qakbot | 14da506c629f1046dcd6cd3f21080ae8886c15b5027a555c61219aec2911eca8

General

Target

b008ec2be96eda36cbe241413ffcbc96.dll
Size

599KB
MD5

b008ec2be96eda36cbe241413ffcbc96
SHA1

5bce500b0916f0d668ff8dca8564c9195361a48e
SHA256

14da506c629f1046dcd6cd3f21080ae8886c15b5027a555c61219aec2911eca8
SHA512

56ee477d0a107f93dc79b0779ee27a90a730bcc0c9859e2cc456b4663134f944c550c6bf0823ceea053b8f22e728cf68468de854bce683375dcd2ba4b71be6c0

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4480 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3036 schtasks.exe

pid	process
4480	regsvr32.exe

pid	process
3036	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\3889c3e7 = 861ea355a9d19c6f8e58aefa507eb75836a49e6e6080d322c07f2249950b44605423f8ad93f51739c15322f7a919afb790cd59930a373086f8ec145d6ca3707853d91257f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\d1613a9 = 9609f5f69ef729a4fc6a773ac48027633e23fbc55eef1c510cb7e74a3c74484f2de2594ef29c875b4e62f71973c3d8ef49837d2cc2e40336f1eb598d12ba097c48a9507743626c3c917226476555968e7a4151123ef22b1adf22ab6dbf1ac6a01713417677405bc2d574f0ebeb6e0d20d9084a4df8a70e532a21e395d6e7fc9b482bd4738fa710630f71acebcdbe677d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\cae31b3a = 51a4dd537399e0d72a42c6bbeab357ac07a30c49ddb656b4cfbce8af24aabb83341cd410c93102d0d2aaeda5be5e87158880df35c22a60a4914123303258295173d80924f3789c0f555df0a4983209a45594602eab14d5b7bdcdef7b13c9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\b5aa74cc = bd0ab0d1e4ef21b2ae63dcbeedd5de1e481a0ba79de5920a0d33f5665116b31144967a06f85d78e2ddf77ec990c69f4b6fc3c5c1a4c5ce1a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\47c0ac11 = 7b6a82016a3484cf688439ef7c360fd4a59d46b243d0c80db3c8ae0e282190aaed7f50d5e4078c36060c3def66a463fa73acb88eecf7e9e4669013d04a0c358d46874d01c77db49cde81e55a465d7bfeb9253186bfaa333fb09b3415a814a94b170bf5b9840801ccf7090926f8d53132ff	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\3889c3e7 = 861eb455a9d1a927029141d1190e5d156db2bf7ad43f1ad2c83d78cd5a201cc4430f7b0ee23cf55bfa9d602de820473070f23e0c7930f08a4c40122b582beed1f75bf543f8384f019d386dec66744f46b63f6d71dbcde3bea28b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\f5733d5 = dcffa3675525567d9f6c413a1ad0dc7d9acb05be488ae3f40b1cf1ae98db034bfa88e9e905546a7acbc04f7de4604fe56a60af5c522a8a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\b7eb54b0 = bd3a60f96c5884615d3742d3125d6fb2507f071ca7e8cd10dce87e38d31effaca30f2bcb76	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Kigwnxofq\725f7c5f = 3985b679e18f960f52eba39054cdfbf9	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2240 rundll32.exe
2240 rundll32.exe
4480 regsvr32.exe
4480 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2240 rundll32.exe
4480 regsvr32.exe

pid	process
2240	rundll32.exe
2240	rundll32.exe
4480	regsvr32.exe
4480	regsvr32.exe

pid	process
2240	rundll32.exe
4480	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3624 wrote to memory of 2240	3624	rundll32.exe	rundll32.exe
PID 3624 wrote to memory of 2240	3624	rundll32.exe	rundll32.exe
PID 3624 wrote to memory of 2240	3624	rundll32.exe	rundll32.exe
PID 2240 wrote to memory of 4304	2240	rundll32.exe	explorer.exe
PID 2240 wrote to memory of 4304	2240	rundll32.exe	explorer.exe
PID 2240 wrote to memory of 4304	2240	rundll32.exe	explorer.exe
PID 2240 wrote to memory of 4304	2240	rundll32.exe	explorer.exe
PID 2240 wrote to memory of 4304	2240	rundll32.exe	explorer.exe
PID 4304 wrote to memory of 3036	4304	explorer.exe	schtasks.exe
PID 4304 wrote to memory of 3036	4304	explorer.exe	schtasks.exe
PID 4304 wrote to memory of 3036	4304	explorer.exe	schtasks.exe
PID 3964 wrote to memory of 4480	3964	regsvr32.exe	regsvr32.exe
PID 3964 wrote to memory of 4480	3964	regsvr32.exe	regsvr32.exe
PID 3964 wrote to memory of 4480	3964	regsvr32.exe	regsvr32.exe
PID 4480 wrote to memory of 4372	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 4372	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 4372	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 4372	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 4372	4480	regsvr32.exe	explorer.exe
PID 4372 wrote to memory of 1588	4372	explorer.exe	reg.exe
PID 4372 wrote to memory of 1588	4372	explorer.exe	reg.exe
PID 4372 wrote to memory of 4616	4372	explorer.exe	reg.exe
PID 4372 wrote to memory of 4616	4372	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uygqsbblu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll\"" /SC ONCE /Z /ST 16:16 /ET 16:28
4⤵
- Creates scheduled task(s)
PID:3036

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Irdabgy" /d "0"
4⤵
PID:1588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gkrzqup" /d "0"
4⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll
MD5
b008ec2be96eda36cbe241413ffcbc96

SHA1
5bce500b0916f0d668ff8dca8564c9195361a48e

SHA256
14da506c629f1046dcd6cd3f21080ae8886c15b5027a555c61219aec2911eca8

SHA512
56ee477d0a107f93dc79b0779ee27a90a730bcc0c9859e2cc456b4663134f944c550c6bf0823ceea053b8f22e728cf68468de854bce683375dcd2ba4b71be6c0

Download Submit
\Users\Admin\AppData\Local\Temp\b008ec2be96eda36cbe241413ffcbc96.dll
MD5
b008ec2be96eda36cbe241413ffcbc96

SHA1
5bce500b0916f0d668ff8dca8564c9195361a48e

SHA256
14da506c629f1046dcd6cd3f21080ae8886c15b5027a555c61219aec2911eca8

SHA512
56ee477d0a107f93dc79b0779ee27a90a730bcc0c9859e2cc456b4663134f944c550c6bf0823ceea053b8f22e728cf68468de854bce683375dcd2ba4b71be6c0

Download Submit
memory/1588-132-0x0000000000000000-mapping.dmp

Download
memory/2240-116-0x00000000742F0000-0x0000000074311000-memory.dmp

Filesize
132KB

Download
memory/2240-117-0x00000000742F0000-0x0000000074395000-memory.dmp

Filesize
660KB

Download
memory/2240-118-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2240-115-0x0000000000000000-mapping.dmp

Download
memory/3036-121-0x0000000000000000-mapping.dmp

Download
memory/4304-119-0x0000000000000000-mapping.dmp

Download
memory/4304-120-0x0000000000600000-0x0000000000621000-memory.dmp

Filesize
132KB

Download
memory/4372-130-0x0000000000000000-mapping.dmp

Download
memory/4372-131-0x0000000000570000-0x0000000000591000-memory.dmp

Filesize
132KB

Download
memory/4480-125-0x0000000000000000-mapping.dmp

Download
memory/4480-129-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4480-128-0x0000000073010000-0x00000000730B5000-memory.dmp

Filesize
660KB

Download
memory/4480-127-0x0000000073010000-0x0000000073031000-memory.dmp

Filesize
132KB

Download
memory/4616-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads