qakbot | 7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

General

Target

7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll
Size

456KB
MD5

1d18144f5aed798fda3dd86a316a7c7e
SHA1

01e73a919703d9dcdad4ac901d05a5a5a4071584
SHA256

7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948
SHA512

4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1020 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1032 schtasks.exe

pid	process
1020	regsvr32.exe

pid	process
1032	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\4f7fe8c6 = bd273be9125abb25768d3811544f02615d124a80863ce7b81f50013b1441b1ef470d2097e4fd95bd1856eb516e3e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\888ae055 = 0933fe5c113f842859df66a45176d026cde24b92772a6bcb72dcea76f147e9892a107fa7ddb6904acef48d94f3557f5219dbe9de176bcbca30e5ff4c62346c1223a1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\5a9577e = 1ba043043f6e51a46a489900643123eaa6bdb0fb8d8c16ad124112d485ceaeecd5c5b1d8c5d521cab5409923461d039763d624132c0f8f4d5cdfceba7a6dd25797b9d46c4f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\30368730 = 6657217be2484d17aeef788ec8612d552153b671c642abee68644b727eff8ab5aa8eb6b70f3502aa97154d21797a72e585830091490f8ecfe63ed6d33f9a5bb81d1fd52673e549fff12bb8a466dcfea837fb22cbce071ffead264b306fc49d354f433610543acadb30d9679bae073e8a27aa2aab	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\3277a74c = 3fb34ad89df156193e2347b3ba68c312cea011f602111310065291b87a242a3b4b4fb5f38ecd30e7f6439362345a3e4fe379fbb3759b7dd80a22d8633e46c82ed088646b9e9a2f71510e7bd9cded46362f424e8e28b3fecbf9253a8d50ceca205c80810ac2fc1a5e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\f7c38fa3 = b6f7f165208963682a7c7d110a937aef2896e0eba70853f833e52776701decb17864bfcb02c9802226	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oaqccoiyhuxdxk	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\8acbc029 = d525b477d9f154c84cdb5f424248805a5b7eaf2674ee58abc67d05e6e2ed36ba6a96e88c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\7ae03888 = 1e01feee4b478d9668beb885880031e1b203daf09e500e83b44a6624a65c898fcde9057af75684e974b919979dca04b3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Oaqccoiyhuxdxk\5a9577e = 1ba054043f6e648fbe647db84440b569e63dc74fa2c6ee813afcec3d279c428da49c4152aa13695214ddf9d55270458c1ab1d3e6ea733054ceaa7f236aac6b4496c4cfac1ab5236a04a3d2976e27d7a58bad945eabffeb1f7c71	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

980 rundll32.exe
1020 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

980 rundll32.exe
1020 regsvr32.exe

pid	process
980	rundll32.exe
1020	regsvr32.exe

pid	process
980	rundll32.exe
1020	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 980	1628	rundll32.exe	rundll32.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 980 wrote to memory of 776	980	rundll32.exe	explorer.exe
PID 776 wrote to memory of 1032	776	explorer.exe	schtasks.exe
PID 776 wrote to memory of 1032	776	explorer.exe	schtasks.exe
PID 776 wrote to memory of 1032	776	explorer.exe	schtasks.exe
PID 776 wrote to memory of 1032	776	explorer.exe	schtasks.exe
PID 844 wrote to memory of 1160	844	taskeng.exe	regsvr32.exe
PID 844 wrote to memory of 1160	844	taskeng.exe	regsvr32.exe
PID 844 wrote to memory of 1160	844	taskeng.exe	regsvr32.exe
PID 844 wrote to memory of 1160	844	taskeng.exe	regsvr32.exe
PID 844 wrote to memory of 1160	844	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1020	1160	regsvr32.exe	regsvr32.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1020 wrote to memory of 1772	1020	regsvr32.exe	explorer.exe
PID 1772 wrote to memory of 896	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 896	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 896	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 896	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 868	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 868	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 868	1772	explorer.exe	reg.exe
PID 1772 wrote to memory of 868	1772	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qelzmaq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll\"" /SC ONCE /Z /ST 20:15 /ET 20:27
4⤵
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\taskeng.exe
taskeng.exe {E463D2B9-5772-4E90-82B5-FCABB91F8624} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Uwuzpy" /d "0"
5⤵
PID:896

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tjjbyywxn" /d "0"
5⤵
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll

MD5
1d18144f5aed798fda3dd86a316a7c7e

SHA1
01e73a919703d9dcdad4ac901d05a5a5a4071584

SHA256
7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

SHA512
4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll

MD5
1d18144f5aed798fda3dd86a316a7c7e

SHA1
01e73a919703d9dcdad4ac901d05a5a5a4071584

SHA256
7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

SHA512
4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Download Submit
memory/776-61-0x0000000000000000-mapping.dmp

Download
memory/776-65-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/776-63-0x0000000074091000-0x0000000074093000-memory.dmp

Filesize
8KB

Download
memory/776-60-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/868-82-0x0000000000000000-mapping.dmp

Download
memory/896-81-0x0000000000000000-mapping.dmp

Download
memory/980-59-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/980-58-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/980-57-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/980-56-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/980-55-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download
memory/980-54-0x0000000000000000-mapping.dmp

Download
memory/1020-75-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1020-72-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1020-74-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1020-69-0x0000000000000000-mapping.dmp

Download
memory/1032-64-0x0000000000000000-mapping.dmp

Download
memory/1160-67-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1160-66-0x0000000000000000-mapping.dmp

Download
memory/1772-77-0x0000000000000000-mapping.dmp

Download
memory/1772-83-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads