qakbot | 3889086935fd4818ec652f34cc8dfde7a071492fe5a50f5b523bdbe9acaa2861

General

Target

613ba8d3c34e8fa5c5a08f998719ee71.dll
Size

431KB
MD5

613ba8d3c34e8fa5c5a08f998719ee71
SHA1

4e28cebb44165de63a14fade2eaab89626bd1efb
SHA256

3889086935fd4818ec652f34cc8dfde7a071492fe5a50f5b523bdbe9acaa2861
SHA512

462af6967004a8a554980442903adc75ef22f205d201f192903645d63f883cefa329104a4d90927360e4b5d8306595157287a520af34ccb683ea0011f73a6746

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1168 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2896 schtasks.exe

pid	process
1168	regsvr32.exe

pid	process
2896	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\6fe19d12 = a58708aa1b306f9680abf30ed1eac291327c9f8fffb628b63d9ed3e89dad800b46a2cfa79c24b9f47707c2afeffe2dad0778b6ab4fa4db3f3d29e734310c00795063a7620407c3de2f0498aac47586c48c0c5a52193e76310be0abcf2dd6d575970152bc55	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\9d8b45cf = d4b57b721818c66e187356642944d4eea21d366311ee69898fa090ceae95d3f2e165bb1a22cbf198e4191a71f8b2e9fdba04436637d44fe38cd6bcf0dd7dde	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\e2c22a39 = 7f109bdd933fa2a9f1b9a45d2a23b419fb4470427202f1af01c8f53b8c4e4d0b28a2d61cc9a6926c8d8e6e42a3dc643cecf7c9f2a64b30c6cf46ada47622486832c7a791e794273aabde439836d7d57e48b805e7eac5c1fd747197b8c26028f4e2f5061433377d4faf6c00a2f476a9b07d2e4ec931a9c1fadc2a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\d75dfa77 = 5ab725e49d7a5903d078da664a8913767e33bc5812f874d2dc8caaba0588fa016c92c3180597924036df29a179a650415d8951686ba3ef12031e8fa7d2d2fd63031a31753693dfe8e2cec47d5049267b2d783fbb5d83b8fafdae193333d101f2d7b0114efddfb8c250a87a74d2cb4ea8533d74b2232bd23bc630bc91b1070c9ab0e5b063b14fe13e345ef92e32b788643043277312aa5a145e34acde3932f8cb776cc1cc29fa3991ab685df6861f66	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\6da0bd6e = 3813c72f277ebf1fcc3fec38b9d93b81c29f00d0e27d8f654d14e2afc80a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\10a8f2e4 = d951b0e0e92ca7ecd185e0ff958000d8d67601c3b9d8c519931364d4437653c2126e7d9a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\a8149581 = 57f97827c259095fd5caacbdc725c7a40499fd6956163b75447f3ce8032163191609d3287b8d2e006996de0063d832c9900194927947ce46eb0b4765b7e92de6b423a9	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\e2c22a39 = 7f108cdd933f97b5afcad0ee41c5dc95a3b5bbfc7ac69af63d49982b5a51be45d99d073614e05e06fce6f02c2b3710d3265da6168805f4d3ef5753234b3f6236e6e99c7bbd3cd24a3a8bede70c2a245b8cc8e4ab747009f3f7d30199199c5f477039cb6942	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yujdashe\d51cda0b = f0602e6ac843961df0119691d6a4	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2112 rundll32.exe
2112 rundll32.exe
1168 regsvr32.exe
1168 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2112 rundll32.exe
1168 regsvr32.exe

pid	process
2112	rundll32.exe
2112	rundll32.exe
1168	regsvr32.exe
1168	regsvr32.exe

pid	process
2112	rundll32.exe
1168	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1752 wrote to memory of 2112	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2112	1752	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 2112	1752	rundll32.exe	rundll32.exe
PID 2112 wrote to memory of 2808	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 2808	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 2808	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 2808	2112	rundll32.exe	explorer.exe
PID 2112 wrote to memory of 2808	2112	rundll32.exe	explorer.exe
PID 2808 wrote to memory of 2896	2808	explorer.exe	schtasks.exe
PID 2808 wrote to memory of 2896	2808	explorer.exe	schtasks.exe
PID 2808 wrote to memory of 2896	2808	explorer.exe	schtasks.exe
PID 1340 wrote to memory of 1168	1340	regsvr32.exe	regsvr32.exe
PID 1340 wrote to memory of 1168	1340	regsvr32.exe	regsvr32.exe
PID 1340 wrote to memory of 1168	1340	regsvr32.exe	regsvr32.exe
PID 1168 wrote to memory of 68	1168	regsvr32.exe	explorer.exe
PID 1168 wrote to memory of 68	1168	regsvr32.exe	explorer.exe
PID 1168 wrote to memory of 68	1168	regsvr32.exe	explorer.exe
PID 1168 wrote to memory of 68	1168	regsvr32.exe	explorer.exe
PID 1168 wrote to memory of 68	1168	regsvr32.exe	explorer.exe
PID 68 wrote to memory of 1472	68	explorer.exe	reg.exe
PID 68 wrote to memory of 1472	68	explorer.exe	reg.exe
PID 68 wrote to memory of 3020	68	explorer.exe	reg.exe
PID 68 wrote to memory of 3020	68	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lsipqxbgp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll\"" /SC ONCE /Z /ST 16:16 /ET 16:28
4⤵
- Creates scheduled task(s)
PID:2896

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vykeoy" /d "0"
4⤵
PID:1472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eulfinzo" /d "0"
4⤵
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll
MD5
613ba8d3c34e8fa5c5a08f998719ee71

SHA1
4e28cebb44165de63a14fade2eaab89626bd1efb

SHA256
3889086935fd4818ec652f34cc8dfde7a071492fe5a50f5b523bdbe9acaa2861

SHA512
462af6967004a8a554980442903adc75ef22f205d201f192903645d63f883cefa329104a4d90927360e4b5d8306595157287a520af34ccb683ea0011f73a6746

Download Submit
\Users\Admin\AppData\Local\Temp\613ba8d3c34e8fa5c5a08f998719ee71.dll
MD5
613ba8d3c34e8fa5c5a08f998719ee71

SHA1
4e28cebb44165de63a14fade2eaab89626bd1efb

SHA256
3889086935fd4818ec652f34cc8dfde7a071492fe5a50f5b523bdbe9acaa2861

SHA512
462af6967004a8a554980442903adc75ef22f205d201f192903645d63f883cefa329104a4d90927360e4b5d8306595157287a520af34ccb683ea0011f73a6746

Download Submit
memory/68-135-0x00000000030B0000-0x00000000030D1000-memory.dmp

Filesize
132KB

Download
memory/68-130-0x0000000000000000-mapping.dmp

Download
memory/1168-125-0x0000000000000000-mapping.dmp

Download
memory/1168-128-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1168-129-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1472-131-0x0000000000000000-mapping.dmp

Download
memory/2112-115-0x0000000000000000-mapping.dmp

Download
memory/2112-117-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2112-118-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2112-116-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2808-123-0x00000000032B0000-0x00000000032D1000-memory.dmp

Filesize
132KB

Download
memory/2808-119-0x0000000000000000-mapping.dmp

Download
memory/2896-120-0x0000000000000000-mapping.dmp

Download
memory/3020-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads