c71ac46fba2237c4a8f62a62ce687ce1

max time kernel140s
max time network124s
platformwindows10_x64
resourcewin10-en-20211014
submitted21-10-2021 19:19

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

c71ac46fba2237c4a8f62a62ce687ce1.dll

Filesize

890KB

Completed

21-10-2021 19:21

Score

10^/10

MD5

c71ac46fba2237c4a8f62a62ce687ce1

SHA1

da6f18d68a8224d84491dd7ab175c8e6588c4575

SHA256

7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

Extracted

Family	qakbot
Version	402.363
Botnet	biden54
Campaign	1634810637
C2	136.143.11.232:443 63.143.92.99:995 182.176.180.73:443 136.232.34.70:443 123.252.190.14:443 216.201.162.158:443 37.208.181.198:61200 140.82.49.12:443 197.89.144.102:443 89.137.52.44:443 109.12.111.14:443 78.191.24.189:995 105.198.236.99:995 196.207.140.40:995 41.235.69.115:443 2.222.167.138:443 117.198.156.56:443 24.231.209.2:6881 27.223.92.142:995 96.246.158.154:995 81.250.153.227:2222 120.150.218.241:995 76.25.142.196:443 89.101.97.139:443 81.213.59.22:443 173.21.10.71:2222 103.142.10.177:443 71.74.12.34:443 24.231.209.2:2222 75.188.35.168:443 209.210.95.228:995 73.151.236.31:443 220.255.25.187:2222 187.156.134.254:443 189.175.219.53:80 108.4.67.252:443 209.210.95.228:993 67.165.206.193:993 173.25.162.221:443 100.1.119.41:443 93.48.58.123:2222 65.100.174.110:443 201.137.10.225:443 24.229.150.54:995 146.66.238.74:443 68.204.7.158:443 37.208.181.198:443 41.86.42.158:995 189.135.16.92:443 187.75.66.160:995 72.173.78.211:443 37.117.191.19:2222 94.200.181.154:443 96.37.113.36:993 45.46.53.140:2222 103.150.40.76:995 24.231.209.2:2083 181.4.53.6:465 86.220.112.26:2222 24.152.219.253:995 181.118.183.94:443 37.210.155.239:995 188.50.43.248:995 50.194.160.233:32100 50.194.160.233:465 189.146.41.71:443 24.55.112.61:443 38.70.253.226:2222 72.252.201.69:995 188.221.250.72:995 103.143.8.71:443 109.40.1.4:443 187.149.227.40:443 91.178.126.51:995 81.241.252.59:2078 65.100.174.110:995 39.49.4.147:995 24.139.72.117:443 86.8.177.143:443 24.119.214.7:443 209.210.95.228:443 78.71.154.58:2222 47.151.181.188:443 78.71.167.243:2222 117.215.230.90:443 174.54.193.186:443 72.27.84.16:995 39.52.224.154:995 188.54.167.41:443 49.206.29.127:443 103.133.200.139:443 98.203.26.168:443 199.27.127.129:443 208.78.220.143:443 47.40.196.233:2222 86.152.43.219:443 201.111.144.72:443 2.237.74.121:2222 115.96.64.9:995 73.52.50.32:443 162.210.220.137:443 103.170.110.191:995 103.170.110.191:465 103.82.211.39:990 31.166.234.68:443 111.91.87.187:995 103.82.211.39:995 174.76.17.43:443 213.60.210.85:443 203.175.72.19:995 167.248.117.81:443 41.228.22.180:443 116.193.136.10:443 122.179.158.212:443 103.148.120.144:443 103.82.211.39:993 117.202.161.73:2222 65.100.174.110:8443 65.100.174.110:6881 69.30.186.190:443 190.117.91.214:443 39.40.37.70:32100 187.172.17.193:443 80.6.192.58:443 68.186.192.69:443 122.60.71.201:995 173.22.178.66:443 2.221.12.60:443 201.68.60.118:995 50.194.160.233:995 65.100.174.110:32103 123.201.44.86:6881 177.76.251.27:995 67.230.44.194:443 109.200.192.84:443 73.230.205.91:443 189.252.201.83:32101 136.232.254.46:443 95.159.33.115:995 115.96.62.113:443 85.60.147.26:2078 75.131.217.182:443 85.60.147.26:2222 129.35.116.77:990 136.143.11.232:443 63.143.92.99:995 182.176.180.73:443 136.232.34.70:443 123.252.190.14:443 216.201.162.158:443 37.208.181.198:61200 140.82.49.12:443 197.89.144.102:443 89.137.52.44:443 109.12.111.14:443 78.191.24.189:995 105.198.236.99:995 196.207.140.40:995 41.235.69.115:443 2.222.167.138:443 117.198.156.56:443 24.231.209.2:6881 27.223.92.142:995 96.246.158.154:995 81.250.153.227:2222 120.150.218.241:995 76.25.142.196:443 89.101.97.139:443 81.213.59.22:443 173.21.10.71:2222 103.142.10.177:443 71.74.12.34:443 24.231.209.2:2222 75.188.35.168:443 209.210.95.228:995 73.151.236.31:443 220.255.25.187:2222 187.156.134.254:443 189.175.219.53:80 108.4.67.252:443 209.210.95.228:993 67.165.206.193:993 173.25.162.221:443 100.1.119.41:443 93.48.58.123:2222 65.100.174.110:443 201.137.10.225:443 24.229.150.54:995 146.66.238.74:443 68.204.7.158:443 37.208.181.198:443 41.86.42.158:995 189.135.16.92:443 187.75.66.160:995 72.173.78.211:443 37.117.191.19:2222 94.200.181.154:443 96.37.113.36:993 45.46.53.140:2222 103.150.40.76:995 24.231.209.2:2083 181.4.53.6:465 86.220.112.26:2222 24.152.219.253:995 181.118.183.94:443 37.210.155.239:995 188.50.43.248:995 50.194.160.233:32100 50.194.160.233:465 189.146.41.71:443 24.55.112.61:443 38.70.253.226:2222 72.252.201.69:995 188.221.250.72:995 103.143.8.71:443 109.40.1.4:443 187.149.227.40:443 91.178.126.51:995 81.241.252.59:2078 65.100.174.110:995 39.49.4.147:995 24.139.72.117:443 86.8.177.143:443 24.119.214.7:443 209.210.95.228:443 78.71.154.58:2222 47.151.181.188:443 78.71.167.243:2222 117.215.230.90:443 174.54.193.186:443 72.27.84.16:995 39.52.224.154:995 188.54.167.41:443 49.206.29.127:443 103.133.200.139:443 98.203.26.168:443 199.27.127.129:443 208.78.220.143:443 47.40.196.233:2222 86.152.43.219:443 201.111.144.72:443 2.237.74.121:2222 115.96.64.9:995 73.52.50.32:443 162.210.220.137:443 103.170.110.191:995 103.170.110.191:465 103.82.211.39:990 31.166.234.68:443 111.91.87.187:995 103.82.211.39:995 174.76.17.43:443 213.60.210.85:443 203.175.72.19:995 167.248.117.81:443 41.228.22.180:443 116.193.136.10:443 122.179.158.212:443 103.148.120.144:443 103.82.211.39:993 117.202.161.73:2222 65.100.174.110:8443 65.100.174.110:6881 69.30.186.190:443 190.117.91.214:443 39.40.37.70:32100 187.172.17.193:443 80.6.192.58:443 68.186.192.69:443 122.60.71.201:995 173.22.178.66:443 2.221.12.60:443 201.68.60.118:995 50.194.160.233:995 65.100.174.110:32103 123.201.44.86:6881 177.76.251.27:995 67.230.44.194:443 109.200.192.84:443 73.230.205.91:443 189.252.201.83:32101 136.232.254.46:443 95.159.33.115:995 115.96.62.113:443 85.60.147.26:2078 75.131.217.182:443 85.60.147.26:2222 129.35.116.77:990
Attributes	salt jHxastDcds)oMc=jvh7wdUhxcsdt2

Defense Evasion

Persistence

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Loads dropped DLL
regsvr32.exe

Reported IOCs

pid process

2988 regsvr32.exe
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

3044 schtasks.exe

pid	process
2988	regsvr32.exe

pid	process
3044	schtasks.exe

Modifies data under HKEY_USERS

explorer.exe

Reported IOCs

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\4affb8e8 = 6b1ffeb938679b57a0fa255e1f96c9dba93b521ca8c7da77ca58abbab4bb3aec1758f0861e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\f243df8d = f47c34699efadf979e9eccbf6f9ede7a85f088035e25b5599f6c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\8f4b9007 = ec90d46c4cebf17fbabde6073bfa5164ca1be188c980b28647296802873436aff6f40e6474bf8430e7c753c8d496	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\7d2148da = 68b499cd7739de901ba26b0668a575b6842cd53cd6f4a3b4d3f31d4b893272c45626190373e173ebc7ad659e5c03de296058ccb8a682b19a2f29121f496861be78e4c34aa8f05db8a00cab2fc8012259cd77cafea6d6b7fc9e0ef003537c011f10144a3a2e8d7f0ce21d16564793cdd530d1787f5c28c8b50727bdb4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\7d2148da = 68b48ecd7739eb9cc2b280f8d5638a05f6180ce643c8c73ebe0c2bf3a4588a1d14b4f7cd79784f0bc707c503567f6fc0043409cd5bafb5cff208f09dbeb0fad73bafbbb465c0b71571b0ebb5677534b5536c118331791082b6fba27a6a78a1cdcfc78f98f28ec7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\48be9894 = 63c69c20338618d634879cf1fb0a77b5960b6e5cb6ec929e0ebde438aa58e9c2d664ffc235b53ac061ae0466a6c19d8cb1f5cad94906beb1463eaa4b2f95e98973a743505e6bd9b3ec6d9d85d3ff1e699abbafe20c68892d200ba843a665b39031c3008b94266f155ca2a758ae0f1c63931fe2c654fc229a0befc3485e11e03cb591e91aa56c8b9302a287bd3e22bf1fcebdb9198b2acf67d3cc323ad13441689900a5c55f1d5595	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\37f7f762 = 9ef369100f73143a1694fa39cd1df1b52f09c01ceda55d3e59a23e8e5e7f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\f002fff1 = 2d301a859661155b84ea3e5809341924ce9d48c4b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\268272c = a0afc64fac30d3a3e1f9e8b5fe65235b31fcae55ec0e504c910328812d2d5c7d0c6b0301c53a4d221b88d666fda0794e1d	explorer.exe

Suspicious behavior: EnumeratesProcesses
rundll32.exeregsvr32.exe

Reported IOCs

pid process

1308 rundll32.exe
1308 rundll32.exe
2988 regsvr32.exe
2988 regsvr32.exe
Suspicious behavior: MapViewOfSection
rundll32.exeregsvr32.exe

Reported IOCs

pid process

1308 rundll32.exe
2988 regsvr32.exe

pid	process
1308	rundll32.exe
1308	rundll32.exe
2988	regsvr32.exe
2988	regsvr32.exe

pid	process
1308	rundll32.exe
2988	regsvr32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

Reported IOCs

description	pid	process	target process
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 348 wrote to memory of 1884	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1884	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1356	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1356	348	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll,#1

Suspicious use of WriteProcessMemory

PID:2332

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll,#1

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:1308

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:3764

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wkubttvv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll\"" /SC ONCE /Z /ST 10:34 /ET 10:46

Creates scheduled task(s)

PID:3044

\??\c:\windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll"

Suspicious use of WriteProcessMemory

PID:2460

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll"

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:2988

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

PID:348

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zyyaws" /d "0"

PID:1884

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Bvbdek" /d "0"

PID:1356

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll
MD5
c71ac46fba2237c4a8f62a62ce687ce1

SHA1
da6f18d68a8224d84491dd7ab175c8e6588c4575

SHA256
7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

SHA512
662c833fb3220010a0b9774e31c68a48d84c68cc3d011f2e64f8afd71bd98aac4fd7afaf5620e546ca8c1b9ede4aacb8c045d0efa18e8d94851ae30a39ae2e91

Download Submit
\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll
MD5
c71ac46fba2237c4a8f62a62ce687ce1

SHA1
da6f18d68a8224d84491dd7ab175c8e6588c4575

SHA256
7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

SHA512
662c833fb3220010a0b9774e31c68a48d84c68cc3d011f2e64f8afd71bd98aac4fd7afaf5620e546ca8c1b9ede4aacb8c045d0efa18e8d94851ae30a39ae2e91

Download Submit
memory/348-132-0x0000000000000000-mapping.dmp

Download
memory/348-137-0x00000000036B0000-0x00000000036D1000-memory.dmp

Download
memory/348-136-0x00000000006D0000-0x00000000006D1000-memory.dmp

Download
memory/348-135-0x00000000006D0000-0x00000000006D1000-memory.dmp

Download
memory/1308-119-0x0000000003100000-0x000000000324A000-memory.dmp

Download
memory/1308-116-0x0000000073E90000-0x0000000073F83000-memory.dmp

Download
memory/1308-118-0x0000000073E90000-0x0000000073F83000-memory.dmp

Download
memory/1308-117-0x0000000073E90000-0x0000000073EB1000-memory.dmp

Download
memory/1308-115-0x0000000000000000-mapping.dmp

Download
memory/1356-134-0x0000000000000000-mapping.dmp

Download
memory/1884-133-0x0000000000000000-mapping.dmp

Download
memory/2988-129-0x0000000072B20000-0x0000000072B41000-memory.dmp

Download
memory/2988-130-0x0000000072B20000-0x0000000072C13000-memory.dmp

Download
memory/2988-131-0x0000000000800000-0x000000000094A000-memory.dmp

Download
memory/2988-128-0x0000000072B20000-0x0000000072C13000-memory.dmp

Download
memory/2988-126-0x0000000000000000-mapping.dmp

Download
memory/3044-122-0x0000000000000000-mapping.dmp

Download
memory/3764-124-0x0000000000D30000-0x0000000000D31000-memory.dmp

Download
memory/3764-123-0x0000000000D30000-0x0000000000D31000-memory.dmp

Download
memory/3764-121-0x0000000000920000-0x0000000000941000-memory.dmp

Download
memory/3764-120-0x0000000000000000-mapping.dmp

Download

c71ac46fba2237c4a8f62a62ce687ce1

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title