qakbot | 44009f70509b1383eb8ffa0ad2a965fe45f1f2ccd9405872e750bfab8988582b

General

Target

test1.test.dll
Size

612KB
MD5

e09e508743525c5bc7cd8e9f7790fbf5
SHA1

b83584d6b3b6cd679c188b8e7aad8706ab5f102e
SHA256

44009f70509b1383eb8ffa0ad2a965fe45f1f2ccd9405872e750bfab8988582b
SHA512

18a90729df14d228e8e503a2462085d714b521caec273eb7197f6972a32cd611ff4199e0a55b43443d7bba35ac99f8ae1c1027a663d86b9d7731496b7c203a88

Score

10^/10

qakbot tr 1633943125 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633943125

C2

140.82.49.12:443

89.137.52.44:443

24.107.165.50:443

66.216.193.114:443

75.131.217.182:443

41.86.42.158:995

24.119.214.7:443

67.166.233.75:443

105.198.236.99:443

120.151.47.189:443

2.222.167.138:443

41.228.22.180:443

78.105.213.151:995

5.193.125.67:995

41.86.42.158:443

96.57.188.174:2078

120.150.218.241:995

66.177.215.152:0

122.11.220.212:2222

73.52.50.32:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

432 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe

pid	process
432	regsvr32.exe

pid	process
1964	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\942c7029 = c5c86ac382176b297144c81f134bcf9e7f22e3756b46f6a1ae74f70ce480ee100afeaa42c12b94a1cc2b6e36e61ce14b913e0a59b1f69c5c8ba91e7d2d9da9d925ea35468f07fe6f09c876153e2d49a5cc4b05696a4cec98e2c12154d447d2e215f067a469b2ef0d9fb0b4ac0e4d92e79446a3dfc634efa8ade1c76d794e637521040b16765138ee1cd395df51855f7e368f9d47ae8d29d9500f2010e97084a1292f152dbf7cef08125757657a8ea81febe37f309ee697ebbae925f4595457	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\2ed13730 = de5a73e916ba9a4a03169a2ca70ee28993371ca643d9e04a512d4fd9c16bbd50cd8e9250ad91e9ac9e49d3c69a967b33f2bc830d5ce89dd3df5ce4a73fb5b8b95ba27333746b00e7e41edba3ee3ccf21cc94	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\a1b3a067 = c2b87402594fcdf1d23a959cc601bc6d0ab1096ecaed7b151fdc4e12bafa0540d2b7b85fbf2ee9615fffde546a749535d03c56af5db0e2d85149161c12bbaf8de77c4e9bffdc52ebba4419cd380d38cac08cbc95da087422b55f21e4e0d4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Lgmmjopmvayero	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\a1b3a067 = c2b86302594ff84341a8661d0f6acba69a7f55e3f68ff17ca1eac533dc0d87e58f69935693ae7e7076d3f51f2f1611f39fe91769eabdcd03c94fb38bd2c4a9e776d5de01d9b45a0353	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\966d5055 = b3575fe39d2f815146ab1bf182531af74276e3f7e80accb7e6bac2bd187f86b69c0ae0c6139437d35a4f1ab59fdfd1ff404d92df8fd73990b661db29fb8bbcb183fa91bc481a5cd8d56d0972764ff8f365297459445c7bf8b1d5f089ce762e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\53d978ba = 58177319dc419434c91cb4a406330af92cb756b29b2cb63ec0e30d3b2f66bf6722bc0be719fad3a303ff733d7e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\eb651fdf = f0c2f363e7cf325ae43af8d1b4edc085b29bed4704dc6a9329985ca801677f27d5ccf0973ea720c32fcd91a991b9beba	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\2c90174c = af41c7331a12ce018ba44fc0a3eb769a9a94efd9b9f1ebeb7b9a850ef86a4394e489eb89be8d2dc21d81eb74b3b6aa7b2f4f98adf0a906a8ad9701343de7e843dea33771002ccc602ab5392d4ad05a1a5840	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Lgmmjopmvayero\defacf91 = 963ac454ee0e3a627cbd3909ab8e791e4774c0d1a6c5f5c1be35f4143d1215b573231ed4a90d74929281c37cda1115892644ea91e360c0223ce3fe64b2b8d353aae0cd70a2bf80b45fafaf28bcde3300fc0aeec2ae17d5153702211376c2594d	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1528 rundll32.exe
432 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1528 rundll32.exe
432 regsvr32.exe

pid	process
1528	rundll32.exe
432	regsvr32.exe

pid	process
1528	rundll32.exe
432	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1528	1080	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1528 wrote to memory of 1192	1528	rundll32.exe	explorer.exe
PID 1192 wrote to memory of 1964	1192	explorer.exe	schtasks.exe
PID 1192 wrote to memory of 1964	1192	explorer.exe	schtasks.exe
PID 1192 wrote to memory of 1964	1192	explorer.exe	schtasks.exe
PID 1192 wrote to memory of 1964	1192	explorer.exe	schtasks.exe
PID 1700 wrote to memory of 1656	1700	taskeng.exe	regsvr32.exe
PID 1700 wrote to memory of 1656	1700	taskeng.exe	regsvr32.exe
PID 1700 wrote to memory of 1656	1700	taskeng.exe	regsvr32.exe
PID 1700 wrote to memory of 1656	1700	taskeng.exe	regsvr32.exe
PID 1700 wrote to memory of 1656	1700	taskeng.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 1656 wrote to memory of 432	1656	regsvr32.exe	regsvr32.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 864	432	regsvr32.exe	explorer.exe
PID 864 wrote to memory of 1508	864	explorer.exe	reg.exe
PID 864 wrote to memory of 1508	864	explorer.exe	reg.exe
PID 864 wrote to memory of 1508	864	explorer.exe	reg.exe
PID 864 wrote to memory of 1508	864	explorer.exe	reg.exe
PID 864 wrote to memory of 900	864	explorer.exe	reg.exe
PID 864 wrote to memory of 900	864	explorer.exe	reg.exe
PID 864 wrote to memory of 900	864	explorer.exe	reg.exe
PID 864 wrote to memory of 900	864	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test1.test.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn thjkalvhl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test1.test.dll\"" /SC ONCE /Z /ST 16:10 /ET 16:22
4⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {402F6E81-5548-4330-AB08-87CC036C4648} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test1.test.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\test1.test.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zisoelqumejr" /d "0"
5⤵
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yfoireobkhk" /d "0"
5⤵
PID:900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test1.test.dll
MD5
e09e508743525c5bc7cd8e9f7790fbf5

SHA1
b83584d6b3b6cd679c188b8e7aad8706ab5f102e

SHA256
44009f70509b1383eb8ffa0ad2a965fe45f1f2ccd9405872e750bfab8988582b

SHA512
18a90729df14d228e8e503a2462085d714b521caec273eb7197f6972a32cd611ff4199e0a55b43443d7bba35ac99f8ae1c1027a663d86b9d7731496b7c203a88

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\test1.test.dll
MD5
e09e508743525c5bc7cd8e9f7790fbf5

SHA1
b83584d6b3b6cd679c188b8e7aad8706ab5f102e

SHA256
44009f70509b1383eb8ffa0ad2a965fe45f1f2ccd9405872e750bfab8988582b

SHA512
18a90729df14d228e8e503a2462085d714b521caec273eb7197f6972a32cd611ff4199e0a55b43443d7bba35ac99f8ae1c1027a663d86b9d7731496b7c203a88

Download Submit
memory/432-86-0x0000000000DD0000-0x0000000000DF1000-memory.dmp

Filesize
132KB

Download
memory/432-84-0x0000000000DD0000-0x0000000000DF1000-memory.dmp

Filesize
132KB

Download
memory/432-79-0x0000000000000000-mapping.dmp

Download
memory/432-88-0x0000000000DD0000-0x0000000000DF1000-memory.dmp

Filesize
132KB

Download
memory/432-87-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/432-82-0x0000000000410000-0x00000000004AC000-memory.dmp

Filesize
624KB

Download
memory/432-85-0x0000000000DD0000-0x0000000000DF1000-memory.dmp

Filesize
132KB

Download
memory/432-83-0x0000000000DD0000-0x0000000000DF1000-memory.dmp

Filesize
132KB

Download
memory/864-96-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/864-90-0x0000000000000000-mapping.dmp

Download
memory/900-95-0x0000000000000000-mapping.dmp

Download
memory/1192-71-0x0000000000000000-mapping.dmp

Download
memory/1192-73-0x0000000074161000-0x0000000074163000-memory.dmp

Filesize
8KB

Download
memory/1192-75-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1192-70-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1528-68-0x0000000000260000-0x0000000000285000-memory.dmp

Filesize
148KB

Download
memory/1528-69-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1528-60-0x0000000000000000-mapping.dmp

Download
memory/1528-66-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1528-67-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1528-64-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1528-65-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1528-63-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1528-62-0x0000000000820000-0x00000000008BC000-memory.dmp

Filesize
624KB

Download
memory/1528-61-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1656-77-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1656-76-0x0000000000000000-mapping.dmp

Download
memory/1964-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads