qakbot | 6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

General

Target

repo.html.2.dll
Size

484KB
MD5

6efb8dc48e232aa7ba405632259af67a
SHA1

2a1c0f25a9768fa04c648567e6d533f789793bb4
SHA256

6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40
SHA512

4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1460 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3528 schtasks.exe

pid	process
1460	regsvr32.exe

pid	process
3528	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\c4ece5bf = 6c3277f982464dae8b50893a27aebc10a70437096e060a56f04ca8ef608122649fddfeb576d7a134bc275f395449c329c70c4460531611867ca15e61edb7275c62a878ecd6692f1c1748c3d835d9c10600b8e52c18facd3c379d8e5713c9f69942e5201be12bb218	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\319ed2c = 7e49031860885e0e8e67309eccc522b69ba9c46d8b99b2c63c84030f3252ea904d72e5529cc5e1b349712ee5832a00f22242c803fba017c45f1d34e969b037ff8b233d03cdd6d3d5920c86980c1ca5baba7ab6b0539d61e837	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\f17335f1 = 75cfbb96ae509aad737f179c1c4cff56a84b089c396c89f867214cae5f232be3fd65909dacf12ac2b0cb183c64eb1148c47c91881b03b23663a16f7ac8f342c1a2e0166cf3524f874f9f49632e80c3d7aec63467f6e5926f74d5848c48c212f81bc1c17c0959fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\8e3a5a07 = 48a59765fbbff1a328eeaaf23e8631191a76dec7ada07cccce1722ac0ac25dbbe3a30aa17ac2f530b10bdc5792d4a4d3cf56d618c68e14d72d03cdad1f2e26aac68559904f9018f5b07614f476ef97c6ec1696ffe5e54d8bde6d979273b9474815c9a34032518c07e90db4bc0b325c7f0c05cfe0e986dcc7c4bc67d8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\158cd50 = 9464e2432ffc984e6cd97f4e526aa6183bad5394ae7e07fd98223cdade7947036d85cc9bb274c23842ea48fa070621558729b38a96988817862124575c77655c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\7c5082da = 5cf8151b111af6b5bc92ba08152c86cf2a48689d15550056ce2abdf3f8acdeb1c136186138b73906dabbd65f7040934f8c97d764313afef5b6503a92c057	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\8e3a5a07 = 48a58065fbbfc48babfaba912e80ce1a7a41cc89a4a3008050ad31720d47269de4c34e1017e11e66f583b74fbc46628c16e33ea8a4ec7bd7e9ab2b4f0e868b0eb2368ddad744fc300068de37a08f169ac1bb194f74f9bca1cea107f9712c17b678ad9fc005eea7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\bba58a49 = 2ff9eccfb8462adc2ec53c3ba6de4b1a780a25fdd437cd7ffc84cf86edf0d69582974e5ee679fa80099ecc6f614e90ea109963bc4a3fff88f9edc6f443e259a46079ebc419ba4c6a2b1a1799b3172da2b54068100ac9e13d0ae9b79cb08d54097e6d3fa60b0571d65fa59c9fe77a8bf2e8f003360ed6b4c622c5dabed5c0b9140844c8e6e0aea00f89e8a7a80724340769ff6612555f9dbaaee170e8ef518288de788908080ef9da48	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yiaabaxins\b9e4aa35 = 6ebd7aca541a6c15a8a44f11382f877dde776fecfb3fbfd60af1e12d71a13465c65a2e10b6620dd036ee8bc037e06301a0b4ee5608419c5fbe0ca7bb103fe1f0b3b10604e5d885cbf7dce76523d354c09e41	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
836 rundll32.exe
1460 regsvr32.exe
1460 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
1460 regsvr32.exe

pid	process
836	rundll32.exe
836	rundll32.exe
1460	regsvr32.exe
1460	regsvr32.exe

pid	process
836	rundll32.exe
1460	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 2528 wrote to memory of 3528	2528	explorer.exe	schtasks.exe
PID 2528 wrote to memory of 3528	2528	explorer.exe	schtasks.exe
PID 2528 wrote to memory of 3528	2528	explorer.exe	schtasks.exe
PID 1020 wrote to memory of 1460	1020	regsvr32.exe	regsvr32.exe
PID 1020 wrote to memory of 1460	1020	regsvr32.exe	regsvr32.exe
PID 1020 wrote to memory of 1460	1020	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 2696	1460	regsvr32.exe	explorer.exe
PID 1460 wrote to memory of 2696	1460	regsvr32.exe	explorer.exe
PID 1460 wrote to memory of 2696	1460	regsvr32.exe	explorer.exe
PID 1460 wrote to memory of 2696	1460	regsvr32.exe	explorer.exe
PID 1460 wrote to memory of 2696	1460	regsvr32.exe	explorer.exe
PID 2696 wrote to memory of 3344	2696	explorer.exe	reg.exe
PID 2696 wrote to memory of 3344	2696	explorer.exe	reg.exe
PID 2696 wrote to memory of 2164	2696	explorer.exe	reg.exe
PID 2696 wrote to memory of 2164	2696	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gsaplnslsp /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll\"" /SC ONCE /Z /ST 15:31 /ET 15:43
4⤵
- Creates scheduled task(s)
PID:3528

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Kpuxnsh" /d "0"
4⤵
PID:3344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gndoy" /d "0"
4⤵
PID:2164

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\repo.html.2.dll
MD5
6efb8dc48e232aa7ba405632259af67a

SHA1
2a1c0f25a9768fa04c648567e6d533f789793bb4

SHA256
6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

SHA512
4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Download Submit
\Users\Admin\AppData\Local\Temp\repo.html.2.dll
MD5
6efb8dc48e232aa7ba405632259af67a

SHA1
2a1c0f25a9768fa04c648567e6d533f789793bb4

SHA256
6ac1f7b75783b42e112828cb97ddea479b82e20ab82df792a1da5b41473c6e40

SHA512
4e7b0013506df2437ecb801d268faf876255a4d66b88dad9f7d85c031d8a963e25c6360e8d6c1d0d48ba84e6dc4500e3ba8246bb2e013b5df0bda9b4312a7ee2

Download Submit
memory/836-116-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/836-115-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/836-117-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/836-114-0x0000000000000000-mapping.dmp

Download
memory/1460-128-0x00000000039E0000-0x0000000003BEE000-memory.dmp

Filesize
2.1MB

Download
memory/1460-124-0x0000000000000000-mapping.dmp

Download
memory/1460-127-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2164-131-0x0000000000000000-mapping.dmp

Download
memory/2528-122-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2528-119-0x0000000003200000-0x0000000003221000-memory.dmp

Filesize
132KB

Download
memory/2528-118-0x0000000000000000-mapping.dmp

Download
memory/2696-129-0x0000000000000000-mapping.dmp

Download
memory/2696-134-0x00000000009A0000-0x00000000009C1000-memory.dmp

Filesize
132KB

Download
memory/3344-130-0x0000000000000000-mapping.dmp

Download
memory/3528-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads