qakbot | 7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

General

Target

c71ac46fba2237c4a8f62a62ce687ce1.dll
Size

890KB
MD5

c71ac46fba2237c4a8f62a62ce687ce1
SHA1

da6f18d68a8224d84491dd7ab175c8e6588c4575
SHA256

7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e
SHA512

662c833fb3220010a0b9774e31c68a48d84c68cc3d011f2e64f8afd71bd98aac4fd7afaf5620e546ca8c1b9ede4aacb8c045d0efa18e8d94851ae30a39ae2e91

Score

10^/10

qakbot biden54 1634810637 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

biden54

Campaign

1634810637

C2

136.143.11.232:443

63.143.92.99:995

182.176.180.73:443

136.232.34.70:443

123.252.190.14:443

216.201.162.158:443

37.208.181.198:61200

140.82.49.12:443

197.89.144.102:443

89.137.52.44:443

109.12.111.14:443

78.191.24.189:995

105.198.236.99:995

196.207.140.40:995

41.235.69.115:443

2.222.167.138:443

117.198.156.56:443

24.231.209.2:6881

27.223.92.142:995

96.246.158.154:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2988 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3044 schtasks.exe

pid	process
2988	regsvr32.exe

pid	process
3044	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\4affb8e8 = 6b1ffeb938679b57a0fa255e1f96c9dba93b521ca8c7da77ca58abbab4bb3aec1758f0861e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\f243df8d = f47c34699efadf979e9eccbf6f9ede7a85f088035e25b5599f6c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\8f4b9007 = ec90d46c4cebf17fbabde6073bfa5164ca1be188c980b28647296802873436aff6f40e6474bf8430e7c753c8d496	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\7d2148da = 68b499cd7739de901ba26b0668a575b6842cd53cd6f4a3b4d3f31d4b893272c45626190373e173ebc7ad659e5c03de296058ccb8a682b19a2f29121f496861be78e4c34aa8f05db8a00cab2fc8012259cd77cafea6d6b7fc9e0ef003537c011f10144a3a2e8d7f0ce21d16564793cdd530d1787f5c28c8b50727bdb4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\7d2148da = 68b48ecd7739eb9cc2b280f8d5638a05f6180ce643c8c73ebe0c2bf3a4588a1d14b4f7cd79784f0bc707c503567f6fc0043409cd5bafb5cff208f09dbeb0fad73bafbbb465c0b71571b0ebb5677534b5536c118331791082b6fba27a6a78a1cdcfc78f98f28ec7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\48be9894 = 63c69c20338618d634879cf1fb0a77b5960b6e5cb6ec929e0ebde438aa58e9c2d664ffc235b53ac061ae0466a6c19d8cb1f5cad94906beb1463eaa4b2f95e98973a743505e6bd9b3ec6d9d85d3ff1e699abbafe20c68892d200ba843a665b39031c3008b94266f155ca2a758ae0f1c63931fe2c654fc229a0befc3485e11e03cb591e91aa56c8b9302a287bd3e22bf1fcebdb9198b2acf67d3cc323ad13441689900a5c55f1d5595	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\37f7f762 = 9ef369100f73143a1694fa39cd1df1b52f09c01ceda55d3e59a23e8e5e7f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\f002fff1 = 2d301a859661155b84ea3e5809341924ce9d48c4b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oksayofiivr\268272c = a0afc64fac30d3a3e1f9e8b5fe65235b31fcae55ec0e504c910328812d2d5c7d0c6b0301c53a4d221b88d666fda0794e1d	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
1308 rundll32.exe
2988 regsvr32.exe
2988 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
2988 regsvr32.exe

pid	process
1308	rundll32.exe
1308	rundll32.exe
2988	regsvr32.exe
2988	regsvr32.exe

pid	process
1308	rundll32.exe
2988	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 1308	2332	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 3764	1308	rundll32.exe	explorer.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 3764 wrote to memory of 3044	3764	explorer.exe	schtasks.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2460 wrote to memory of 2988	2460	regsvr32.exe	regsvr32.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 2988 wrote to memory of 348	2988	regsvr32.exe	explorer.exe
PID 348 wrote to memory of 1884	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1884	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1356	348	explorer.exe	reg.exe
PID 348 wrote to memory of 1356	348	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wkubttvv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll\"" /SC ONCE /Z /ST 10:34 /ET 10:46
4⤵
- Creates scheduled task(s)
PID:3044

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zyyaws" /d "0"
4⤵
PID:1884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Bvbdek" /d "0"
4⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll
MD5
c71ac46fba2237c4a8f62a62ce687ce1

SHA1
da6f18d68a8224d84491dd7ab175c8e6588c4575

SHA256
7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

SHA512
662c833fb3220010a0b9774e31c68a48d84c68cc3d011f2e64f8afd71bd98aac4fd7afaf5620e546ca8c1b9ede4aacb8c045d0efa18e8d94851ae30a39ae2e91

Download Submit
\Users\Admin\AppData\Local\Temp\c71ac46fba2237c4a8f62a62ce687ce1.dll
MD5
c71ac46fba2237c4a8f62a62ce687ce1

SHA1
da6f18d68a8224d84491dd7ab175c8e6588c4575

SHA256
7e85568fd3f9ea14fc2a7f0f1a61499265b66001488413eaf2fd1ad86f97b05e

SHA512
662c833fb3220010a0b9774e31c68a48d84c68cc3d011f2e64f8afd71bd98aac4fd7afaf5620e546ca8c1b9ede4aacb8c045d0efa18e8d94851ae30a39ae2e91

Download Submit
memory/348-136-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/348-132-0x0000000000000000-mapping.dmp

Download
memory/348-135-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/348-137-0x00000000036B0000-0x00000000036D1000-memory.dmp

Filesize
132KB

Download
memory/1308-117-0x0000000073E90000-0x0000000073EB1000-memory.dmp

Filesize
132KB

Download
memory/1308-119-0x0000000003100000-0x000000000324A000-memory.dmp

Filesize
1.3MB

Download
memory/1308-115-0x0000000000000000-mapping.dmp

Download
memory/1308-118-0x0000000073E90000-0x0000000073F83000-memory.dmp

Filesize
972KB

Download
memory/1308-116-0x0000000073E90000-0x0000000073F83000-memory.dmp

Filesize
972KB

Download
memory/1356-134-0x0000000000000000-mapping.dmp

Download
memory/1884-133-0x0000000000000000-mapping.dmp

Download
memory/2988-130-0x0000000072B20000-0x0000000072C13000-memory.dmp

Filesize
972KB

Download
memory/2988-129-0x0000000072B20000-0x0000000072B41000-memory.dmp

Filesize
132KB

Download
memory/2988-128-0x0000000072B20000-0x0000000072C13000-memory.dmp

Filesize
972KB

Download
memory/2988-131-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/2988-126-0x0000000000000000-mapping.dmp

Download
memory/3044-122-0x0000000000000000-mapping.dmp

Download
memory/3764-124-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3764-123-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3764-121-0x0000000000920000-0x0000000000941000-memory.dmp

Filesize
132KB

Download
memory/3764-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads