qakbot | 31115320c06d44714df32b4c26f33a8e14396f97ad46433cd30ec3eee01b2750

General

Target

450184.dll
Size

131KB
MD5

9ce1e32e3d046f8d48fdd17f49d7a3da
SHA1

e0cd269248501022f9cf8cd31b678e039cb029d1
SHA256

31115320c06d44714df32b4c26f33a8e14396f97ad46433cd30ec3eee01b2750
SHA512

6c8d0bce56f282d235df8715d5d46ff1e020f8293ce3e1b0053515a6d6527e97a626d5395273a7d2fb251717cae840dc99878794a42f2964db7cbafd66e29232

Score

10^/10

qakbot domain01 1632765151 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

domain01

Campaign

1632765151

C2

173.21.10.71:2222

67.165.206.193:993

37.210.152.224:995

68.204.7.158:443

89.101.97.139:443

47.22.148.6:443

120.151.47.189:443

47.40.196.233:2222

24.229.150.54:995

81.250.153.227:2222

76.25.142.196:443

71.74.12.34:443

181.118.183.94:443

24.55.112.61:443

24.139.72.117:443

120.150.218.241:995

185.250.148.74:443

109.12.111.14:443

140.82.49.12:443

177.130.82.197:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

432 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3836 schtasks.exe

pid	process
432	regsvr32.exe

pid	process
3836	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\ac389053 = 9b21379690a911d02149a5d1035f9f3211f8c46e3e800d7a9cf004998551f3b2e8c2ae895545e25239c77545c1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\99a7401d = 6d356f13225111a856d8ad948c6f7c114218	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\e6ee2feb = 64e09371f856c9f232abe21b612b1e87653d701b3941e16e97af3af8b28c68f465e5ad6ee204c1e63d520b0f905414cd3b62237e4b553762555daf7c6499db899e10facd3ffc8c69f535281656f8505796fe7044ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\d130dfd9 = 79ba0f2ac78353c1c70a71b5566c1dd13f33ebf295559523a69b0612705e295582d58f566104edb25e101a3fcc683cf7f9a5ddcf65871b4e0365ff5593f737dc03e621d9ddffddafbf8d793e4b5a7edd1e05349c17	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\1484f736 = c8b867607d56d264527aa38bd9f968b7cfb31b780d53696b238e41cc1197814082effbec9c81bbc3e09c2ab70590	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\6bcd98c0 = 03abfe96fd0d49379aa9cc3dea3af65ee610b0256f7c6562a48c5ca55631da702b73a88c4df12dc1efe5f803430062435c258fc9085c84ce63e6396cdc2a77fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\e6ee2feb = 64e08471f856fcf21f1733ebb874922cb9697782bdc34f2668d1d2a5e9900c180cdd52e9305411ad2e827cb4d6b1eed3ff94de14749b537fd441a4a40ac92542c78fdb4ee53a0df4f83277cd345636e962441a6f9349a68ef7d2758a213eb6d28a52b473834f6189f791	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\d371ffa5 = e51e7ebd028dc72c68ad935eb4e9f83836092c726e6eed71fccf711d11d728b373d3774736da2c0894ed4fb1741ef2366887ab4732103015a39f6fd24ed83c5a21e6ae1ad49576b8703b5067e70902c81e2231d4df70c8eb2d12bf76ffceba0964394edec64dccd72c0e06	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ndzylsmrtvnivo\698cb8bc = b4a03ebfe340e021f057a22fb1033a006c4b59d5ddc80f74	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2412 regsvr32.exe
2412 regsvr32.exe
432 regsvr32.exe
432 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2412 regsvr32.exe
432 regsvr32.exe

pid	process
2412	regsvr32.exe
2412	regsvr32.exe
432	regsvr32.exe
432	regsvr32.exe

pid	process
2412	regsvr32.exe
432	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1324 wrote to memory of 2412	1324	regsvr32.exe	regsvr32.exe
PID 1324 wrote to memory of 2412	1324	regsvr32.exe	regsvr32.exe
PID 1324 wrote to memory of 2412	1324	regsvr32.exe	regsvr32.exe
PID 2412 wrote to memory of 2784	2412	regsvr32.exe	explorer.exe
PID 2412 wrote to memory of 2784	2412	regsvr32.exe	explorer.exe
PID 2412 wrote to memory of 2784	2412	regsvr32.exe	explorer.exe
PID 2412 wrote to memory of 2784	2412	regsvr32.exe	explorer.exe
PID 2412 wrote to memory of 2784	2412	regsvr32.exe	explorer.exe
PID 2784 wrote to memory of 3836	2784	explorer.exe	schtasks.exe
PID 2784 wrote to memory of 3836	2784	explorer.exe	schtasks.exe
PID 2784 wrote to memory of 3836	2784	explorer.exe	schtasks.exe
PID 1032 wrote to memory of 432	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 432	1032	regsvr32.exe	regsvr32.exe
PID 1032 wrote to memory of 432	1032	regsvr32.exe	regsvr32.exe
PID 432 wrote to memory of 604	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 604	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 604	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 604	432	regsvr32.exe	explorer.exe
PID 432 wrote to memory of 604	432	regsvr32.exe	explorer.exe
PID 604 wrote to memory of 2460	604	explorer.exe	reg.exe
PID 604 wrote to memory of 2460	604	explorer.exe	reg.exe
PID 604 wrote to memory of 1300	604	explorer.exe	reg.exe
PID 604 wrote to memory of 1300	604	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\450184.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\450184.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ejgdbzkrd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\450184.dll\"" /SC ONCE /Z /ST 00:21 /ET 00:33
4⤵
- Creates scheduled task(s)
PID:3836

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\450184.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\450184.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Fuipjbooxh" /d "0"
4⤵
PID:2460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Shukmjcpla" /d "0"
4⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\450184.dll
MD5
9ce1e32e3d046f8d48fdd17f49d7a3da

SHA1
e0cd269248501022f9cf8cd31b678e039cb029d1

SHA256
31115320c06d44714df32b4c26f33a8e14396f97ad46433cd30ec3eee01b2750

SHA512
6c8d0bce56f282d235df8715d5d46ff1e020f8293ce3e1b0053515a6d6527e97a626d5395273a7d2fb251717cae840dc99878794a42f2964db7cbafd66e29232

Download Submit
\Users\Admin\AppData\Local\Temp\450184.dll
MD5
9ce1e32e3d046f8d48fdd17f49d7a3da

SHA1
e0cd269248501022f9cf8cd31b678e039cb029d1

SHA256
31115320c06d44714df32b4c26f33a8e14396f97ad46433cd30ec3eee01b2750

SHA512
6c8d0bce56f282d235df8715d5d46ff1e020f8293ce3e1b0053515a6d6527e97a626d5395273a7d2fb251717cae840dc99878794a42f2964db7cbafd66e29232

Download Submit
memory/432-122-0x0000000000000000-mapping.dmp

Download
memory/604-124-0x0000000000000000-mapping.dmp

Download
memory/604-127-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/604-128-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/604-129-0x0000000003600000-0x0000000003621000-memory.dmp

Filesize
132KB

Download
memory/1300-126-0x0000000000000000-mapping.dmp

Download
memory/2412-115-0x0000000000000000-mapping.dmp

Download
memory/2460-125-0x0000000000000000-mapping.dmp

Download
memory/2784-119-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2784-120-0x0000000000E80000-0x0000000000EA1000-memory.dmp

Filesize
132KB

Download
memory/2784-118-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2784-116-0x0000000000000000-mapping.dmp

Download
memory/3836-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads