9d0548b0495518b448154aee4726aa5c

General

Target: 9d0548b0495518b448154aee4726aa5c.dll
Filesize: 890KB
Completed: 21-10-2021 19:13
Score: 10/10
MD5: 9d0548b0495518b448154aee4726aa5c
SHA1: 839cecb1e45d0dd5af4397754ee3564f0848eb1b
SHA256: 9fd2f36653216c8e653de84e5f247e3c9c379fc98f2644fd20ccde41bba501bf

Malware Config

Extracted

Family qakbot
Version 402.363
Botnet biden54
Campaign 1634810637
C2

136.143.11.232:443

63.143.92.99:995

182.176.180.73:443

136.232.34.70:443

123.252.190.14:443

216.201.162.158:443

37.208.181.198:61200

140.82.49.12:443

197.89.144.102:443

89.137.52.44:443

109.12.111.14:443

78.191.24.189:995

105.198.236.99:995

196.207.140.40:995

41.235.69.115:443

2.222.167.138:443

117.198.156.56:443

24.231.209.2:6881

27.223.92.142:995

96.246.158.154:995

81.250.153.227:2222

120.150.218.241:995

76.25.142.196:443

89.101.97.139:443

81.213.59.22:443

173.21.10.71:2222

103.142.10.177:443

71.74.12.34:443

24.231.209.2:2222

75.188.35.168:443

209.210.95.228:995

73.151.236.31:443

220.255.25.187:2222

187.156.134.254:443

189.175.219.53:80

108.4.67.252:443

209.210.95.228:993

67.165.206.193:993

173.25.162.221:443

100.1.119.41:443

93.48.58.123:2222

65.100.174.110:443

201.137.10.225:443

24.229.150.54:995

146.66.238.74:443

68.204.7.158:443

37.208.181.198:443

41.86.42.158:995

189.135.16.92:443

187.75.66.160:995

Attributes
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures 8

Filter: none

Defense Evasion
Persistence
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a modular banking trojan and malware loader with worm-like lateral-movement capabilities.

  • Windows security bypass

    TTPs

    Disabling Security Tools
    Modify Registry
  • Loads dropped DLL
    regsvr32.exe

    Reported IOCs

    PID | Process
    1284 | regsvr32.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    PID | Process
    880 | schtasks.exe
  • Modifies data under HKEY_USERS
    explorer.exe

    Reported IOCs

    Description | IOC | Process
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\65268819 = f5ecc11b1c42f31e032a2e36ea84ac3fe0f0ff29db6b18749a7335176eb8f6bc8570afab7f0c42350a9e7aafb30eebf9193b8bb97896f4337813d45e103b62d641786b563882fb96d282b814689dfb7a276a01fe35be29877453950356915f525bc4 | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\ea441f4e = 679ce6ef5c09cf32951d7c938a922eb0b7c8702d80a6130fa2636059daec5d184a1c4555ce92498d1b9d1a712ce4d57488f9837dbdb4101d3cf38bc6318cd49511fc | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\974c50c4 = adaaab516adb82be8568ca9a4f77a516d36fbb4c967f33ea0f5b3ca26393c44cf24e5cf4a669cb62860fe660e287e27cfc4f1d8efbdf03e996a84f57009da8d6e4a756d1550f83eeb9e932b1cde14dfaa61d0e2603a4ef2a7c4562258dddc117 | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\2ff037a1 = 6bfd8666aae388433721c83d12bd5e0f67cc75d8ba23943ade65b39c1ec9d736c48c45cb49f9f259ab1b477836e8f906a226c99f9195a87c36044a7b4c4ccda5f92fdca245622ef34bcec4df | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\65268819 = f5ecd61b1c42c60227024e807d7a33b64f0e802981a44541522569d0f81504ba64d4eb03f25f80c73daa5beff9eef22974c5c112f62d0f725d60571d6f191c71c37a5d2a41a56282919d6268282ed0bd284d3677e79af95f6d1a04b5b5747bd45498671996e04fd30cad9deff0f022c871c439f0ff78a6 | explorer.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Vyqvdntyexes | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\50b95857 = 618340ab404b25a0133dfa15e204a094123117002ef7fea32b34bb49bc2baebdb19c46ef9fb36bb23ee5148fdaa8ee93229fea58a68892dbdf032d56340cc465e363178628d514b6f8dc918489672ae9d9302930818a85c84a9a1b91626caff1a6a7c97ccd386efa2a0aac3fb3e80762b4238bb1ef86a9a457e02e8e37cdb132a3d7181d1c41f00ab81e549a27699fbee374bb74fc6e213a7f280349fb6e5b365a7966e8b3aad4589f40785dd8907a7f0a6cf3e8ce4c2e750fe724c7c0a639fc0999f821cd04cfde | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\52f8782b = d0a0aa1d8c07ef7de7da3e94c5a5a6b952ffdf4895ac6872dc21f40c3c17ac663f321513e5289a4e4e52e68218871b1cb6a7ce9c0d6a1292117117a3f89a2a9f2ff84691cf02f28f109c9cf519dd89c6 | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\e8053f32 = e75288f669fba3d97272c0bd8f7ca9a5 | explorer.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Vyqvdntyexes\1a6fe7ef = 454d8d338489cd0a7f0ec6eb191fabb97029a344904fd6fd8a32b32a483d0716f6b1d045ebb4b95676aa6ad613a927e7650a0848425a66d4cb5b14542b6f9b593ec76122d479d8a2f71e46caf3f60d000561b7dbfbf6da8def60f5d4418258cb | explorer.exe
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe, regsvr32.exe

    Reported IOCs

    PID | Process
    1036 | rundll32.exe
    1284 | regsvr32.exe
  • Suspicious behavior: MapViewOfSection
    rundll32.exe, regsvr32.exe

    Reported IOCs

    PID | Process
    1036 | rundll32.exe
    1284 | regsvr32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe, rundll32.exe, explorer.exe, taskeng.exe, regsvr32.exe, regsvr32.exe, explorer.exe

    Reported IOCs

    Description | PID | Process | Target process | Reported writes
    PID 956 wrote to memory of 1036 | 956 | rundll32.exe | rundll32.exe | 7
    PID 1036 wrote to memory of 1856 | 1036 | rundll32.exe | explorer.exe | 6
    PID 1856 wrote to memory of 880 | 1856 | explorer.exe | schtasks.exe | 4
    PID 1844 wrote to memory of 1808 | 1844 | taskeng.exe | regsvr32.exe | 5
    PID 1808 wrote to memory of 1284 | 1808 | regsvr32.exe | regsvr32.exe | 7
    PID 1284 wrote to memory of 992 | 1284 | regsvr32.exe | explorer.exe | 6
    PID 992 wrote to memory of 1260 | 992 | explorer.exe | reg.exe | 4
    PID 992 wrote to memory of 1288 | 992 | explorer.exe | reg.exe | 4
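The "Modifies data under HKEY_USERS" signature shows the shape Qakbot uses for its on-host configuration store: a randomly named subkey under Software\Microsoft whose values are all named with eight hex digits and hold opaque binary blobs. Note the hive: the writes land in HKU\.DEFAULT because the writing explorer.exe (PID 992) descends from the regsvr32 instance that the scheduled task launched as NT AUTHORITY\SYSTEM, so "the current user" at that point is the SYSTEM profile. The Python below is an added hunting example and is not part of the sandbox report. It parses constructed `reg query ... /s`-style output (key and value names mirror the report, the binary data is truncated, the two extra keys are ordinary negatives) and flags subkeys matching that shape; the function names and the heuristic threshold are this example's own assumptions.

```python
import re

# Constructed sample in the shape of `reg query "HKU\.DEFAULT\Software\Microsoft" /s` output.
# Key and value names mirror the sandbox report above; the REG_BINARY data is truncated.
# The two other keys are ordinary Microsoft subkeys included as negatives.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\.DEFAULT\Software\Microsoft\Vyqvdntyexes
    65268819    REG_BINARY    F5ECC11B1C42F31E032A2E36EA84AC3FE0F0FF29DB6B1874
    EA441F4E    REG_BINARY    679CE6EF5C09CF32951D7C938A922EB0B7C8702D80A6130F
    974C50C4    REG_BINARY    ADAAAB516ADB82BE8568CA9A4F77A516D36FBB4C967F33EA
    E8053F32    REG_BINARY    E75288F669FBA3D97272C0BD8F7CA9A5

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    https://www.msn.com/
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
# reg query separates value name / type / data with four spaces
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
HEXBLOB_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_reg_query(text):
    """Parse `reg query /s` output into {key_path: [(value_name, type, data), ...]}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):
            current = line.strip()
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2), m.group(3).strip()))
    return keys


def find_qakbot_config_keys(keys, min_values=2):
    """Return keys whose values are ALL 8-hex-digit names holding REG_BINARY blobs.

    This is the shape of Qakbot's registry config store seen in the report. It is a
    triage heuristic, not a signature; min_values is this example's own threshold.
    """
    hits = []
    for path, values in keys.items():
        if len(values) < min_values:
            continue
        if all(HEX8_RE.match(name) and vtype == "REG_BINARY" and HEXBLOB_RE.match(data)
               for name, vtype, data in values):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_qakbot_config_keys(parse_reg_query(SAMPLE_REG_QUERY)):
        print("suspicious config store:", hit)
```

On a live host, feed it the output of `reg query HKU /s` (and each loaded user hive); HKU\.DEFAULT deserves a specific look because SYSTEM-context payloads land there rather than in the logged-on user's hive. Other software occasionally stores hex-named binary values, so treat a hit as a lead to pivot on (key creation time, writing process) rather than a verdict.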
Processes 10
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll,#1
    Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll,#1
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ikevfytoti /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll\"" /SC ONCE /Z /ST 21:17 /ET 21:29
          Creates scheduled task(s)
          PID:880
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F336AB1D-775E-4233-A9B6-77107FB5432F} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll"
      Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\SysWOW64\regsvr32.exe
        -s "C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll"
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          Modifies data under HKEY_USERS
          Suspicious use of WriteProcessMemory
          PID:992
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Frpegowtbb" /d "0"
            PID:1260
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zjaoiwhvip" /d "0"
            PID:1288
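The process tree above is the complete staging chain: rundll32 loads the DLL and injects into a spawned explorer.exe, which registers a one-shot scheduled task that runs `regsvr32.exe -s` on the same DLL as NT AUTHORITY\SYSTEM; when taskeng.exe fires it, regsvr32 injects into a second explorer.exe, which then adds two Windows Defender path exclusions through reg.exe. The Python below is an added detection example, not part of the sandbox report, that re-derives those findings from process-creation events. The event records are constructed from the PIDs and command lines shown above (the parents of the two root processes are not in the report, so their ppid is None); the rule names, the Finding type and the scoring threshold are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed process-creation records (a minimal Sysmon Event ID 1 / 4688 subset) built from
# the PIDs and command lines in the sandbox report above. The two root processes' parents are
# not in the report, so their ppid is None.
EVENTS = [
    {"pid": 956, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll,#1"},
    {"pid": 1036, "ppid": 956, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll,#1"},
    {"pid": 1856, "ppid": 1036, "image": r"C:\Windows\SysWOW64\explorer.exe", "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 880, "ppid": 1856, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ikevfytoti '
            r'/tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll\"" '
            r'/SC ONCE /Z /ST 21:17 /ET 21:29'},
    {"pid": 1844, "ppid": None, "image": r"C:\Windows\system32\taskeng.exe",
     "cmd": r"taskeng.exe {F336AB1D-775E-4233-A9B6-77107FB5432F} S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 1808, "ppid": 1844, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r'regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll"'},
    {"pid": 1284, "ppid": 1808, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'-s "C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll"'},
    {"pid": 992, "ppid": 1284, "image": r"C:\Windows\SysWOW64\explorer.exe", "cmd": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1260, "ppid": 992, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Frpegowtbb" /d "0"'},
    {"pid": 1288, "ppid": 992, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zjaoiwhvip" /d "0"'},
]

Finding = namedtuple("Finding", "pid rule detail")   # hypothetical result type for this example

SYSTEM_RU_RE = re.compile(r'/ru\s+"?NT AUTHORITY\\SYSTEM"?', re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"(.+?)"(?=\s+/|\s*$)', re.I)   # the quoted /tr argument, escaped quotes included
LOLBIN_RE = re.compile(r"\b(regsvr32|rundll32|mshta|wscript|cscript|powershell)(\.exe)?\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
DEFENDER_EXCL_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)
LOADER_IMAGES = {"rundll32.exe", "regsvr32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_chain(pid, by_pid):
    """Ancestry of `pid` as 'root > ... > pid' image basenames, stopping at unknown parents."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def detect_scheduled_task_persistence(ev):
    """schtasks /Create whose action is a LOLBin running a payload from a user-writable path, as SYSTEM."""
    if _basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmd"].lower():
        return None
    m = TASK_ACTION_RE.search(ev["cmd"])
    action = m.group(1) if m else ""
    reasons = []
    if SYSTEM_RU_RE.search(ev["cmd"]):
        reasons.append("runs as SYSTEM")
    if LOLBIN_RE.search(action):
        reasons.append("action is a LOLBin")
    if USER_WRITABLE_RE.search(action):
        reasons.append("payload under user-writable path")
    if len(reasons) >= 2:   # threshold is this example's choice, not a vendor rule
        return Finding(ev["pid"], "scheduled_task_persistence", "; ".join(reasons))
    return None


def detect_defender_exclusion(ev):
    """reg.exe ADD under the Windows Defender Exclusions keys."""
    if _basename(ev["image"]) != "reg.exe" or not re.search(r"\badd\b", ev["cmd"], re.I):
        return None
    m = DEFENDER_EXCL_RE.search(ev["cmd"])
    if not m:
        return None
    v = re.search(r'/v\s+"([^"]+)"', ev["cmd"])
    return Finding(ev["pid"], "defender_exclusion_added", f"{m.group(1)}: {v.group(1) if v else '?'}")


def detect_loader_spawned_explorer(ev, by_pid):
    """explorer.exe whose parent is rundll32/regsvr32: rarely legitimate, here an injection host."""
    parent = by_pid.get(ev["ppid"])
    if parent and _basename(ev["image"]) == "explorer.exe" and _basename(parent["image"]) in LOADER_IMAGES:
        return Finding(ev["pid"], "explorer_spawned_by_loader", build_chain(ev["pid"], by_pid))
    return None


def triage(events):
    """Run every rule over every event and return the list of Findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for f in (detect_scheduled_task_persistence(ev), detect_defender_exclusion(ev),
                  detect_loader_spawned_explorer(ev, by_pid)):
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for f in triage(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}  [{build_chain(f.pid, by_pid)}]")
```

Against the constructed records this yields five findings: the SYSTEM scheduled task (PID 880), the two Defender exclusions (PIDs 1260 and 1288) and the two loader-spawned explorer.exe instances (PIDs 1856 and 992). On a real host the same four fields come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; for the exclusions specifically, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` on the endpoint confirms whether the reg.exe writes took effect.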
Network
MITRE ATT&CK Matrix: Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll
    MD5: 9d0548b0495518b448154aee4726aa5c
    SHA1: 839cecb1e45d0dd5af4397754ee3564f0848eb1b
    SHA256: 9fd2f36653216c8e653de84e5f247e3c9c379fc98f2644fd20ccde41bba501bf
    SHA512: 9ca2401fb0b821969540c2e2e32d9625c2400d504bf23399a94c6335ca5c24bfa333610e9b70899e7236a040d301f0b95baeffe234925c5de5ca749c0a059019
  • \Users\Admin\AppData\Local\Temp\9d0548b0495518b448154aee4726aa5c.dll
    MD5: 9d0548b0495518b448154aee4726aa5c
    SHA1: 839cecb1e45d0dd5af4397754ee3564f0848eb1b
    SHA256: 9fd2f36653216c8e653de84e5f247e3c9c379fc98f2644fd20ccde41bba501bf
    SHA512: 9ca2401fb0b821969540c2e2e32d9625c2400d504bf23399a94c6335ca5c24bfa333610e9b70899e7236a040d301f0b95baeffe234925c5de5ca749c0a059019
  • memory/880-66-0x0000000000000000-mapping.dmp
  • memory/992-83-0x0000000000080000-0x00000000000A1000-memory.dmp
  • memory/992-78-0x0000000000000000-mapping.dmp
  • memory/1036-59-0x0000000074370000-0x0000000074463000-memory.dmp
  • memory/1036-60-0x0000000000170000-0x0000000000171000-memory.dmp
  • memory/1036-56-0x0000000074F21000-0x0000000074F23000-memory.dmp
  • memory/1036-57-0x0000000074370000-0x0000000074463000-memory.dmp
  • memory/1036-58-0x0000000074370000-0x0000000074391000-memory.dmp
  • memory/1036-55-0x0000000000000000-mapping.dmp
  • memory/1260-81-0x0000000000000000-mapping.dmp
  • memory/1284-74-0x0000000073A00000-0x0000000073A21000-memory.dmp
  • memory/1284-70-0x0000000000000000-mapping.dmp
  • memory/1284-76-0x0000000000140000-0x0000000000141000-memory.dmp
  • memory/1284-73-0x0000000073A00000-0x0000000073AF3000-memory.dmp
  • memory/1284-75-0x0000000073A00000-0x0000000073AF3000-memory.dmp
  • memory/1288-82-0x0000000000000000-mapping.dmp
  • memory/1808-67-0x0000000000000000-mapping.dmp
  • memory/1808-68-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
  • memory/1856-62-0x0000000000000000-mapping.dmp
  • memory/1856-61-0x00000000000F0000-0x00000000000F2000-memory.dmp
  • memory/1856-64-0x0000000073EF1000-0x0000000073EF3000-memory.dmp
  • memory/1856-65-0x0000000000080000-0x00000000000A1000-memory.dmp