qakbot | 359fae17b7c6b8c156c2030141189e5752f45fcaa91e9c649c99bbd3e220b19b

General

Target

natu.html.dll
Size

611KB
MD5

22183f212d88c36f26d99a6b4a1fd336
SHA1

0c832c3517dc35df8e438d5b46d67f0231965d15
SHA256

359fae17b7c6b8c156c2030141189e5752f45fcaa91e9c649c99bbd3e220b19b
SHA512

5e444cbf5d9ea5820e611ac2288265763b0061f430532d8a97bb0f1c9567565877e3f682df3449cb786d2ac168143dd8b8373c2c71955dc2881857dfb24cbcc9

Score

10^/10

qakbot tr 1633597816 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597816

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1784 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1112 schtasks.exe

pid	process
1784	regsvr32.exe

pid	process
1112	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\74c31211 = d788157065024607fd121cdb4cacb1b676c884870b8e6c7fddf870c12b3583e7b97680879b0e23	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\b8a7de7 = 984331348378c974a4d7c478250cc2d7db6dda3b00bc721f40fccb122bff9979c19636b6a68e33fe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\3c548dd5 = 61ddac1380bb235d84c7752880b86e9e9100477d3771b431109a5c6cfff8a9c75ead4041c67f5b24a90b78c87d6f21f9e941ea99decd9ab298e4844dde9923f816fe5eb6a1feec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\b8a7de7 = 984326348378fccbb71c4dac6af9acf6d17a85	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\3e15ada9 = e9895d132c8bcabbee9fd22e2904ff6168938051753a7531ac17f399cee62f7dc211bcaf954d35066d8ac1821b1dc038dd1dc480405016d65faa3c4998fc8b2208479b0b191f304a56d978bdea57dd9312f3379a26a8fe3edaf65a33f5107f3d2da033007f1414365bca7bc5ec90ca26860e98e8ab0b72c473ef02dc06649dcfe3a73c53bbbcfa5b8c7befdecc93968ad1d7fde120363fa8fb1567bb199011ff1db3470dcee0145b36981a728d520e627ce98b09dd5366c6285c7d9cf43336157762d2b92f8b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\84e8eab0 = c2863baec4373cabcc66a17cc76d3a9e9a16ed0b0c811b6fc3895583784d0cf61b688782411bf7eee41fddaa306b50db34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\f9e0a53a = 054377fda076b992152bb764b86c565d8fc8e86ef0cdfab95572efcbab61048b5005e74837587ed15626b772bff7c102ba	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\415cc25f = 061e66cd61898a3185f6ccbf5bf9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ajryrdflo\86a9cacc = 84d23a44ce7db2219fdfe57c0ea75426a176ea5884b13eb3b07cec8cc36f82230924c514e9d776767cde2fd12655aa938b9825b4d6d395ed1a8cd75b015f5284367e37ed15b240d04c75cea01644b3e9b386840dc5791c5fe1ec4e08524b3d73	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ajryrdflo	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1476 rundll32.exe
1784 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1476 rundll32.exe
1784 regsvr32.exe

pid	process
1476	rundll32.exe
1784	regsvr32.exe

pid	process
1476	rundll32.exe
1784	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 1476	1544	rundll32.exe	rundll32.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 1476 wrote to memory of 964	1476	rundll32.exe	explorer.exe
PID 964 wrote to memory of 1112	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1112	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1112	964	explorer.exe	schtasks.exe
PID 964 wrote to memory of 1112	964	explorer.exe	schtasks.exe
PID 548 wrote to memory of 1792	548	taskeng.exe	regsvr32.exe
PID 548 wrote to memory of 1792	548	taskeng.exe	regsvr32.exe
PID 548 wrote to memory of 1792	548	taskeng.exe	regsvr32.exe
PID 548 wrote to memory of 1792	548	taskeng.exe	regsvr32.exe
PID 548 wrote to memory of 1792	548	taskeng.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1792 wrote to memory of 1784	1792	regsvr32.exe	regsvr32.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 832	1784	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 1680	832	explorer.exe	reg.exe
PID 832 wrote to memory of 1680	832	explorer.exe	reg.exe
PID 832 wrote to memory of 1680	832	explorer.exe	reg.exe
PID 832 wrote to memory of 1680	832	explorer.exe	reg.exe
PID 832 wrote to memory of 628	832	explorer.exe	reg.exe
PID 832 wrote to memory of 628	832	explorer.exe	reg.exe
PID 832 wrote to memory of 628	832	explorer.exe	reg.exe
PID 832 wrote to memory of 628	832	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natu.html.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natu.html.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qxsnbmdv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\natu.html.dll\"" /SC ONCE /Z /ST 11:17 /ET 11:29
4⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\taskeng.exe
taskeng.exe {530BF5A4-FAE1-4DDC-8D08-2AAEA6DC0185} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\natu.html.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\natu.html.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bujdjfatf" /d "0"
5⤵
PID:1680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nisbagjblpw" /d "0"
5⤵
PID:628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\natu.html.dll
MD5
22183f212d88c36f26d99a6b4a1fd336

SHA1
0c832c3517dc35df8e438d5b46d67f0231965d15

SHA256
359fae17b7c6b8c156c2030141189e5752f45fcaa91e9c649c99bbd3e220b19b

SHA512
5e444cbf5d9ea5820e611ac2288265763b0061f430532d8a97bb0f1c9567565877e3f682df3449cb786d2ac168143dd8b8373c2c71955dc2881857dfb24cbcc9

Download Submit
\Users\Admin\AppData\Local\Temp\natu.html.dll
MD5
22183f212d88c36f26d99a6b4a1fd336

SHA1
0c832c3517dc35df8e438d5b46d67f0231965d15

SHA256
359fae17b7c6b8c156c2030141189e5752f45fcaa91e9c649c99bbd3e220b19b

SHA512
5e444cbf5d9ea5820e611ac2288265763b0061f430532d8a97bb0f1c9567565877e3f682df3449cb786d2ac168143dd8b8373c2c71955dc2881857dfb24cbcc9

Download Submit
memory/628-78-0x0000000000000000-mapping.dmp

Download
memory/832-74-0x0000000000000000-mapping.dmp

Download
memory/832-79-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/964-64-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/964-62-0x0000000074531000-0x0000000074533000-memory.dmp

Filesize
8KB

Download
memory/1112-63-0x0000000000000000-mapping.dmp

Download
memory/1476-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1476-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1476-58-0x0000000000290000-0x00000000002B1000-memory.dmp

Filesize
132KB

Download
memory/1476-56-0x0000000000340000-0x00000000003DC000-memory.dmp

Filesize
624KB

Download
memory/1476-55-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1476-54-0x0000000000000000-mapping.dmp

Download
memory/1680-77-0x0000000000000000-mapping.dmp

Download
memory/1784-71-0x00000000004D0000-0x000000000056C000-memory.dmp

Filesize
624KB

Download
memory/1784-73-0x0000000000940000-0x0000000000961000-memory.dmp

Filesize
132KB

Download
memory/1784-72-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1784-68-0x0000000000000000-mapping.dmp

Download
memory/1792-66-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

Filesize
8KB

Download
memory/1792-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads