qakbot | 0c6a5acc3823fdd07d2096562030a3818fb6001312d0daf33a61039d3acfcee7

General

Target

test.test.dll
Size

573KB
MD5

fa3ad164c7198e0bf3747ffa1f84d074
SHA1

ebdd0932906db624c500d27184fa46814354756c
SHA256

0c6a5acc3823fdd07d2096562030a3818fb6001312d0daf33a61039d3acfcee7
SHA512

371d472067ee1c313ea37ff1bed16375446168ca95673ce1af2803e64e20c346de9932499622f256a6485a92c806f285be22ab8fed2726da5d73b4fae26fcf44

Score

10^/10

qakbot tr 1633334141 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

756 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

796 schtasks.exe

pid	process
756	regsvr32.exe

pid	process
796	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\4cce23b1 = d19957d2e1967b5747e73b040272764fabea0aa7ee33bf5819bf8ea571469cece07743eb63102b85f8222e15611769775c9bd1f48d4edd7664431bfd4b08bf7706ae36818a9a3e0f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\c1ed949a = 55ddce1c604dd11b70632febeae4cdb5a1dd76989b38da3f4cc2673c8d7b372d9189265668b19e790ad7c57403149702f0d447f9ed1a348e22fecab21756d1c9cc18060ba31eec4a5601a9f6408d5a784b195cd7ddad60edda7f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\f47244d4 = 79e750f4d08dade90dc4efbfe87787bc93f8c1dd39000f7004c6c74b7a6401a35dc71866b8902bcd64bdbd7bfe0ec1207a072c63430133fda6c49715bc75e83dbcd6a8301a3818acf34542a96ea7358ace54f91bcc57267611c68ebb62b0331fdaf9cadcf4c8c7438608d5e2847fac1d9a1c213e95221e178faf84f8a19d01d8c9b7d19ada0013dd55f787070c506a5715f41e18	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\f63364a8 = cc3fcf7e5bb37147e2465625fcf6d8c3f2a1d6e27eef6ed3c8e380013a2c67a66d58c78f0bdef0d8b796c1b9f88eafb766873f121f230f7bd72d3eb47bce080037fa646445c0dac5c69ca839db4fd29555e04f1d0a263aecc23357d1f158e4d760ae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\33874c47 = e8f71e2ebfd6253b80cab10df4a9b728baa6cbb38a62b6f1072dbc2fd170dfcbf4eb6ec844adb157acdc0e215edf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\8b3b2b22 = bfabcf1cfc3c8a54451d10bc4c83cae44b991c70446b1a97bf35a4c21df4e8fc549255c0dab2065c170ca7d5de40e8c1394b73b0f84096c8a79490abfb4fbd70e6afcf65a74f37943c367a2cc43f11e7847948c1ab203c4ade7dab46211966ea667d99f3f6c700178c6ded92c55e24743814	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\bea4fb6c = 697496d06dc844b9d4e5000e4b4e531b8f558cb589632bb3ac5279f9f2e62c3ab3dc6f9103047429f8571e6e20d8611a62c80215a452d589ff	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mevnfykuve	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\c1ed949a = 55ddd91c604de494ba62ae79ec234daad8353ea7c202857cf7e8de0d8046b5e231faf5f8272d510300abe93b681c0628f48745e04d9cff3e2c875329aa42aebd6ac0569b99	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mevnfykuve\4e8f03cd = ca88630ebddf0e713af48c6fc1e3ecb7ff021bbc46af	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1596 rundll32.exe
756 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1596 rundll32.exe
756 regsvr32.exe

pid	process
1596	rundll32.exe
756	regsvr32.exe

pid	process
1596	rundll32.exe
756	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 1596	1540	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1596 wrote to memory of 1488	1596	rundll32.exe	explorer.exe
PID 1488 wrote to memory of 796	1488	explorer.exe	schtasks.exe
PID 1488 wrote to memory of 796	1488	explorer.exe	schtasks.exe
PID 1488 wrote to memory of 796	1488	explorer.exe	schtasks.exe
PID 1488 wrote to memory of 796	1488	explorer.exe	schtasks.exe
PID 1800 wrote to memory of 1760	1800	taskeng.exe	regsvr32.exe
PID 1800 wrote to memory of 1760	1800	taskeng.exe	regsvr32.exe
PID 1800 wrote to memory of 1760	1800	taskeng.exe	regsvr32.exe
PID 1800 wrote to memory of 1760	1800	taskeng.exe	regsvr32.exe
PID 1800 wrote to memory of 1760	1800	taskeng.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 1760 wrote to memory of 756	1760	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 756 wrote to memory of 1940	756	regsvr32.exe	explorer.exe
PID 1940 wrote to memory of 1324	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1324	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1324	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1324	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1680	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1680	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1680	1940	explorer.exe	reg.exe
PID 1940 wrote to memory of 1680	1940	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test.test.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn phltlexj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test.test.dll\"" /SC ONCE /Z /ST 13:21 /ET 13:33
4⤵
- Creates scheduled task(s)
PID:796

C:\Windows\system32\taskeng.exe
taskeng.exe {82EDBF16-47B3-4F70-B064-49EE136E2CB8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test.test.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ueyreylqomqi" /d "0"
5⤵
PID:1324

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Invgxerfh" /d "0"
5⤵
PID:1680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
fa3ad164c7198e0bf3747ffa1f84d074

SHA1
ebdd0932906db624c500d27184fa46814354756c

SHA256
0c6a5acc3823fdd07d2096562030a3818fb6001312d0daf33a61039d3acfcee7

SHA512
371d472067ee1c313ea37ff1bed16375446168ca95673ce1af2803e64e20c346de9932499622f256a6485a92c806f285be22ab8fed2726da5d73b4fae26fcf44

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\test.test.dll
MD5
fa3ad164c7198e0bf3747ffa1f84d074

SHA1
ebdd0932906db624c500d27184fa46814354756c

SHA256
0c6a5acc3823fdd07d2096562030a3818fb6001312d0daf33a61039d3acfcee7

SHA512
371d472067ee1c313ea37ff1bed16375446168ca95673ce1af2803e64e20c346de9932499622f256a6485a92c806f285be22ab8fed2726da5d73b4fae26fcf44

Download Submit
memory/756-69-0x0000000010000000-0x000000001458E000-memory.dmp

Filesize
69.6MB

Download
memory/756-68-0x0000000000C20000-0x0000000005157000-memory.dmp

Filesize
69.2MB

Download
memory/756-65-0x0000000000000000-mapping.dmp

Download
memory/796-61-0x0000000000000000-mapping.dmp

Download
memory/1324-75-0x0000000000000000-mapping.dmp

Download
memory/1488-59-0x0000000074FE1000-0x0000000074FE3000-memory.dmp

Filesize
8KB

Download
memory/1488-60-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1596-53-0x0000000000000000-mapping.dmp

Download
memory/1596-56-0x0000000010000000-0x000000001458E000-memory.dmp

Filesize
69.6MB

Download
memory/1596-55-0x00000000022D0000-0x0000000006807000-memory.dmp

Filesize
69.2MB

Download
memory/1596-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1680-76-0x0000000000000000-mapping.dmp

Download
memory/1760-63-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1760-62-0x0000000000000000-mapping.dmp

Download
memory/1940-70-0x0000000000000000-mapping.dmp

Download
memory/1940-74-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads