cbdecb0c89ba2fb698f2b528a.dll
MD5
51a16a2cbdecb0c89ba2fb698f2b528a

SHA1
3847808fdaae384edc6ad20312fc22d67ff21cd3

SHA256
12c388d2d4af3d8303e0fcf7136164317130cfb294c961f88f6cf4641c4f074a

SHA512
96fa9197bf390789cf233859448bde0afcb95c67263e0e34584b232e9b90807f18c8469ca3ddbbb40d202335725a56b9c21091c8a192ea9a75470cb7b0aebea6

Download Submit
memory/952-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/952-72-0x0000000000000000-mapping.dmp

Download
memory/1052-75-0x0000000000000000-mapping.dmp

Download
memory/1192-76-0x0000000000000000-mapping.dmp

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download
memory/1464-60-0x0000000074591000-0x0000000074593000-memory.dmp

Filesize
8KB

Download
memory/1464-62-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1608-61-0x0000000000000000-mapping.dmp

Download
memory/1760-64-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1760-63-0x0000000000000000-mapping.dmp

Download
memory/1932-66-0x0000000000000000-mapping.dmp

Download
memory/1932-70-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1932-71-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1984-53-0x0000000000000000-mapping.dmp

Download
memory/1984-57-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1984-55-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1984-56-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1984-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads