Behavioral Report

General

Target

e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll
Size

545KB
MD5

53510e20efb161d5b71c4ce2800c1a8d
SHA1

2268178851d0d0debb9ab457d73af8a5e50af168
SHA256

e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987
SHA512

27f4f030928581d23212e18cfd0b33376677cef43ad5605e124cd80e2102cd1d559bf205ae1693e5e6567a6bd33d00d0e7209e32d503116d8b1594cb78ae69a3

Score

10^/10

qakbot tr 1633597626 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995
185.250.148.74:443
89.137.52.44:443
66.103.170.104:2222
86.8.177.143:443
216.201.162.158:443
174.54.193.186:443
103.148.120.144:443
188.50.169.158:443
124.123.42.115:2222
140.82.49.12:443
199.27.127.129:443
81.241.252.59:2078
209.142.97.161:995
209.50.20.255:443
73.230.205.91:443
200.232.214.222:995
103.142.10.177:443
2.222.167.138:443
41.228.22.180:443
122.11.220.212:2222
78.191.58.219:995
47.22.148.6:443
74.72.237.54:443
217.17.56.163:465
96.57.188.174:2078
94.200.181.154:443
37.210.152.224:995
201.93.111.2:995
202.134.178.157:443
89.101.97.139:443
73.52.50.32:443
188.55.235.110:995
27.223.92.142:995
181.118.183.94:443
136.232.34.70:443
186.32.163.199:443
72.173.78.211:443
76.25.142.196:443
45.46.53.140:2222
98.157.235.126:443
173.21.10.71:2222
73.151.236.31:443
71.74.12.34:443
75.75.179.226:443
167.248.117.81:443
67.165.206.193:993
47.40.196.233:2222
72.252.201.69:443
181.4.53.6:465
109.12.111.14:443
24.171.50.5:443
24.139.72.117:443
24.55.112.61:443
24.229.150.54:995
77.57.204.78:443
81.250.153.227:2222
49.33.237.65:443
66.177.215.152:50010
177.170.201.134:995
75.188.35.168:443
120.151.47.189:443
173.25.162.221:443
201.6.246.227:995
66.177.215.152:443
217.17.56.163:2222
202.165.32.158:2222
39.52.229.8:995
42.60.70.14:443
73.140.38.124:443
167.248.100.227:443
63.70.164.200:443
69.30.186.190:443
189.131.221.201:443
68.204.7.158:443
181.84.114.46:443
167.248.99.149:443
177.94.21.110:995
50.54.32.149:443
189.224.181.39:443
24.119.214.7:443
63.70.164.200:995
177.94.125.59:995
82.18.173.253:2222
73.130.180.25:443
217.17.56.163:2078
162.244.227.34:443
75.66.88.33:443
206.47.134.234:2222
167.248.54.34:2222
73.77.87.137:443
181.4.53.6:443
190.198.206.189:2222
167.248.111.245:443
96.46.103.226:443
73.25.124.140:2222
24.152.219.253:995
68.186.192.69:443
162.210.220.137:443
174.54.58.170:443
103.246.130.114:1194
103.246.130.35:21
103.246.130.2:20
103.246.130.122:20
105.198.236.99:443
103.157.122.198:995
4.34.193.180:995
159.2.51.200:2222
110.174.64.179:995
187.101.25.96:32100
76.84.230.103:443
174.59.35.191:443
173.63.245.129:443
68.117.229.117:443
75.163.81.130:995
76.84.32.159:443
147.92.51.49:443
76.84.226.17:443
68.13.157.69:443
167.248.126.223:443
72.196.22.184:443
98.22.92.139:995
97.98.130.50:443
196.117.224.53:995
191.191.38.8:443
188.210.210.122:443
96.46.103.109:2222
37.117.191.19:2222
197.90.137.161:61201
24.32.174.175:443
76.84.225.21:443
78.145.153.73:995
69.30.190.105:995
167.248.81.60:443
69.80.113.148:443
217.17.56.163:443
62.23.194.38:443
62.23.194.41:995
189.210.115.207:443
174.59.226.6:443
73.130.237.36:443
69.253.197.100:443
174.59.242.9:443

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass ⋅ 2 TTPs
evasion trojan

TTPs:

Disabling Security Tools Modify Registry
Loads dropped DLL ⋅ 1 IoCs

Processes:

regsvr32.exe

pid process

4288 regsvr32.exe
Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

TTPs:

Scheduled Task

Processes:

schtasks.exe

pid process

8 schtasks.exe

pid	process
4288	regsvr32.exe

pid	process
8	schtasks.exe

Modifies data under HKEY_USERS ⋅ 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\3a40864a = da1feb3a46c199ab43f74148c1d064ca5cbf187f720e975bfc47e46082ff622b9ee5c5aa2a2e16c3cdad4207a664535d82344cfb7c209b569af588d0a2046f8093b049869b50145a9f6a46325e73258319d28a87720e5850702486a5ad0972683e921e7e974012bc9da1f199ec4d9b25257ce6c302	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\d9e7678 = 6b40785fa0d740903dd6325d79f39e254409ddc315ed41ce27b439610b66ec2b843961457dd13d268a2dd07853b82e99d01427ba26c5b760d40d7be863622ce396ce2028adc9ea1bbc51d634bae2c3d31fa93d6899f76f37fc32fe2e13772b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\b522111d = 3d09a3678a84a02ef1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\709639f2 = 871818d424492363eab06ff1241d26f860556292534d645458ed882c42f69cbe431f27e6f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\b7633161 = a460efaa1a6c66a0930ef0b5efb1aa77729e22522f063cdbbfcd7e6deb6cdcbade8ba2e9eb9a78c399faf28143	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\4509e9bc = d05918ee745a624b5503fa5a1ebd9445b72ab2a994f0039ba5ee2490cbe0ba2607e6f9736bea62327c934c9d034da4184a4107	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\3a40864a = da1ffc3a46c1acb0756ad0d58d9136cc3a0bcc4915f665a66381ba42d15db9c25cef343a26bd9f9a23dbd0c41cb39d8364a6f52297c0f1dd59ec10e1b12281d7a69414fc451721591645e2a2f68d8087c57bbf9de2e8c1ac430507a1c4d6c747	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\fdf5604 = 3a321111b534cbb4a4a57d3fc020352ee96e15150e8e2e5319f27a91047e1fcc3a6bc415396360d2b45e2876d9fc80306ec5cd420326d93e9a1121ef5543525c9cf4c6a718128186eef7fa5f724b760c62f687e9287ebc8db2234a1bc71150ebf0e9b75866955dafde4d7188ca87078a6947c008f9623eed40aac3cc292b7ae782d214c8182030cee9403f351bd3b958190730b38cad260b12803883a8a1d263feea2563907e4e0168	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\c82a5e97 = f654066d7bbcb3ada595641a46879eab00a571385066e056cd22a1fddf1bfdba9486f06259	explorer.exe

Suspicious behavior: EnumeratesProcesses ⋅ 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

4108 rundll32.exe
4108 rundll32.exe
4288 regsvr32.exe
4288 regsvr32.exe
Suspicious behavior: MapViewOfSection ⋅ 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

4108 rundll32.exe
4288 regsvr32.exe

pid	process
4108	rundll32.exe
4108	rundll32.exe
4288	regsvr32.exe
4288	regsvr32.exe

pid	process
4108	rundll32.exe
4288	regsvr32.exe

Suspicious use of WriteProcessMemory ⋅ 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 584 wrote to memory of 804	584	explorer.exe	reg.exe
PID 584 wrote to memory of 804	584	explorer.exe	reg.exe
PID 584 wrote to memory of 728	584	explorer.exe	reg.exe
PID 584 wrote to memory of 728	584	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll,#1

Suspicious use of WriteProcessMemory

PID:4112

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll,#1

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:4108

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:3368

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iuncjixzwf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll\"" /SC ONCE /Z /ST 23:33 /ET 23:45

Creates scheduled task(s)

PID:8

\??\c:\windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll"

Suspicious use of WriteProcessMemory

PID:3232

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll"

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:4288

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

PID:584

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Irxolc" /d "0"

PID:804

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zktsydwtac" /d "0"

PID:728

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll
MD5
53510e20efb161d5b71c4ce2800c1a8d

SHA1
2268178851d0d0debb9ab457d73af8a5e50af168

SHA256
e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

SHA512
27f4f030928581d23212e18cfd0b33376677cef43ad5605e124cd80e2102cd1d559bf205ae1693e5e6567a6bd33d00d0e7209e32d503116d8b1594cb78ae69a3

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll
MD5
53510e20efb161d5b71c4ce2800c1a8d

SHA1
2268178851d0d0debb9ab457d73af8a5e50af168

SHA256
e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

SHA512
27f4f030928581d23212e18cfd0b33376677cef43ad5605e124cd80e2102cd1d559bf205ae1693e5e6567a6bd33d00d0e7209e32d503116d8b1594cb78ae69a3

Download Submit
memory/8-119-0x0000000000000000-mapping.dmp

Download
memory/584-133-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/584-132-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/584-127-0x0000000000000000-mapping.dmp

Download
memory/584-130-0x0000000000830000-0x0000000000851000-memory.dmp

Filesize
132KB

Download
memory/728-131-0x0000000000000000-mapping.dmp

Download
memory/804-129-0x0000000000000000-mapping.dmp

Download
memory/3368-121-0x0000000000580000-0x00000000005A1000-memory.dmp

Filesize
132KB

Download
memory/3368-122-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3368-120-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3368-118-0x0000000000000000-mapping.dmp

Download
memory/4108-117-0x0000000010000000-0x000000001530B000-memory.dmp

Filesize
83MB

Download
memory/4108-116-0x0000000004B30000-0x0000000009DE4000-memory.dmp

Filesize
82MB

Download
memory/4108-115-0x0000000000000000-mapping.dmp

Download
memory/4288-126-0x0000000003790000-0x0000000008A44000-memory.dmp

Filesize
82MB

Download
memory/4288-124-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing