qakbot | 8ba7f0285fe67b9e603aa5f8d5d213b1d7f76d535c6feabd768499d40e31b87c

General

Target

test.test.dll
Size

662KB
MD5

78ae3f7f5d7cf9c0e95cefb5c4b61ab7
SHA1

29125f7ffffc2ab6a6808d80a1abbc17ac806262
SHA256

8ba7f0285fe67b9e603aa5f8d5d213b1d7f76d535c6feabd768499d40e31b87c
SHA512

b2a1a6a8b8e0c647dad1a813540e24920cb033d0d56d770283ca08cc51d39f22fe73e66a028931b1cd52539202d7c87c684646d6a21fcfa464fb6ffce823b03d

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3036 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

804 schtasks.exe

pid	process
3036	regsvr32.exe

pid	process
804	schtasks.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

regsvr32.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\71fe3258 = ba5fa59e7f3317362ea925581ea7e4fa46df34b8d96ae5597c97e9d2192528ea7cf47c15b1f6e40a355d051245d04383f304afc03e2a5fe4e6a389880970b7b1085161c959ce7016a11a4275d99763eb1076d9b8153dd1cd212c4d854bd98388068278eb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\cf67dd2 = 6ce06a5b186645c6826795d10f486b34e68b2f2495f537403cd478621671a84cbbbb56fa312968aa588b62e3527012244880	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\3969ad9c = 67e2ef4bcd0b6aa979c8992c973cb72838f27fbb73adf2756edf41d9503d59657bff2365bfb9936b65068548acf4055e4c4a64fb1deb1b3a653d7e76ea3b5039ce04f7cf6ad3423602ab2b9654dca2266848f861d963ef751d8afa4f4b8caa2fe13cf34321	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	regsvr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\cb037541 = 501ba904f03d235ca14aaad6f6787dc8afda7bdfc147f2c5859b4bbbc66cc84aabf35f853b47e5fd004846be726c97358923396e59714d965e19bb71018df105f94892fb7c0406271077eb7f7eca	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\4620c26a = 0a61b3cb107b6ac7848b94152e2f4839f6d28b9ba92ed7cad0a4ab955fd7049b5612214242cce6f65193c75be045829271ea6485a9eb752022c53293d73216ac10988b42d3c50295c48d43af9de881d5421167382c9eb901d0de0de786c0ada0eaff8a7342a0d8a0fd2e344304997a7d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\73bf1224 = b73ab2919b58c442db1e75e0b1c81034846e47bb305138de110bc3b6f0aadb498e7bba3464c2501cb42a1695b407f4fd4b5a1d72b9b3dcfd4bd7b5a1f12fa706d7189be02b2fb43bea46f3c610ef724e81757073ed3514dbb9211699905f00ab0cbeff73afe57d549611974d297966ff	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\System	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	regsvr32.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	regsvr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\4620c26a = 0a61a4cb107b5f5ed2dfceb43ab76a9bf53ab057f0a0b9983dec31f10fafaa053f03563f4a182241e83034a3dc939b3f85f59c5a81513329fd5f0080ae3c362355603f7416516a8ff0dd7092c8631e8c6203824de6c4370d88e219	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\c942553d = 7b6dc4f55d0ff726082884acbd29a86a61066e9f26cc99f9438f737aa36a51	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tehijunyv\b44a1ab7 = 596326ef3fb023502f1ded89feadc2c80846a44f3c2305a1ddf506320a465c220900c94845c6c609e51dd40a13b28f75238ac2a19a6cf90b68bd4951d0cd4637	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4020 regsvr32.exe
4020 regsvr32.exe
3036 regsvr32.exe
3036 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4020 regsvr32.exe
3036 regsvr32.exe

pid	process
4020	regsvr32.exe
4020	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe

pid	process
4020	regsvr32.exe
3036	regsvr32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3628 wrote to memory of 4020	3628	regsvr32.exe	regsvr32.exe
PID 3628 wrote to memory of 4020	3628	regsvr32.exe	regsvr32.exe
PID 3628 wrote to memory of 4020	3628	regsvr32.exe	regsvr32.exe
PID 4020 wrote to memory of 584	4020	regsvr32.exe	explorer.exe
PID 4020 wrote to memory of 584	4020	regsvr32.exe	explorer.exe
PID 4020 wrote to memory of 584	4020	regsvr32.exe	explorer.exe
PID 4020 wrote to memory of 584	4020	regsvr32.exe	explorer.exe
PID 4020 wrote to memory of 584	4020	regsvr32.exe	explorer.exe
PID 584 wrote to memory of 804	584	explorer.exe	schtasks.exe
PID 584 wrote to memory of 804	584	explorer.exe	schtasks.exe
PID 584 wrote to memory of 804	584	explorer.exe	schtasks.exe
PID 3036 wrote to memory of 3792	3036	regsvr32.exe	explorer.exe
PID 3036 wrote to memory of 3792	3036	regsvr32.exe	explorer.exe
PID 3036 wrote to memory of 3792	3036	regsvr32.exe	explorer.exe
PID 3036 wrote to memory of 3792	3036	regsvr32.exe	explorer.exe
PID 3036 wrote to memory of 3792	3036	regsvr32.exe	explorer.exe
PID 3792 wrote to memory of 2336	3792	explorer.exe	reg.exe
PID 3792 wrote to memory of 2336	3792	explorer.exe	reg.exe
PID 3792 wrote to memory of 736	3792	explorer.exe	reg.exe
PID 3792 wrote to memory of 736	3792	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\test.test.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\test.test.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn htuavoay /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 17:18 /ET 17:30
4⤵
- Creates scheduled task(s)
PID:804

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
1⤵
PID:3348

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vgwocrd" /d "0"
4⤵
PID:2336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Fouupcfrj" /d "0"
4⤵
PID:736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
78ae3f7f5d7cf9c0e95cefb5c4b61ab7

SHA1
29125f7ffffc2ab6a6808d80a1abbc17ac806262

SHA256
8ba7f0285fe67b9e603aa5f8d5d213b1d7f76d535c6feabd768499d40e31b87c

SHA512
b2a1a6a8b8e0c647dad1a813540e24920cb033d0d56d770283ca08cc51d39f22fe73e66a028931b1cd52539202d7c87c684646d6a21fcfa464fb6ffce823b03d

Download Submit
\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
78ae3f7f5d7cf9c0e95cefb5c4b61ab7

SHA1
29125f7ffffc2ab6a6808d80a1abbc17ac806262

SHA256
8ba7f0285fe67b9e603aa5f8d5d213b1d7f76d535c6feabd768499d40e31b87c

SHA512
b2a1a6a8b8e0c647dad1a813540e24920cb033d0d56d770283ca08cc51d39f22fe73e66a028931b1cd52539202d7c87c684646d6a21fcfa464fb6ffce823b03d

Download Submit
memory/584-117-0x0000000000000000-mapping.dmp

Download
memory/584-121-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/736-127-0x0000000000000000-mapping.dmp

Download
memory/804-118-0x0000000000000000-mapping.dmp

Download
memory/2336-126-0x0000000000000000-mapping.dmp

Download
memory/3036-124-0x0000000002BC0000-0x0000000002DCE000-memory.dmp

Filesize
2.1MB

Download
memory/3792-125-0x0000000000000000-mapping.dmp

Download
memory/3792-130-0x0000000003200000-0x0000000003221000-memory.dmp

Filesize
132KB

Download
memory/4020-114-0x0000000000000000-mapping.dmp

Download
memory/4020-115-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/4020-116-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads