qakbot | d2157bd2deee9de3b537377329ec18a466c28cd9a8a4bbe165fa1f1527e7d103

General

Target

13d0184.dll
Size

131KB
MD5

5232d30313fb4c1960bb72a0d2941848
SHA1

08141f2115bcde3ae0568ec921c78e14d0a9deeb
SHA256

d2157bd2deee9de3b537377329ec18a466c28cd9a8a4bbe165fa1f1527e7d103
SHA512

64ba67c903c58055ea5ff8a46f3883839ee2e1271b67cf3226b861b09b3140ed98880bf26dec4982c604e3ff8dcba756d16a9ff7801704759fa0c1ec76c63287

Score

10^/10

qakbot domain01 1632765151 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

domain01

Campaign

1632765151

C2

173.21.10.71:2222

67.165.206.193:993

37.210.152.224:995

68.204.7.158:443

89.101.97.139:443

47.22.148.6:443

120.151.47.189:443

47.40.196.233:2222

24.229.150.54:995

81.250.153.227:2222

76.25.142.196:443

71.74.12.34:443

181.118.183.94:443

24.55.112.61:443

24.139.72.117:443

120.150.218.241:995

185.250.148.74:443

109.12.111.14:443

140.82.49.12:443

177.130.82.197:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3052 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

660 schtasks.exe

pid	process
3052	regsvr32.exe

pid	process
660	schtasks.exe

Modifies data under HKEY_USERS 11 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\9a685769 = dd0b8d1d2c766a8557a26dc9a9028d07a6bc30c9a317763a76a08b3ab93548349ae1e081ce403f53cbbb2b8a3dc44d82	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\22d4300c = 7134c00be7e81c7a574cd535dd95d054fa41a7b9d6901d6b5132cd4ae59c18c7247fc6ddb7985ac655679af7dfc343d1ec2f5a671b964a967a8a41e11c86b680d094ad68541080aba5800fca5b8eb39e611609560642	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\174be042 = fd6b6891ac6d458b1e56df54c4faf6ac88d75b5713395135cb6c0c1183f398766574962e7295dcbd681c7fcc60616249001da54a0756ba20eeac0954a573070e253a28ad32a12ad93256f05001ae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\e521389f = 9bdbc3d4a676a4a08920c861e1c293cc0001b11b30a01abbce2a6e2f96e03f77c037c62cba14825a5bb17f565165d74a436d3df4557d3b75075c1ba11e3c2e55dc65eb7aec5e9a57c2104bcea536ea70f8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\68028fb4 = 1fd6811a7278a137566052b933e4d9c4d8e204a8adcee936f01bb9c72058d0220a474025fa767feac8a1dee5fea0dff4b0462e0babaf940f99353d02ae1cc2c9081df87cbf2917f2c2de33b8ea4c4277bf2cb2a7786244b4a5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\68028fb4 = 1fd6811a7278a137566052b933e4d9c4d8e204a8adcee936f112b8c72058d0220a474025fa767feac8a1dee5fea0dff4b0462e0babaf940f99353d02ae1cc2c9081df87cbf2917f2c2de33b8ea4c4277bf2cb2a7786244b4a5	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\68028fb4 = 1fd6961a7278943fdcdade7ae11e223e532849cacc2b15d7e06238e7fe14eea096d9bc385627828f4393dcdd289c7c49b049228e61e3f4c17acf4fd27c6a3b5a71d62b4f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\5d9d5ffa = e26dce18b880ea1b19e79d3353d4e71fa18a9f1462e96af9c9e7c531c48e8919c7113a9caa65f533b37f2af0bb4d3419ab570926a0a39c3178b906a97719657f407bb12343127d71f9bf809cb64d39e35c59f6e5d60eb03ce917f6cf26dc3f3758fa0988e660f380c63ccf22818d84a3cd2f21de0a19b36649bf990abe8b1697ee431cdf8bcd1c25c2cec104d10d4cb21c82f5a42b956b945b3606	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\5fdc7f86 = 69673cdecddfad60d1eca40845ac67bd4724efeb48d2b1087ba7ad60f9e8566d14362c4f97192730c1eebab4ce7ddcf499720a85a8dd057f11a5a105d2d0d2f7b108a935a856cfa7dac68d53905df34da42310bd538894844d382210f673907d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ukjuiabpb\e76018e3 = 1bb2e70576482a699f644dd05b3e6a9faa7cbb92dcb251d6ef31174c2cacc9d4461b1922047e36	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3264 regsvr32.exe
3264 regsvr32.exe
3052 regsvr32.exe
3052 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3264 regsvr32.exe
3052 regsvr32.exe

pid	process
3264	regsvr32.exe
3264	regsvr32.exe
3052	regsvr32.exe
3052	regsvr32.exe

pid	process
3264	regsvr32.exe
3052	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1968 wrote to memory of 3264	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 3264	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 3264	1968	regsvr32.exe	regsvr32.exe
PID 3264 wrote to memory of 1256	3264	regsvr32.exe	explorer.exe
PID 3264 wrote to memory of 1256	3264	regsvr32.exe	explorer.exe
PID 3264 wrote to memory of 1256	3264	regsvr32.exe	explorer.exe
PID 3264 wrote to memory of 1256	3264	regsvr32.exe	explorer.exe
PID 3264 wrote to memory of 1256	3264	regsvr32.exe	explorer.exe
PID 1256 wrote to memory of 660	1256	explorer.exe	schtasks.exe
PID 1256 wrote to memory of 660	1256	explorer.exe	schtasks.exe
PID 1256 wrote to memory of 660	1256	explorer.exe	schtasks.exe
PID 680 wrote to memory of 3052	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 3052	680	regsvr32.exe	regsvr32.exe
PID 680 wrote to memory of 3052	680	regsvr32.exe	regsvr32.exe
PID 3052 wrote to memory of 4060	3052	regsvr32.exe	explorer.exe
PID 3052 wrote to memory of 4060	3052	regsvr32.exe	explorer.exe
PID 3052 wrote to memory of 4060	3052	regsvr32.exe	explorer.exe
PID 3052 wrote to memory of 4060	3052	regsvr32.exe	explorer.exe
PID 3052 wrote to memory of 4060	3052	regsvr32.exe	explorer.exe
PID 4060 wrote to memory of 3324	4060	explorer.exe	reg.exe
PID 4060 wrote to memory of 3324	4060	explorer.exe	reg.exe
PID 4060 wrote to memory of 1984	4060	explorer.exe	reg.exe
PID 4060 wrote to memory of 1984	4060	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d0184.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\13d0184.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oxvkzxhii /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\13d0184.dll\"" /SC ONCE /Z /ST 05:10 /ET 05:22
4⤵
- Creates scheduled task(s)
PID:660

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\13d0184.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\13d0184.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Acryt" /d "0"
4⤵
PID:3324

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eolrm" /d "0"
4⤵
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13d0184.dll
MD5
5232d30313fb4c1960bb72a0d2941848

SHA1
08141f2115bcde3ae0568ec921c78e14d0a9deeb

SHA256
d2157bd2deee9de3b537377329ec18a466c28cd9a8a4bbe165fa1f1527e7d103

SHA512
64ba67c903c58055ea5ff8a46f3883839ee2e1271b67cf3226b861b09b3140ed98880bf26dec4982c604e3ff8dcba756d16a9ff7801704759fa0c1ec76c63287

Download Submit
\Users\Admin\AppData\Local\Temp\13d0184.dll
MD5
5232d30313fb4c1960bb72a0d2941848

SHA1
08141f2115bcde3ae0568ec921c78e14d0a9deeb

SHA256
d2157bd2deee9de3b537377329ec18a466c28cd9a8a4bbe165fa1f1527e7d103

SHA512
64ba67c903c58055ea5ff8a46f3883839ee2e1271b67cf3226b861b09b3140ed98880bf26dec4982c604e3ff8dcba756d16a9ff7801704759fa0c1ec76c63287

Download Submit
memory/660-118-0x0000000000000000-mapping.dmp

Download
memory/1256-119-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/1256-120-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/1256-117-0x00000000034D0000-0x00000000034F1000-memory.dmp

Filesize
132KB

Download
memory/1256-116-0x0000000000000000-mapping.dmp

Download
memory/1984-126-0x0000000000000000-mapping.dmp

Download
memory/3052-122-0x0000000000000000-mapping.dmp

Download
memory/3264-115-0x0000000000000000-mapping.dmp

Download
memory/3324-125-0x0000000000000000-mapping.dmp

Download
memory/4060-124-0x0000000000000000-mapping.dmp

Download
memory/4060-127-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4060-128-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4060-129-0x00000000004C0000-0x00000000004E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads