qakbot | 236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4

General

Target

236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
Size

196KB
MD5

1d4952cbe998312fd2bf810535db8a20
SHA1

9667cbfa70ed5f116212be862d8301935c278ceb
SHA256

236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4
SHA512

582ab995fe6b6d1f6bc9ddb95a80c01c776f7d21e7d8e381795172b76ce6500dc2e8847a87cdcc3d35d916d19bdb122e237c75e9425643458d6881a0d24deff2

Score

10^/10

qakbot notset 1635958698 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.1

Botnet

notset

Campaign

1635958698

C2

89.137.52.44:443

94.60.254.81:443

189.146.41.71:443

93.147.212.206:443

71.13.93.154:2222

136.143.11.232:443

100.1.119.41:443

189.223.33.109:443

45.46.53.140:2222

86.97.8.204:443

71.13.93.154:6881

111.250.29.138:443

181.118.183.27:443

71.13.93.154:2083

24.139.72.117:443

24.229.150.54:995

24.55.112.61:443

76.25.142.196:443

72.27.126.188:995

207.246.112.221:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1880 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1360 schtasks.exe

pid	process
1880	regsvr32.exe

pid	process
1360	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\a33d836 = 1d93cf57c39e797ba010091630d9c0c47b4501b15b35fcff5629ea9d16e9a402e82f21215e69210d88efb66e0d1813883b028f417046a59564c540ef5d98da78dc85e0d65bfea0c4ca4d7d9094c8b52bb6d685e8c488ce56e1f660d94bf56ab0534d772406	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\b0ce9f2f = 20c25997d36fec6ba67713def51be072da572d98f3127e63bdb2e107289ede6fd9baa5395d92f6c5f8857fdb477126ec6f6eed537088b3a33b36	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\b28fbf53 = 4a57d303590c72619512ebe028915f936cae99fa66aaecbbffb22115774c9b0c69d598b0c19f00d20f4ff1c02d9f08656aa6a888c2f0e00f9fae220c285e6d96b02c6ed6f81b4da8aaa67d3aa525b6853fcb31b711fa0d634504956411adfd84476e3b4adcadf74ca83866090c	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pnfhinalufeg	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\3fac0878 = 404e14cfaf4930242af004c38084fabb7badf0ff681e84a1015ff38dadf25401432e443da918b72cef43970b50bfe21e394c381d817cd85eeb97cef8e510fdadc42697d923d0a844ca158e01d5b4f2a137987a7276a1045ce057e6001301ae0f9a7af5f71198	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\872f84a = 7079d8f0e0f9ba527017a91b1a948c23bb09cb1ed496f74d09dc4b8cda4a0f32134b25a2e4fc27dcc5705f8cffc9c9eaf5684a2a0f0c825488234ce80079dc4dd1c2ac92614abb2d5894cc6b42c6e50831	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\cdc6d0a5 = cac951696857b89520d5ccce3dab19a35a0c9291d9d68d5077db64d6d430b27228d9d961d70b8ad571798f95baf0f1af0c310dc5b096e1ec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\757ab7c0 = 2955bc8892927307c7aa6cacad675293363676e90a8ee994b2eec54970f4d89a09a505aee9358994ef07706753835e330cd396abdbcd3b8c373b591f4590c06060fc7f7ae949d3611e01e6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\40e5678e = 1bc37e190c8ddb42d4ea5a5a8d785c350e7e9e052c20c8cf645db033d11cde1bbb0d9e8a3e907250fb41eead4e1657f938354e9376b483325001eb861f4a8e42	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pnfhinalufeg\3fac0878 = 404e03cfaf49055dabb7feae05be537129e9013eb67ed8f5e01e35d00ece0ca4fb9bd118570dc00337a9623f8ecb71dcac077e8df5cd2ac9f1af21b3f682f860f5231168b047a8288296e0d935e268b2882cd2f9e00ff16aa37ef7924c48abdac769f542e4fd0e9e60fd84e18f153c180bfc9c33fbe147917077ae	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

368 regsvr32.exe
1880 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

368 regsvr32.exe
1880 regsvr32.exe

pid	process
368	regsvr32.exe
1880	regsvr32.exe

pid	process
368	regsvr32.exe
1880	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 368	1896	regsvr32.exe	regsvr32.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 368 wrote to memory of 1484	368	regsvr32.exe	explorer.exe
PID 1484 wrote to memory of 1360	1484	explorer.exe	schtasks.exe
PID 1484 wrote to memory of 1360	1484	explorer.exe	schtasks.exe
PID 1484 wrote to memory of 1360	1484	explorer.exe	schtasks.exe
PID 1484 wrote to memory of 1360	1484	explorer.exe	schtasks.exe
PID 1648 wrote to memory of 1160	1648	taskeng.exe	regsvr32.exe
PID 1648 wrote to memory of 1160	1648	taskeng.exe	regsvr32.exe
PID 1648 wrote to memory of 1160	1648	taskeng.exe	regsvr32.exe
PID 1648 wrote to memory of 1160	1648	taskeng.exe	regsvr32.exe
PID 1648 wrote to memory of 1160	1648	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1880	1160	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1880 wrote to memory of 1952	1880	regsvr32.exe	explorer.exe
PID 1952 wrote to memory of 1624	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1624	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1624	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1624	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1500	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1500	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1500	1952	explorer.exe	reg.exe
PID 1952 wrote to memory of 1500	1952	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pjicnid /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll\"" /SC ONCE /Z /ST 10:34 /ET 10:46
4⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\taskeng.exe
taskeng.exe {6FA1AE10-6E4A-4268-9647-F412D7FF5553} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Mnmisjyfa" /d "0"
5⤵
PID:1624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rlmyywcdoii" /d "0"
5⤵
PID:1500

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
MD5
1d4952cbe998312fd2bf810535db8a20

SHA1
9667cbfa70ed5f116212be862d8301935c278ceb

SHA256
236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4

SHA512
582ab995fe6b6d1f6bc9ddb95a80c01c776f7d21e7d8e381795172b76ce6500dc2e8847a87cdcc3d35d916d19bdb122e237c75e9425643458d6881a0d24deff2

Download Submit
\Users\Admin\AppData\Local\Temp\236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4.dll
MD5
1d4952cbe998312fd2bf810535db8a20

SHA1
9667cbfa70ed5f116212be862d8301935c278ceb

SHA256
236f9f37dc2604ed8d3faee0b07fc6bb8f4dde68ed89a137023f641ad6076ca4

SHA512
582ab995fe6b6d1f6bc9ddb95a80c01c776f7d21e7d8e381795172b76ce6500dc2e8847a87cdcc3d35d916d19bdb122e237c75e9425643458d6881a0d24deff2

Download Submit
memory/368-56-0x0000000000000000-mapping.dmp

Download
memory/368-57-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1160-64-0x0000000000000000-mapping.dmp

Download
memory/1360-62-0x0000000000000000-mapping.dmp

Download
memory/1484-59-0x0000000000000000-mapping.dmp

Download
memory/1484-63-0x0000000000080000-0x00000000000B4000-memory.dmp

Filesize
208KB

Download
memory/1484-61-0x00000000747F1000-0x00000000747F3000-memory.dmp

Filesize
8KB

Download
memory/1484-58-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1500-76-0x0000000000000000-mapping.dmp

Download
memory/1624-74-0x0000000000000000-mapping.dmp

Download
memory/1880-67-0x0000000000000000-mapping.dmp

Download
memory/1896-55-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download
memory/1952-75-0x00000000000F0000-0x0000000000124000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads