e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

max time kernel150s
max time network125s
platformwindows10_x64
resourcewin10-en-20211014
submitted15-11-2021 14:47

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll

Filesize

545KB

Completed

15-11-2021 14:50

Score

10^/10

MD5

53510e20efb161d5b71c4ce2800c1a8d

SHA1

2268178851d0d0debb9ab457d73af8a5e50af168

SHA256

e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

qakbot tr 1633597626 banker evasion stealer trojan

Extracted

Family	qakbot
Version	402.363
Botnet	tr
Campaign	1633597626
C2	120.150.218.241:995 185.250.148.74:443 89.137.52.44:443 66.103.170.104:2222 86.8.177.143:443 216.201.162.158:443 174.54.193.186:443 103.148.120.144:443 188.50.169.158:443 124.123.42.115:2222 140.82.49.12:443 199.27.127.129:443 81.241.252.59:2078 209.142.97.161:995 209.50.20.255:443 73.230.205.91:443 200.232.214.222:995 103.142.10.177:443 2.222.167.138:443 41.228.22.180:443 122.11.220.212:2222 78.191.58.219:995 47.22.148.6:443 74.72.237.54:443 217.17.56.163:465 96.57.188.174:2078 94.200.181.154:443 37.210.152.224:995 201.93.111.2:995 202.134.178.157:443 89.101.97.139:443 73.52.50.32:443 188.55.235.110:995 27.223.92.142:995 181.118.183.94:443 136.232.34.70:443 186.32.163.199:443 72.173.78.211:443 76.25.142.196:443 45.46.53.140:2222 98.157.235.126:443 173.21.10.71:2222 73.151.236.31:443 71.74.12.34:443 75.75.179.226:443 167.248.117.81:443 67.165.206.193:993 47.40.196.233:2222 72.252.201.69:443 181.4.53.6:465 109.12.111.14:443 24.171.50.5:443 24.139.72.117:443 24.55.112.61:443 24.229.150.54:995 77.57.204.78:443 81.250.153.227:2222 49.33.237.65:443 66.177.215.152:50010 177.170.201.134:995 75.188.35.168:443 120.151.47.189:443 173.25.162.221:443 201.6.246.227:995 66.177.215.152:443 217.17.56.163:2222 202.165.32.158:2222 39.52.229.8:995 42.60.70.14:443 73.140.38.124:443 167.248.100.227:443 63.70.164.200:443 69.30.186.190:443 189.131.221.201:443 68.204.7.158:443 181.84.114.46:443 167.248.99.149:443 177.94.21.110:995 50.54.32.149:443 189.224.181.39:443 24.119.214.7:443 63.70.164.200:995 177.94.125.59:995 82.18.173.253:2222 73.130.180.25:443 217.17.56.163:2078 162.244.227.34:443 75.66.88.33:443 206.47.134.234:2222 167.248.54.34:2222 73.77.87.137:443 181.4.53.6:443 190.198.206.189:2222 167.248.111.245:443 96.46.103.226:443 73.25.124.140:2222 24.152.219.253:995 68.186.192.69:443 162.210.220.137:443 174.54.58.170:443 103.246.130.114:1194 103.246.130.35:21 103.246.130.2:20 103.246.130.122:20 105.198.236.99:443 103.157.122.198:995 4.34.193.180:995 159.2.51.200:2222 110.174.64.179:995 187.101.25.96:32100 76.84.230.103:443 174.59.35.191:443 173.63.245.129:443 68.117.229.117:443 75.163.81.130:995 76.84.32.159:443 147.92.51.49:443 76.84.226.17:443 68.13.157.69:443 167.248.126.223:443 72.196.22.184:443 98.22.92.139:995 97.98.130.50:443 196.117.224.53:995 191.191.38.8:443 188.210.210.122:443 96.46.103.109:2222 37.117.191.19:2222 197.90.137.161:61201 24.32.174.175:443 76.84.225.21:443 78.145.153.73:995 69.30.190.105:995 167.248.81.60:443 69.80.113.148:443 217.17.56.163:443 62.23.194.38:443 62.23.194.41:995 189.210.115.207:443 174.59.226.6:443 73.130.237.36:443 69.253.197.100:443 174.59.242.9:443 120.150.218.241:995 185.250.148.74:443 89.137.52.44:443 66.103.170.104:2222 86.8.177.143:443 216.201.162.158:443 174.54.193.186:443 103.148.120.144:443 188.50.169.158:443 124.123.42.115:2222 140.82.49.12:443 199.27.127.129:443 81.241.252.59:2078 209.142.97.161:995 209.50.20.255:443 73.230.205.91:443 200.232.214.222:995 103.142.10.177:443 2.222.167.138:443 41.228.22.180:443 122.11.220.212:2222 78.191.58.219:995 47.22.148.6:443 74.72.237.54:443 217.17.56.163:465 96.57.188.174:2078 94.200.181.154:443 37.210.152.224:995 201.93.111.2:995 202.134.178.157:443 89.101.97.139:443 73.52.50.32:443 188.55.235.110:995 27.223.92.142:995 181.118.183.94:443 136.232.34.70:443 186.32.163.199:443 72.173.78.211:443 76.25.142.196:443 45.46.53.140:2222 98.157.235.126:443 173.21.10.71:2222 73.151.236.31:443 71.74.12.34:443 75.75.179.226:443 167.248.117.81:443 67.165.206.193:993 47.40.196.233:2222 72.252.201.69:443 181.4.53.6:465 109.12.111.14:443 24.171.50.5:443 24.139.72.117:443 24.55.112.61:443 24.229.150.54:995 77.57.204.78:443 81.250.153.227:2222 49.33.237.65:443 66.177.215.152:50010 177.170.201.134:995 75.188.35.168:443 120.151.47.189:443 173.25.162.221:443 201.6.246.227:995 66.177.215.152:443 217.17.56.163:2222 202.165.32.158:2222 39.52.229.8:995 42.60.70.14:443 73.140.38.124:443 167.248.100.227:443 63.70.164.200:443 69.30.186.190:443 189.131.221.201:443 68.204.7.158:443 181.84.114.46:443 167.248.99.149:443 177.94.21.110:995 50.54.32.149:443 189.224.181.39:443 24.119.214.7:443 63.70.164.200:995 177.94.125.59:995 82.18.173.253:2222 73.130.180.25:443 217.17.56.163:2078 162.244.227.34:443 75.66.88.33:443 206.47.134.234:2222 167.248.54.34:2222 73.77.87.137:443 181.4.53.6:443 190.198.206.189:2222 167.248.111.245:443 96.46.103.226:443 73.25.124.140:2222 24.152.219.253:995 68.186.192.69:443 162.210.220.137:443 174.54.58.170:443 103.246.130.114:1194 103.246.130.35:21 103.246.130.2:20 103.246.130.122:20 105.198.236.99:443 103.157.122.198:995 4.34.193.180:995 159.2.51.200:2222 110.174.64.179:995 187.101.25.96:32100 76.84.230.103:443 174.59.35.191:443 173.63.245.129:443 68.117.229.117:443 75.163.81.130:995 76.84.32.159:443 147.92.51.49:443 76.84.226.17:443 68.13.157.69:443 167.248.126.223:443 72.196.22.184:443 98.22.92.139:995 97.98.130.50:443 196.117.224.53:995 191.191.38.8:443 188.210.210.122:443 96.46.103.109:2222 37.117.191.19:2222 197.90.137.161:61201 24.32.174.175:443 76.84.225.21:443 78.145.153.73:995 69.30.190.105:995 167.248.81.60:443 69.80.113.148:443 217.17.56.163:443 62.23.194.38:443 62.23.194.41:995 189.210.115.207:443 174.59.226.6:443 73.130.237.36:443 69.253.197.100:443 174.59.242.9:443
Attributes	salt jHxastDcds)oMc=jvh7wdUhxcsdt2

Defense Evasion

Persistence

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Loads dropped DLL
regsvr32.exe

Reported IOCs

pid process

4288 regsvr32.exe
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

8 schtasks.exe

pid	process
4288	regsvr32.exe

pid	process
8	schtasks.exe

Modifies data under HKEY_USERS

explorer.exe

Reported IOCs

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\3a40864a = da1feb3a46c199ab43f74148c1d064ca5cbf187f720e975bfc47e46082ff622b9ee5c5aa2a2e16c3cdad4207a664535d82344cfb7c209b569af588d0a2046f8093b049869b50145a9f6a46325e73258319d28a87720e5850702486a5ad0972683e921e7e974012bc9da1f199ec4d9b25257ce6c302	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\d9e7678 = 6b40785fa0d740903dd6325d79f39e254409ddc315ed41ce27b439610b66ec2b843961457dd13d268a2dd07853b82e99d01427ba26c5b760d40d7be863622ce396ce2028adc9ea1bbc51d634bae2c3d31fa93d6899f76f37fc32fe2e13772b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\b522111d = 3d09a3678a84a02ef1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\709639f2 = 871818d424492363eab06ff1241d26f860556292534d645458ed882c42f69cbe431f27e6f1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\b7633161 = a460efaa1a6c66a0930ef0b5efb1aa77729e22522f063cdbbfcd7e6deb6cdcbade8ba2e9eb9a78c399faf28143	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\4509e9bc = d05918ee745a624b5503fa5a1ebd9445b72ab2a994f0039ba5ee2490cbe0ba2607e6f9736bea62327c934c9d034da4184a4107	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\3a40864a = da1ffc3a46c1acb0756ad0d58d9136cc3a0bcc4915f665a66381ba42d15db9c25cef343a26bd9f9a23dbd0c41cb39d8364a6f52297c0f1dd59ec10e1b12281d7a69414fc451721591645e2a2f68d8087c57bbf9de2e8c1ac430507a1c4d6c747	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\fdf5604 = 3a321111b534cbb4a4a57d3fc020352ee96e15150e8e2e5319f27a91047e1fcc3a6bc415396360d2b45e2876d9fc80306ec5cd420326d93e9a1121ef5543525c9cf4c6a718128186eef7fa5f724b760c62f687e9287ebc8db2234a1bc71150ebf0e9b75866955dafde4d7188ca87078a6947c008f9623eed40aac3cc292b7ae782d214c8182030cee9403f351bd3b958190730b38cad260b12803883a8a1d263feea2563907e4e0168	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uqbpeiyjjhxko\c82a5e97 = f654066d7bbcb3ada595641a46879eab00a571385066e056cd22a1fddf1bfdba9486f06259	explorer.exe

Suspicious behavior: EnumeratesProcesses
rundll32.exeregsvr32.exe

Reported IOCs

pid process

4108 rundll32.exe
4108 rundll32.exe
4288 regsvr32.exe
4288 regsvr32.exe
Suspicious behavior: MapViewOfSection
rundll32.exeregsvr32.exe

Reported IOCs

pid process

4108 rundll32.exe
4288 regsvr32.exe

pid	process
4108	rundll32.exe
4108	rundll32.exe
4288	regsvr32.exe
4288	regsvr32.exe

pid	process
4108	rundll32.exe
4288	regsvr32.exe

Suspicious use of WriteProcessMemory

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

Reported IOCs

description	pid	process	target process
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 4108	4112	rundll32.exe	rundll32.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 4108 wrote to memory of 3368	4108	rundll32.exe	explorer.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3368 wrote to memory of 8	3368	explorer.exe	schtasks.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 3232 wrote to memory of 4288	3232	regsvr32.exe	regsvr32.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 4288 wrote to memory of 584	4288	regsvr32.exe	explorer.exe
PID 584 wrote to memory of 804	584	explorer.exe	reg.exe
PID 584 wrote to memory of 804	584	explorer.exe	reg.exe
PID 584 wrote to memory of 728	584	explorer.exe	reg.exe
PID 584 wrote to memory of 728	584	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll,#1

Suspicious use of WriteProcessMemory

PID:4112

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll,#1

Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:4108

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Suspicious use of WriteProcessMemory

PID:3368

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iuncjixzwf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll\"" /SC ONCE /Z /ST 23:33 /ET 23:45

Creates scheduled task(s)

PID:8

\??\c:\windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll"

Suspicious use of WriteProcessMemory

PID:3232

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll"

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

PID:4288

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

PID:584

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Irxolc" /d "0"

PID:804

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zktsydwtac" /d "0"

PID:728

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll
MD5
53510e20efb161d5b71c4ce2800c1a8d

SHA1
2268178851d0d0debb9ab457d73af8a5e50af168

SHA256
e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

SHA512
27f4f030928581d23212e18cfd0b33376677cef43ad5605e124cd80e2102cd1d559bf205ae1693e5e6567a6bd33d00d0e7209e32d503116d8b1594cb78ae69a3

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987.dll
MD5
53510e20efb161d5b71c4ce2800c1a8d

SHA1
2268178851d0d0debb9ab457d73af8a5e50af168

SHA256
e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

SHA512
27f4f030928581d23212e18cfd0b33376677cef43ad5605e124cd80e2102cd1d559bf205ae1693e5e6567a6bd33d00d0e7209e32d503116d8b1594cb78ae69a3

Download Submit
memory/8-119-0x0000000000000000-mapping.dmp

Download
memory/584-127-0x0000000000000000-mapping.dmp

Download
memory/584-132-0x0000000003180000-0x0000000003181000-memory.dmp

Download
memory/584-133-0x0000000003180000-0x0000000003181000-memory.dmp

Download
memory/584-130-0x0000000000830000-0x0000000000851000-memory.dmp

Download
memory/728-131-0x0000000000000000-mapping.dmp

Download
memory/804-129-0x0000000000000000-mapping.dmp

Download
memory/3368-122-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Download
memory/3368-121-0x0000000000580000-0x00000000005A1000-memory.dmp

Download
memory/3368-118-0x0000000000000000-mapping.dmp

Download
memory/3368-120-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Download
memory/4108-115-0x0000000000000000-mapping.dmp

Download
memory/4108-117-0x0000000010000000-0x000000001530B000-memory.dmp

Download
memory/4108-116-0x0000000004B30000-0x0000000009DE4000-memory.dmp

Download
memory/4288-126-0x0000000003790000-0x0000000008A44000-memory.dmp

Download
memory/4288-124-0x0000000000000000-mapping.dmp

Download

e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title