qakbot | 6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

General

Target

repo.html.2.dll
Size

484KB
MD5

6efb8dc48e232aa7ba405632259af67a
SHA1

2a1c0f25a9768fa04c648567e6d533f789793bb4
SHA256

6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40
SHA512

4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

924 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe

pid	process
924	regsvr32.exe

pid	process
1608	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\50df5fad = eb63819aadf022afeb2af9976c2ff6ada0e40db75ab3d5e70ba6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\a2b58770 = 6ee7bb11953bd4083beda7422732da9f5fea8cd78d70e8eff487338d1ba45427b67a9e001e4140ef38c91e1fb1980e3c01bab4777dcba2b22f1d4f266047b0b8acb5c41b5e40cfb131a1b73263ca8bd1d930eaa7927e9cd667be02bd742f12baa50e5e2d86c93244685a19b60e15cb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ea2218b4 = a192f1565c331fb4cf6c7f6ad1387d5c99d0d1548f7ca7ed8eef495877d1a42f5ef0dc68f6de991972eb495307ee9367ea8465eb134a84086e4b131f2384d879b0b83c79336ffd4deed9c714b91a12692b751b36ce3b143c24	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\529e7fd1 = ffe8eb29b6cd8fd9112d6f8c5a5a03ea8924bcbe0dbec566dab109ad29	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\2f96305b = ec4ab7311ccee3f2d99d958155387220c26ba8fa49f766542f735efbfa2e7a76a6a46b057fc5602bb052b0864899519d14fddb5628457ccd4986ad407f1857d0aa64bf1d50cac56c4f73b15f2719ec167a1449c95d099734078d9f9c8bf7dc00b9e0a8e8b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\972a573e = c1c9650e44b62a935b928140bab19e0ae36601f038143b66b09d38b0d300b9831344a7ec9da74e4c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ddfce886 = 3ff735aedfb3708ad8f0c4328a7650b3addd084753062b83515c59f7d7c6f7dbcaef449de35a3bcb8110867b82d3ae7b0c737c7f49653e4aa4edab5e5ae26aa77d41ca82c54a5abdb43d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\ddfce886 = 3ff722aedfb345371bc5f5e05c0b4920a3043ab92c0f944dee28c3e5371d3d29c3dcde604348ada5e425a606b5ae0c9976b2b6bf13	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugwqzdwmxiik\e86338c8 = 02e2bfd5d5abd904be23051ff56c0e63538510d4278f89a75be6aec09c9511347e72f7582b1bdd5393e3f4f00088904bc7e8576169e3461251e367323b4f36486cca2f500c58d2dc26107e1d735e27eb3831ccccbedff06f1bbe920bf9ca36509289925243e2b67ea3d81b73d52535b39e475a16a3684757e36dae4a879b894f4347626e47fbfbd1d884e77bfc1a991cfcee96399029e234582dd8b0fa06536b4d735f83e2559be9fb493eb097ad6ec924ddb279dd04b0fbb3ad4ade79dd34e3cdc0f80bc0c1ba054b	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2012 rundll32.exe
924 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2012 rundll32.exe
924 regsvr32.exe

pid	process
2012	rundll32.exe
924	regsvr32.exe

pid	process
2012	rundll32.exe
924	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 2012	2004	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 2012 wrote to memory of 1508	2012	rundll32.exe	explorer.exe
PID 1508 wrote to memory of 1608	1508	explorer.exe	schtasks.exe
PID 1508 wrote to memory of 1608	1508	explorer.exe	schtasks.exe
PID 1508 wrote to memory of 1608	1508	explorer.exe	schtasks.exe
PID 1508 wrote to memory of 1608	1508	explorer.exe	schtasks.exe
PID 1756 wrote to memory of 1436	1756	taskeng.exe	regsvr32.exe
PID 1756 wrote to memory of 1436	1756	taskeng.exe	regsvr32.exe
PID 1756 wrote to memory of 1436	1756	taskeng.exe	regsvr32.exe
PID 1756 wrote to memory of 1436	1756	taskeng.exe	regsvr32.exe
PID 1756 wrote to memory of 1436	1756	taskeng.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 924	1436	regsvr32.exe	regsvr32.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 964	924	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1284	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1284	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1284	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1284	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1460	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1460	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1460	964	explorer.exe	reg.exe
PID 964 wrote to memory of 1460	964	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ovdfgnlfom /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll\"" /SC ONCE /Z /ST 13:31 /ET 13:43
4⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\taskeng.exe
taskeng.exe {A7B46E8F-9163-4185-A22C-96044B074E05} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Swfwujfizsn" /d "0"
5⤵
PID:1284

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Kpmguj" /d "0"
5⤵
PID:1460

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll
MD5
6efb8dc48e232aa7ba405632259af67a

SHA1
2a1c0f25a9768fa04c648567e6d533f789793bb4

SHA256
6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

SHA512
4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\repo.html.2.dll
MD5
6efb8dc48e232aa7ba405632259af67a

SHA1
2a1c0f25a9768fa04c648567e6d533f789793bb4

SHA256
6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

SHA512
4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Download Submit
memory/924-75-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/924-70-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/924-66-0x0000000000000000-mapping.dmp

Download
memory/964-76-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/964-71-0x0000000000000000-mapping.dmp

Download
memory/1284-77-0x0000000000000000-mapping.dmp

Download
memory/1436-64-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download
memory/1436-63-0x0000000000000000-mapping.dmp

Download
memory/1460-78-0x0000000000000000-mapping.dmp

Download
memory/1508-62-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1508-59-0x0000000074671000-0x0000000074673000-memory.dmp

Filesize
8KB

Download
memory/1508-57-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000000000000-mapping.dmp

Download
memory/2012-53-0x0000000000000000-mapping.dmp

Download
memory/2012-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2012-55-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2012-56-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2012-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads