qakbot | b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff

General

Target

test1.test.dll
Size

662KB
MD5

8538019c513379a092104fa35dfd5d76
SHA1

f524fea3b2f880359c2ed44453e5515c9f99cefe
SHA256

b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff
SHA512

5c3ed2a46507d7fa797a61ac54085a206dac66014a8e1b7217b134fd640f53c7d23c04e4f1f368aac27417262118dbb450bf979aa1fffa4dedd5b780b362cf1e

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2028 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1864 schtasks.exe

pid	process
2028	regsvr32.exe

pid	process
1864	schtasks.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

explorer.exeregsvr32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\da45d91f = 7fec40c2455cd65aeaf0570c45d39711053f0f2544d1f9cd5b945d840305eb81b62a78b75b053d02f3bca90eda0b99989bb49f3676181c62fb2a147cc6ec37720101a6516e866bf1f6d2be3baf1d53c7b6cb2ce83c87c73f25c9ef1df8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\55274e48 = f43e8d5399ad283aa04b4d0dfa088091f7ce3fea5e887065fd06d17c2d1bdecb1e971056bc55e5047b33fb5c617304977e1cc72da6fb09eac0a57dc21c2a66912766	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	regsvr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\55274e48 = f43e9a5399ad1d82befe8982d6f1774abd84421bab32738395ca928324358eaba7f8e053370b10e11fc259e650	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\62f9be7a = a7d9e641cd9474150d31a111d70ddd299e5eed65f64681fc8bebe8ebff4bbbeb8fafad4e01596fc4f5f7b4293599c1357e1d1c19f73bca407046e654ece7a3f59e7843	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\d804f963 = bbc07b461dfcc25a47b4e44e75336ec105cab67e0725b20b161930023384adb869ec30a6c8eadb915bf2f392755bc07d970f888f3c41be9e85f32d5ab8621554cd9af5ba	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\60b89e06 = fd3b710167a348e2a0860c7a18450af24b1157c8a32f1417a98ad62cdc85c71f48279f8f90c55a67b12e8e608fa87cd55e74aa5b84438ac0001646946b17c4454bc98a00999b269c3777868879ed76a3de2950a03ee7f0fefee98964c3e201bce02fd7e78a443208dd156fef1254e5b3614d280f9441c06a31b1ce1c834359d9d989cde005911ed7ab2df73a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\a74d9695 = 66f093643cd6bac3fc256f1599b67d33e96a5d1e1d0695aa0858b779c517f41941ea	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\2a6e21be = 27aa46fffb8e1f8d08710e0007d6a791b25eca761f9732b6548a63932b9ce23bc4df5aa5259c70f0864b1dbc40bcbb6bf71cfb5c9d2b34f16de986a30373bccefdfd0f95693d483d9dcc44d7cb71a498a5734ce29b2a608fe0747a0ecccfa8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\System	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wdccorha\1ff1f1f0 = 946cc2f46b7b591b33f6e3967104455dcb21f729223e91b94eeea6f624bfbe5af963b293f10c505db4db44ce9266a94f0c68e77ffcb3676e2a4effadebc9904a5c71c0b775b5a4dd800afd974ce949f4496e3f51831ee82a477c86ea7b70dc6df20cc4abbe6b0e4edb9f99db9b	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1012 regsvr32.exe
2028 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1012 regsvr32.exe
2028 regsvr32.exe

pid	process
1012	regsvr32.exe
2028	regsvr32.exe

pid	process
1012	regsvr32.exe
2028	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 1012	1640	regsvr32.exe	regsvr32.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1012 wrote to memory of 1568	1012	regsvr32.exe	explorer.exe
PID 1568 wrote to memory of 1864	1568	explorer.exe	schtasks.exe
PID 1568 wrote to memory of 1864	1568	explorer.exe	schtasks.exe
PID 1568 wrote to memory of 1864	1568	explorer.exe	schtasks.exe
PID 1568 wrote to memory of 1864	1568	explorer.exe	schtasks.exe
PID 1976 wrote to memory of 1216	1976	taskeng.exe	regsvr32.exe
PID 1976 wrote to memory of 1216	1976	taskeng.exe	regsvr32.exe
PID 1976 wrote to memory of 1216	1976	taskeng.exe	regsvr32.exe
PID 1976 wrote to memory of 1216	1976	taskeng.exe	regsvr32.exe
PID 1976 wrote to memory of 1216	1976	taskeng.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 1216 wrote to memory of 2028	1216	regsvr32.exe	regsvr32.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 2028 wrote to memory of 1536	2028	regsvr32.exe	explorer.exe
PID 1536 wrote to memory of 660	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 660	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 660	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 660	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 1556	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 1556	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 1556	1536	explorer.exe	reg.exe
PID 1536 wrote to memory of 1556	1536	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test1.test.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\test1.test.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fzbiepvsm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test1.test.dll\"" /SC ONCE /Z /ST 17:19 /ET 17:31
4⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {A2AF0E72-D38A-47CB-B6EE-48E11C0332DE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test1.test.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test1.test.dll"
3⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Morlykatai" /d "0"
5⤵
PID:660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ueuyyohjkc" /d "0"
5⤵
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test1.test.dll
MD5
8538019c513379a092104fa35dfd5d76

SHA1
f524fea3b2f880359c2ed44453e5515c9f99cefe

SHA256
b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff

SHA512
5c3ed2a46507d7fa797a61ac54085a206dac66014a8e1b7217b134fd640f53c7d23c04e4f1f368aac27417262118dbb450bf979aa1fffa4dedd5b780b362cf1e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\test1.test.dll
MD5
8538019c513379a092104fa35dfd5d76

SHA1
f524fea3b2f880359c2ed44453e5515c9f99cefe

SHA256
b69d373340bdd8dde8c718286c5f2bb8e1bbfc0c817f0fc7d5b1b712e4ef85ff

SHA512
5c3ed2a46507d7fa797a61ac54085a206dac66014a8e1b7217b134fd640f53c7d23c04e4f1f368aac27417262118dbb450bf979aa1fffa4dedd5b780b362cf1e

Download Submit
memory/660-80-0x0000000000000000-mapping.dmp

Download
memory/1012-61-0x0000000000000000-mapping.dmp

Download
memory/1012-62-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1012-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1012-67-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/1216-70-0x0000000000000000-mapping.dmp

Download
memory/1536-82-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1536-76-0x0000000000000000-mapping.dmp

Download
memory/1556-81-0x0000000000000000-mapping.dmp

Download
memory/1568-65-0x0000000074811000-0x0000000074813000-memory.dmp

Filesize
8KB

Download
memory/1568-69-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1568-63-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1864-68-0x0000000000000000-mapping.dmp

Download
memory/2028-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads