qakbot | 61238817a6f5e25030106932adf64912cd1a2e7221a193299a9aea16d93b3cd6

General

Target

alp.html.dll
Size

642KB
MD5

f4685180e8b17a8bc23f5764cb67cb43
SHA1

f7a1f3fce5e6f0f1bd28a7262f26385277a4b5a4
SHA256

61238817a6f5e25030106932adf64912cd1a2e7221a193299a9aea16d93b3cd6
SHA512

336a812f63718821c03da35139674b4b63ab7032909eea721a341cc91786e1f7aa2a919432536410a017d4b9da2e0d4b6dbb54aeaa07074bcd97975641107f56

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1332 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1668 schtasks.exe

pid	process
1332	regsvr32.exe

pid	process
1668	schtasks.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

regsvr32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\1f4d6bbc = 893c88fc49d3bf005c673fe244f0a70dab49fd628381443c923fc7a9373af9ab55c5d208957a1bcb53b457c2d4739f83b52eca7d0a5faa03f2a011c4eabe72151ef911a381405759ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\a7f10cd9 = a1ae9f829eaa394d5ffe601d41a9093b23dd8d66a84aa9e3de3bd5c2e929b013f3b52c50e67d9e80b1ebe968dfbf27c3e9e1a53d8d77b7394eb18c51d0127ba94e1797262074afe3a5e73763fb3dd0eb50663440fa492a17e4fc4ad93427637820cd858c15aaa6e16e3435255ab1aa48b315807c5558f787da	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\6004044a = 8e015581fa21ccccc3998ad4fb765aaee7834e725c1c41547e2fbd6bb0b14eecb9e97ab83480221046c5227a646beb3e7580bd9fbd7eab8cf0d836c75ac2f6343bdc9e6b5fa34f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\ed27b361 = eb1f92c93baef801c7e49ae3865327b977c007996805a8cb035914441874c73bedaf14bfb0e2a6ac63383f3f3bcbdc6279b91eb62d0715ef8798782e0ed7ef	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\926edc97 = fb376f3bc3e715591c566d7c1923124d2a026096c9e1591650e9c7d93e76039798319a61258789269b45e6045abc87db9c7d8c54e0bf0e86	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\926edc97 = fb37783bc3e7202fa4ae5fa5459c92fe719114e77b3e1c260932ca60f275025e8e25ca	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\a5b02ca5 = 8dcfbdbe62eed91be6957cc1eef43fbc3f30b18b936bcd53e31231c47bcedada853953ce416730fdb4861dd8f8df96ebbb8d15a5443f87aa1daada81e2a2b23749caa1ebc94fea	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\1d0c4bc0 = f4a93329d4bf51bbdf295b84233b7e7272303b4f1773b0d2e6cefd92eba0b2b3ac83be09694f4ecfa371d41ed61ffc7c9b9332625c8bc77a0787e6b53d5d79518e12cfe762a8301d5f9442ac71d4d2b0bb5074eec77323739120f7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Arihwykfcprl\d8b8632f = 7801bcda7c16d681b4c424fb8fc8ba805f12919bff6c57714f71d52829fc930f42e6a89793a8cd	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	regsvr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

972 regsvr32.exe
1332 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

972 regsvr32.exe
1332 regsvr32.exe

pid	process
972	regsvr32.exe
1332	regsvr32.exe

pid	process
972	regsvr32.exe
1332	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 1596 wrote to memory of 972	1596	regsvr32.exe	regsvr32.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 972 wrote to memory of 968	972	regsvr32.exe	explorer.exe
PID 968 wrote to memory of 1668	968	explorer.exe	schtasks.exe
PID 968 wrote to memory of 1668	968	explorer.exe	schtasks.exe
PID 968 wrote to memory of 1668	968	explorer.exe	schtasks.exe
PID 968 wrote to memory of 1668	968	explorer.exe	schtasks.exe
PID 516 wrote to memory of 616	516	taskeng.exe	regsvr32.exe
PID 516 wrote to memory of 616	516	taskeng.exe	regsvr32.exe
PID 516 wrote to memory of 616	516	taskeng.exe	regsvr32.exe
PID 516 wrote to memory of 616	516	taskeng.exe	regsvr32.exe
PID 516 wrote to memory of 616	516	taskeng.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1332	616	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 1992	1332	regsvr32.exe	explorer.exe
PID 1992 wrote to memory of 1536	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1536	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1536	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1536	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1120	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1120	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1120	1992	explorer.exe	reg.exe
PID 1992 wrote to memory of 1120	1992	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\alp.html.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\alp.html.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn viaktwc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\alp.html.dll\"" /SC ONCE /Z /ST 14:05 /ET 14:17
4⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {4226611C-AC45-43B2-BD4C-61AE595E484E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\alp.html.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\alp.html.dll"
3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Anldqaqfu" /d "0"
5⤵
PID:1536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yzieoaniwo" /d "0"
5⤵
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alp.html.dll
MD5
f4685180e8b17a8bc23f5764cb67cb43

SHA1
f7a1f3fce5e6f0f1bd28a7262f26385277a4b5a4

SHA256
61238817a6f5e25030106932adf64912cd1a2e7221a193299a9aea16d93b3cd6

SHA512
336a812f63718821c03da35139674b4b63ab7032909eea721a341cc91786e1f7aa2a919432536410a017d4b9da2e0d4b6dbb54aeaa07074bcd97975641107f56

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\alp.html.dll
MD5
f4685180e8b17a8bc23f5764cb67cb43

SHA1
f7a1f3fce5e6f0f1bd28a7262f26385277a4b5a4

SHA256
61238817a6f5e25030106932adf64912cd1a2e7221a193299a9aea16d93b3cd6

SHA512
336a812f63718821c03da35139674b4b63ab7032909eea721a341cc91786e1f7aa2a919432536410a017d4b9da2e0d4b6dbb54aeaa07074bcd97975641107f56

Download Submit
memory/616-64-0x0000000000000000-mapping.dmp

Download
memory/968-62-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/968-59-0x0000000000000000-mapping.dmp

Download
memory/968-61-0x00000000740A1000-0x00000000740A3000-memory.dmp

Filesize
8KB

Download
memory/972-57-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/972-58-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/972-56-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x0000000000000000-mapping.dmp

Download
memory/1120-75-0x0000000000000000-mapping.dmp

Download
memory/1332-67-0x0000000000000000-mapping.dmp

Download
memory/1536-74-0x0000000000000000-mapping.dmp

Download
memory/1596-54-0x000007FEFB951000-0x000007FEFB953000-memory.dmp

Filesize
8KB

Download
memory/1668-63-0x0000000000000000-mapping.dmp

Download
memory/1992-70-0x0000000000000000-mapping.dmp

Download
memory/1992-76-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads