44490.6705313657.dat

max time kernel141s
max time network122s
platformwindows7_x64
resourcewin7-en-20210920
submitted21-10-2021 16:56

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

44490.6705313657.dat.dll

Filesize

534KB

Completed

21-10-2021 16:59

Score

10^/10

MD5

f0be8564345b34916f8b78001baf717d

SHA1

b0dd2e978c6504df6b08b6e8566af8cde0ae8f4f

SHA256

834de7884888e755f1f99061d4c019cfad3bfab15eda47b5d5e7b3f0755dee59

Extracted

Family	qakbot
Version	402.363
Botnet	biden54
Campaign	1634802135
C2	81.250.153.227:2222 120.150.218.241:995 76.25.142.196:443 63.143.92.99:995 89.101.97.139:443 136.143.11.232:443 81.213.59.22:443 136.232.34.70:443 140.82.49.12:443 37.208.181.198:61200 78.191.24.189:995 216.201.162.158:443 197.89.144.102:443 89.137.52.44:443 182.176.180.73:443 173.21.10.71:2222 117.198.156.56:443 196.207.140.40:995 103.142.10.177:443 24.231.209.2:6881 27.223.92.142:995 96.246.158.154:995 71.74.12.34:443 24.231.209.2:2222 75.188.35.168:443 209.210.95.228:995 73.151.236.31:443 220.255.25.187:2222 187.156.134.254:443 41.235.69.115:443 189.175.219.53:80 108.4.67.252:443 209.210.95.228:993 67.165.206.193:993 173.25.162.221:443 100.1.119.41:443 93.48.58.123:2222 65.100.174.110:443 201.137.10.225:443 24.229.150.54:995 146.66.238.74:443 68.204.7.158:443 37.208.181.198:443 41.86.42.158:995 189.135.16.92:443 187.75.66.160:995 72.173.78.211:443 37.117.191.19:2222 94.200.181.154:443 109.12.111.14:443 96.37.113.36:993 45.46.53.140:2222 103.150.40.76:995 24.231.209.2:2083 181.4.53.6:465 2.222.167.138:443 86.220.112.26:2222 24.152.219.253:995 181.118.183.94:443 37.210.155.239:995 129.208.147.188:995 105.198.236.99:995 50.194.160.233:32100 50.194.160.233:465 189.146.41.71:443 24.55.112.61:443 38.70.253.226:2222 72.252.201.69:995 78.105.213.151:995 103.143.8.71:443 109.40.1.4:443 187.149.227.40:443 91.178.126.51:995 81.241.252.59:2078 65.100.174.110:995 39.49.4.147:995 24.139.72.117:443 106.193.223.126:443 86.8.177.143:443 24.119.214.7:443 209.210.95.228:443 78.71.154.58:2222 47.151.181.188:443 78.71.167.243:2222 117.215.230.90:443 174.54.193.186:443 72.27.84.16:995 39.52.224.154:995 188.54.167.41:443 49.206.29.127:443 103.133.200.139:443 98.203.26.168:443 199.27.127.129:443 208.78.220.143:443 47.40.196.233:2222 86.152.43.219:443 201.111.144.72:443 2.237.74.121:2222 115.96.64.9:995 73.52.50.32:443 162.210.220.137:443 103.170.110.191:995 103.170.110.191:465 103.82.211.39:990 31.166.234.68:443 111.91.87.187:995 103.82.211.39:995 174.76.17.43:443 213.60.210.85:443 203.175.72.19:995 167.248.117.81:443 41.228.22.180:443 116.193.136.10:443 122.179.158.212:443 103.148.120.144:443 103.82.211.39:993 117.202.161.73:2222 65.100.174.110:8443 65.100.174.110:6881 69.30.186.190:443 190.117.91.214:443 39.40.37.70:32100 187.172.17.193:443 80.6.192.58:443 68.186.192.69:443 122.60.71.201:995 173.22.178.66:443 2.221.12.60:443 201.68.60.118:995 50.194.160.233:995 65.100.174.110:32103 123.201.44.86:6881 177.76.251.27:995 67.230.44.194:443 109.200.192.84:443 73.230.205.91:443 189.252.201.83:32101 136.232.254.46:443 95.159.33.115:995 115.96.62.113:443 85.60.147.26:2078 75.131.217.182:443 85.60.147.26:2222 129.35.116.77:990 81.250.153.227:2222 120.150.218.241:995 76.25.142.196:443 63.143.92.99:995 89.101.97.139:443 136.143.11.232:443 81.213.59.22:443 136.232.34.70:443 140.82.49.12:443 37.208.181.198:61200 78.191.24.189:995 216.201.162.158:443 197.89.144.102:443 89.137.52.44:443 182.176.180.73:443 173.21.10.71:2222 117.198.156.56:443 196.207.140.40:995 103.142.10.177:443 24.231.209.2:6881 27.223.92.142:995 96.246.158.154:995 71.74.12.34:443 24.231.209.2:2222 75.188.35.168:443 209.210.95.228:995 73.151.236.31:443 220.255.25.187:2222 187.156.134.254:443 41.235.69.115:443 189.175.219.53:80 108.4.67.252:443 209.210.95.228:993 67.165.206.193:993 173.25.162.221:443 100.1.119.41:443 93.48.58.123:2222 65.100.174.110:443 201.137.10.225:443 24.229.150.54:995 146.66.238.74:443 68.204.7.158:443 37.208.181.198:443 41.86.42.158:995 189.135.16.92:443 187.75.66.160:995 72.173.78.211:443 37.117.191.19:2222 94.200.181.154:443 109.12.111.14:443 96.37.113.36:993 45.46.53.140:2222 103.150.40.76:995 24.231.209.2:2083 181.4.53.6:465 2.222.167.138:443 86.220.112.26:2222 24.152.219.253:995 181.118.183.94:443 37.210.155.239:995 129.208.147.188:995 105.198.236.99:995 50.194.160.233:32100 50.194.160.233:465 189.146.41.71:443 24.55.112.61:443 38.70.253.226:2222 72.252.201.69:995 78.105.213.151:995 103.143.8.71:443 109.40.1.4:443 187.149.227.40:443 91.178.126.51:995 81.241.252.59:2078 65.100.174.110:995 39.49.4.147:995 24.139.72.117:443 106.193.223.126:443 86.8.177.143:443 24.119.214.7:443 209.210.95.228:443 78.71.154.58:2222 47.151.181.188:443 78.71.167.243:2222 117.215.230.90:443 174.54.193.186:443 72.27.84.16:995 39.52.224.154:995 188.54.167.41:443 49.206.29.127:443 103.133.200.139:443 98.203.26.168:443 199.27.127.129:443 208.78.220.143:443 47.40.196.233:2222 86.152.43.219:443 201.111.144.72:443 2.237.74.121:2222 115.96.64.9:995 73.52.50.32:443 162.210.220.137:443 103.170.110.191:995 103.170.110.191:465 103.82.211.39:990 31.166.234.68:443 111.91.87.187:995 103.82.211.39:995 174.76.17.43:443 213.60.210.85:443 203.175.72.19:995 167.248.117.81:443 41.228.22.180:443 116.193.136.10:443 122.179.158.212:443 103.148.120.144:443 103.82.211.39:993 117.202.161.73:2222 65.100.174.110:8443 65.100.174.110:6881 69.30.186.190:443 190.117.91.214:443 39.40.37.70:32100 187.172.17.193:443 80.6.192.58:443 68.186.192.69:443 122.60.71.201:995 173.22.178.66:443 2.221.12.60:443 201.68.60.118:995 50.194.160.233:995 65.100.174.110:32103 123.201.44.86:6881 177.76.251.27:995 67.230.44.194:443 109.200.192.84:443 73.230.205.91:443 189.252.201.83:32101 136.232.254.46:443 95.159.33.115:995 115.96.62.113:443 85.60.147.26:2078 75.131.217.182:443 85.60.147.26:2222 129.35.116.77:990
Attributes	salt jHxastDcds)oMc=jvh7wdUhxcsdt2

Defense Evasion

Persistence

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Loads dropped DLL
regsvr32.exe

Reported IOCs

pid process

1172 regsvr32.exe
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

1752 schtasks.exe

pid	process
1172	regsvr32.exe

pid	process
1752	schtasks.exe

Modifies data under HKEY_USERS

explorer.exe

Reported IOCs

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\e862f67c = d74cd4340932eac802d793fbcbb697f32dd8580023a847574945855e531190d48b5241e1a91b5578c163439be5f33f5791a6fb6bd74309c286681d54661a82bcb8e5f072706c93e472e875fcf6b71357a0c85fd1ca7bcf474f4c3fc2fa0a106e5a475262112d07280822d0eb2e111c69f5f2d8bb08fef591de5fbea9899aa8ad1a27586e80	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\ea23d600 = 50626a636ec039e81853651ddb0a78262d34b9bca9a1259769850bfb1886	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\972b998a = 43075ab474c129f1a49f6f6437065baf0c6a3987556e31b446834844a1ce31191af03cda6f419bb436a9bc72f50dd68e0f464c357a86a4eb07368bcfffa86a18a737f71319a747fd60e5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\a2b449c4 = 8e99ab1ee97a6009bf9e62ea3340aba65a43b29ee303b1d15598d1c0571c9c7ee0ce409db3eab173925db5b790f6bc92bdb9fdf81f1a5fc4d1f31d6260774f7b1ee8fc673637	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\ddfd2632 = 1534d6d92488f07650f94dd7bab7f4e0126ce66f7dfcbef9b093e84ae7e142caa1958705a0f90d950a3ec68912344ee35eb04fafd07f42c77ed78410e98b9c05aa7cd8dc510946361c10c8afb5736362c0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\ddfd2632 = 1534c1d92488c5c38b9c901f2de39bfb8434c3b63ef63b0056cbac877312388c0edc13b5a2fbe40d054b250dc23b5bfbfaa63bf65711baa1f6cc8b8f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\529fb165 = 0424030d251336436b3c49562a8938a19996e1ba57b14138444a8906c78011fa4b2e5f42736723740fde6648eb6f2d70ff9fe5b53216	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\2f97feef = 4040acefb1ecf7f4dc29dc5d7a29feef8e8c6d9f5df70c0476eec8b9e92df7f5a8d2adb42df1c3da5049d66ad5d8523834a7ebf4cc6a73e12cabc6770c13d6c01c44a79841f45720c0b49c8b682565f00b1076bb13f3d7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ddnbkoleaioiu\50de9119 = aee7a3289a4a0bbf62742cb55f5df1fbc244c000eb8909fc951c52fb5639a7df9b6ff0561a08fa5dd76ea81f4998c807629465bebed2e7d42153710e650cce031d39d6c751120db65923f5b612cc4b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ddnbkoleaioiu	explorer.exe

Suspicious behavior: EnumeratesProcesses
rundll32.exeregsvr32.exe

Reported IOCs

pid process

1684 rundll32.exe
1172 regsvr32.exe
Suspicious behavior: MapViewOfSection
rundll32.exeregsvr32.exe

Reported IOCs

pid process

1684 rundll32.exe
1172 regsvr32.exe

pid	process
1684	rundll32.exe
1172	regsvr32.exe

pid	process
1684	rundll32.exe
1172	regsvr32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

Reported IOCs

description	pid	process	target process
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 1684	1580	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 1684 wrote to memory of 632	1684	rundll32.exe	explorer.exe
PID 632 wrote to memory of 1752	632	explorer.exe	schtasks.exe
PID 632 wrote to memory of 1752	632	explorer.exe	schtasks.exe
PID 632 wrote to memory of 1752	632	explorer.exe	schtasks.exe
PID 632 wrote to memory of 1752	632	explorer.exe	schtasks.exe
PID 948 wrote to memory of 1496	948	taskeng.exe	regsvr32.exe
PID 948 wrote to memory of 1496	948	taskeng.exe	regsvr32.exe
PID 948 wrote to memory of 1496	948	taskeng.exe	regsvr32.exe
PID 948 wrote to memory of 1496	948	taskeng.exe	regsvr32.exe
PID 948 wrote to memory of 1496	948	taskeng.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1496 wrote to memory of 1172	1496	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 1068	1172	regsvr32.exe	explorer.exe
PID 1068 wrote to memory of 1912	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1912	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1912	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1912	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1736	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1736	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1736	1068	explorer.exe	reg.exe
PID 1068 wrote to memory of 1736	1068	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll,#1

Suspicious use of WriteProcessMemory

PID:1580

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll,#1

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:1684

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:632

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ommezbwxo /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll\"" /SC ONCE /Z /ST 16:55 /ET 17:07

Creates scheduled task(s)

PID:1752

C:\Windows\system32\taskeng.exe

taskeng.exe {083B6C36-47A3-4371-A724-4B42B4DE57DD} S-1-5-18:NT AUTHORITY\System:Service:

Suspicious use of WriteProcessMemory

PID:948

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll"

Suspicious use of WriteProcessMemory

PID:1496

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll"

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:1172

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

PID:1068

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Iaoykqiic" /d "0"

PID:1912

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Aeyabbwukvfk" /d "0"

PID:1736

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll
MD5
f0be8564345b34916f8b78001baf717d

SHA1
b0dd2e978c6504df6b08b6e8566af8cde0ae8f4f

SHA256
834de7884888e755f1f99061d4c019cfad3bfab15eda47b5d5e7b3f0755dee59

SHA512
2d492277f7efe3277acfa7d325a2952896db812a6d39c03f5cf483a5901782a489c6aae347b516aa552accec1be32af119d473e60cc95ecc05d36e18563af3b1

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\44490.6705313657.dat.dll
MD5
f0be8564345b34916f8b78001baf717d

SHA1
b0dd2e978c6504df6b08b6e8566af8cde0ae8f4f

SHA256
834de7884888e755f1f99061d4c019cfad3bfab15eda47b5d5e7b3f0755dee59

SHA512
2d492277f7efe3277acfa7d325a2952896db812a6d39c03f5cf483a5901782a489c6aae347b516aa552accec1be32af119d473e60cc95ecc05d36e18563af3b1

Download Submit
memory/632-61-0x0000000074EF1000-0x0000000074EF3000-memory.dmp

Download
memory/632-58-0x00000000000F0000-0x00000000000F2000-memory.dmp

Download
memory/632-59-0x0000000000000000-mapping.dmp

Download
memory/632-62-0x0000000000080000-0x00000000000A1000-memory.dmp

Download
memory/1068-78-0x0000000000080000-0x00000000000A1000-memory.dmp

Download
memory/1068-73-0x0000000000000000-mapping.dmp

Download
memory/1172-71-0x0000000010000000-0x0000000014595000-memory.dmp

Download
memory/1172-67-0x0000000000000000-mapping.dmp

Download
memory/1172-70-0x0000000000C20000-0x0000000005163000-memory.dmp

Download
memory/1496-64-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Download
memory/1684-54-0x0000000000000000-mapping.dmp

Download
memory/1684-57-0x0000000010000000-0x0000000014595000-memory.dmp

Download
memory/1684-56-0x0000000001DA0000-0x00000000062E3000-memory.dmp

Download
memory/1684-55-0x00000000765A1000-0x00000000765A3000-memory.dmp

Download
memory/1736-79-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1912-77-0x0000000000000000-mapping.dmp

Download

44490.6705313657.dat

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title