qakbot | 7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

General

Target

7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll
Size

456KB
MD5

1d18144f5aed798fda3dd86a316a7c7e
SHA1

01e73a919703d9dcdad4ac901d05a5a5a4071584
SHA256

7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948
SHA512

4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

764 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1396 schtasks.exe

pid	process
764	regsvr32.exe

pid	process
1396	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\821a39d6 = 00e7b49b32f19b70fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\7231c177 = ba3cb1dcdb620d0c6f439bcb52e57b8619e3acd02eebe3aeb02a757c1fe1f5f5604b933ed3c22198898e5d130c9039cb1d379afb220c14b0f3d351abb573104ce983aeb76cdd50b441a8063eb0ce9e60a47451c00a78daec7c83de17e21d5192756fda	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\d78ae81 = 532de85cd09dbf9ba1574fbc849c0b5c223ff660dc870c41342d94d62dae70d00b527531abd3a71eb515015032099406eca0902678e556b1c33003969eaf6d170d7ea93ba13fcc69b66f3b09c43e87ea61d1764f8942fd237c12810e703e8205d535c87353d443	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\38e77ecf = 35c77a6831c10c892b04d2db311a33a3d200da66132b6fa1148f7490fa352853130e977082c539d45c0879c5118fc0b8b904fb86d0699070cbfb17ce51952b5aac9e454655888775a443693bd453df47e01fbadb8b2382101773c3b925908e5dce3b23679e88f4b9d084d3fa28eb3652fc340cd1ae0aac9503f68e8af0ba4d42653465	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\3aa65eb3 = edb1190ba57e0497587a45ae782e10f7812f6c840ab8e4ad35ed64a380cdb9f22e1d272ca12a5db260	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\ff12765c = 0171b18e79ed739f06add72453bc93e8e2f24246fd535522e0569b8cd709465d91d9f8b6502a4d1b8c5ce6867aa18fa556dcfcf3db7e0732d52db1c170	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\47ae1139 = 204a1933aa8f9d4c2e2b9c6868a71e458d89a9af00f2a54d5df7cb477e0a91b78501d61d08b34ebae1638c0143169dc75ad5802bc6b858ce161d282b6459f5abceed3f1f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\805b19aa = 1f9a4f1e9b852726ebb6508e8d714bf149c808cd19916450be305291df46b0ddffbf086f1e68cc0b688db1643b1d0a02ce1935c5a65a1618eaa5215a6820173d24eb67f7762be1b6f649fc11b587cb73436687634fa8689be69654087d6942d4c95612b96dfa7b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Elnfhkigco\d78ae81 = 532dff5cd09d8ac0995cb10f2f459ab8635fc70b4ece1de426728ce10091de43723bb51c532425c19b6375c395376b4075c3b9ab823e508c2eab9ea84f79e1c459f2c1bdf0f49fee32c7e544aee90fd45964	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2740 rundll32.exe
2740 rundll32.exe
764 regsvr32.exe
764 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2740 rundll32.exe
764 regsvr32.exe

pid	process
2740	rundll32.exe
2740	rundll32.exe
764	regsvr32.exe
764	regsvr32.exe

pid	process
2740	rundll32.exe
764	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2740 wrote to memory of 3636	2740	rundll32.exe	explorer.exe
PID 2740 wrote to memory of 3636	2740	rundll32.exe	explorer.exe
PID 2740 wrote to memory of 3636	2740	rundll32.exe	explorer.exe
PID 2740 wrote to memory of 3636	2740	rundll32.exe	explorer.exe
PID 2740 wrote to memory of 3636	2740	rundll32.exe	explorer.exe
PID 3636 wrote to memory of 1396	3636	explorer.exe	schtasks.exe
PID 3636 wrote to memory of 1396	3636	explorer.exe	schtasks.exe
PID 3636 wrote to memory of 1396	3636	explorer.exe	schtasks.exe
PID 1244 wrote to memory of 764	1244	regsvr32.exe	regsvr32.exe
PID 1244 wrote to memory of 764	1244	regsvr32.exe	regsvr32.exe
PID 1244 wrote to memory of 764	1244	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1816	764	regsvr32.exe	explorer.exe
PID 764 wrote to memory of 1816	764	regsvr32.exe	explorer.exe
PID 764 wrote to memory of 1816	764	regsvr32.exe	explorer.exe
PID 764 wrote to memory of 1816	764	regsvr32.exe	explorer.exe
PID 764 wrote to memory of 1816	764	regsvr32.exe	explorer.exe
PID 1816 wrote to memory of 3604	1816	explorer.exe	reg.exe
PID 1816 wrote to memory of 3604	1816	explorer.exe	reg.exe
PID 1816 wrote to memory of 900	1816	explorer.exe	reg.exe
PID 1816 wrote to memory of 900	1816	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn szhdmczceq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll\"" /SC ONCE /Z /ST 12:03 /ET 12:15
4⤵
- Creates scheduled task(s)
PID:1396

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ematyewrzy" /d "0"
4⤵
PID:3604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ohrruoiunid" /d "0"
4⤵
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll

MD5
1d18144f5aed798fda3dd86a316a7c7e

SHA1
01e73a919703d9dcdad4ac901d05a5a5a4071584

SHA256
7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

SHA512
4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Download Submit
\Users\Admin\AppData\Local\Temp\7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948.dll

MD5
1d18144f5aed798fda3dd86a316a7c7e

SHA1
01e73a919703d9dcdad4ac901d05a5a5a4071584

SHA256
7f425dcd6bebafba15f5f0887dd4701cf2d848b05c21fe429c9c2d37826ac948

SHA512
4e7ef7f043c297630b6ce00912f262a69ad0113a8f9ac7bd63b04540fd6329f609347824529b2d28f735701d8ab669fc50821ca7cbe26b77c502725038a108bc

Download Submit
memory/764-131-0x0000000003050000-0x00000000030FE000-memory.dmp

Filesize
696KB

Download
memory/764-128-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/764-130-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/764-126-0x0000000000000000-mapping.dmp

Download
memory/900-134-0x0000000000000000-mapping.dmp

Download
memory/1396-121-0x0000000000000000-mapping.dmp

Download
memory/1816-136-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1816-137-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1816-135-0x0000000000CA0000-0x0000000000CC1000-memory.dmp

Filesize
132KB

Download
memory/1816-132-0x0000000000000000-mapping.dmp

Download
memory/2740-115-0x0000000000000000-mapping.dmp

Download
memory/2740-116-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2740-118-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2740-117-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2740-119-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3604-133-0x0000000000000000-mapping.dmp

Download
memory/3636-124-0x00000000004F0000-0x0000000000511000-memory.dmp

Filesize
132KB

Download
memory/3636-123-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3636-122-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3636-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads