qakbot | 7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554

General

Target

7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
Size

2.4MB
MD5

34de339cf6809e622d246731e6cad0b7
SHA1

474a4804f13b858d43596ab2548637be6956d62b
SHA256

7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554
SHA512

13f0afef6864bf8e052b59fed740f200bc857034f9d523b10ecfde979d7e5ce2cc821a79dc73984fba64c92c043464da321a4f15559328967b2fc574a57320db

Score

10^/10

qakbot abc114 1608129413 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

401.138

Botnet

abc114

Campaign

1608129413

C2

86.127.22.190:443

35.139.242.207:443

108.190.194.146:2222

187.213.199.54:443

68.83.89.188:443

41.233.152.232:993

196.151.252.84:443

181.208.249.141:443

172.87.134.226:443

96.27.47.70:2222

83.110.109.78:2222

93.86.1.159:995

217.162.149.212:443

80.11.210.247:443

72.252.201.69:443

185.163.221.77:2222

189.62.175.92:22

95.76.27.6:443

45.77.115.208:443

187.213.82.104:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

5068 regsvr32.exe

pid	process
5068	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4444 schtasks.exe

pid	process
4444	schtasks.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400647F126EC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000b09c0ee8d8456d0c3cb83ca627b7e3e09f52c011ffd604333752ec6993087687000000000e8000000002000020000000a397ffa4e11a3fbe5a55f0fc0c46476f3f9eac8f07ce2a0ecc394bccd8bee46a800000000355c46bc740490be903041281955415c95254b4629c0aea3d49804c4de9bde143629c3d51b05993f4ddbabffc41dc9eb6d24b7cd1502b6f21562d67d501f5a778b046b3952da5836f996fbb39ed596d6bccb3c4e1628adc52402bea17703af6a4e1734f3cda30a9d90f66d5944d3392fb1bdfdc4dd0120274e2b1fe02e4b36a40000000cf65910d2591558260716ad8c3d39984cfcdcc64014465121f747ed9cecf9d121024cdfe75cbf3083353cb5ccf2312fa63345290e30f58f3f3bacbb240bbc2f7	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000002a21f88e09327eb3f2b11febd7f0871302b7edc2b453e97bf34478ec086a74b6000000000e8000000002000020000000364ef9e76dcad454736d90c690a7c3580f461f8b59f30b0e6f3eb940ebbcd270100d00003aaf306b30d521c6d16d723702c30adb1e4ba3c2d58a307850bea9f61540b89964ecca9bd0ae51205efbc41f318292e3587b2166c54018f8d8ce284ba9a669b4c21a7cae7418e12467c550c765a87959874f1cb6e7c2ed8c09821200a2bb4e06d34ef53f151224947486882ab64adf1f21b03f2ea565ea7c41e34e49a9b53c584021e085a00f3bcb42f4e639525adf4b7de0727700020f69b9f9d70698fda1cc3365491c695f7beaea24e71ec72ddce6c2fb15f7a9c09f698b0425a10e9c3102a9ffe17abf0d7da27fae1238c475160a5fed0e36c23bcc41e8aa8b9463facece74646322c859f85b6b3365669299303a92c1478d6ed0d3a120b0cc5f73151e851f516d9d9ce840fab4bdfd4a6bb14ec67e5b3d4ccbecee1093de436031e70b17959926502f3a77ec578255e9332121e2462e81fb2856ad5a214bab86d204f96f1ee0557ac62650b8c69d231503e07a1ee8013cad706b764801b1f661486064d9b7e8a94d9886a69d0a010482fb953fb5e7d01027c5a1f83c1011dc986d3d3638bed3e9f0e66838d90c37777f504f91faad0e9424daa3daa747d12f4b9d602c77422209469faf2c1835cedc6cfa507da7a961958f09e420dc63d3de5f558ac2422825efc011cdf475bb517a731962a53d00a29a320eb6517049d2b5021eda0f158e9f2ee52a196b630953e9be1721ad4abafba628ec995cfc37c2020222d7c53f69c6950941b127b96dd8973a7c6d14d05fa75cb2e5489308c6a74013f56dc097a066ac0bf0f0d8b80a829de58ebfd511792fc07cf711759a92f3523b4f9b7d6bbf204be36b253b92f9792c8061f836773413f94bb136536136be8030f20d97fdee649c14dcc78a9d4449314c169f3bf3a6f9db2d3f5a86366b62a7c5b65ec92c1f2393f7234113e513b257a28e03dab909a1cd784e5152e0355d541efa1a4de05a89b722a9afa208f8cd15f76ef417d56606b79f3bbf9f136016c49a36bcf5522b8c43fa02ec851da1ffcf3e0274c7151ac39fb8335873b2447da3bf2af5e254444c81f263b4f0c05b87490b0b74a05886b18c03cfe5c092ead83250206c669421390f818c246bd992246e983c3babd66c96ccf19fd73565ff32fd4d0f80abd639718da682ce9f8e47d8b711fceaa677e9b826243d5dc9f9381a8456bfac8c93b4fbc5044636ca17007d58abae97a5fdbd6d77dbe8e7fce6e3ca4a6e8072874a3cd5151f71b4f26c8600fd79112d62b27e6270c205320e968ea046362d519541ecbd451f029d9d18e99b78f3f07ed387377c5652e5fb23ee5c8f038094e78a22c3674996caa65eaf984bb8d33f80ff950cb926d00e2219ab12ca2760e8359db07d7f45d2320673158e1d03ff2bd6aefb54f8bfb1162929d6e0ba7f97ee064ebec364818eb64bb6c7d39cb2624edfef97365589ddf88d38bb43fdd53e696bd610e06407fe2e3a3376aa9930d82992e45dc369a0a19e4b51afc548924b66e35f668678d571711a9747e26ac0f1859a0b0073d2951fa9e86f94e2eb40ae63f015ac5001d51857a9808ad38129e06ef193f22cae340973c410a11dbc93bddfe504078f3e549f12fd3abcd6bfd343aca0174e46f65400ecf739aa4aeb59d065e91dd4928376a0036c41df1e4bdad867ac18ee3c9e4c80ad72cc0dc66042bcc7146d5b1521102fb06059650b5e8d1ede5dc49edbab0105baa3f5f13b07b627250c8f24eb5a5c7d5c3162bffd7cad56f827ea969d05eecc3b3f36464b6a9dea17716e38d732102358d95d44d8b0bab21b892a60432d73ecae4d3ca5bdfa93fc23ced225fcc292b70154594e6c608991475042288a59ba09981fb7735bef53d0e81af8241dfe04c9bd9202af8ed90cd3f79d7e3a712990f972ec269ad49ef408d6aa9080b1ccd989600c81395f5e2512a0c81788933030f3a617229281eef92cac1cd61e37598a195f6d5be26311cfd574fcc0a49c966148ed261af66c68370f470365c09e2ac56e5e005e1fc2d875e5f80ef5999d17349aff4cb38bd86816ed382db458f882ea33b6399bfffd2513e4578162f903e6e534815760dba882fa295c5ff9703298360a380547303b2d5449d2a5ca6d5f7a74655730832f512fddaf341a94f3a1b53fe4619693064cb3c29d42bd167eb2f79d1dec25bed7dd64ed4e8e235b2c858399350ed6346f747ea3c85218a82930ab13b1742f4fccc49946875ce4ce999cfdd67fffb90f84bf55c93faf13a35842263771c73d3328ee254f29e742c17ae38ea7a7bb14b3d0d80b4d80df18dd992f6c74b57f9d674027b95656af18b145841a49cc91ad3575fab1d37954c9bf6c3e42c6f1f89642b9368cbe9cedd3cf486bda7344b35552d846ef2dcb7a06b6f6708979443d547db71db04590991c27ac6956bb0f015f59d6a4b03142dfa400056def3e9d5351338f9ffead257ea7739f898976564eb2e6252977f4a61acab7a220e3e9c1ef775511997c24d243b379351ccac417171640f187c8ef1c174c371893213a9a7d3e98f95c25b175e975dfd09e1667de6dbd2d9ce5ac8908790ffde5931a723fa75ee66dbd352211dbe3699ee4f7ff4fce090542052471445b1e75d7ad72ad66492e01a18f5fbd5414415cf99f444e816332dac148fdcdd087f5fc99001c06c4b70698ecf109c4ccd6883d4fef01175af870702a19bb982b6651394d04b6c4135c2a0d76c99007349852ffac67b974b7b20e3cd323010368c30f7726bef8bf63ea2cf13298df3a79cbd02a76dc59368accc5e9313cd844c0e2e02a86093fd8a36b8e45d4b36c4023c1ce5bcb6bed4f46b5ac78a1ea2dbe4fa64cc5ed3f7e864759e7ba5b7444e3a1f6fbb6a399ac130e5468f97933771ac19624bc853ad4fe2fbc1761f1890029e94f479c2bb495a148b7548d9124e7a57f6a42fd071a41510ec81500faf5efab9b179830146243affd561979540b7f79ee9a002bf3f85269544a3e3a0570d1bad495ad42ce98c8ea69e5e2e170f36634262c96b139d2472e528a0f74ade51132bfacb6ee99117c73944ae5ee7247684a6b1bb07061b756da44c216cdb1f9132cd2db1ba4a1f730eea1e70eb6f7fa96a8ef8bae620836132783b5409c87fb10f12d097c2da1164242dcd00a2c99f80dd60ed23a8fefc964cc05e2187c109a9125221ad83e79eff8c7ade74a4b643e8773d99957aba24edb0265649b5bc6a1d6e7d7ebe6238d1b20f87cd10ad28965e9d51f0a580322eeaa568b47a1c9763d81123bb1fec0e6c52a79db489c4224aefdb25ae188972260a3762853477a1231beb8c295ddd691a60af9811bec8059aa83baccce054dd0e7fbc394b5fb05294b8f6e7f5af7299ad3e058bcbe242e79abc5348dc8b24471344f096f9c597becb81e6876fcc4fe7d4456b9ae2716eb173a5c854fe894979e62f9b717a3e897f20a6c5263d29040f08c97de0e7967c010ee9bf2fc8e60162a1237ace0abe1e06481c23923889bb9c6d74cf76052d5f798b0a5b525bee57933358cd0660c067c40f2398963369598e1a85426248b8705df9412c9a21c149c77ac993bb1b986cf0f012d82306b49d0cd2fd5c948f33c1e0a528b06695a2869edc551708ca96d052813536c73795637a8ffa7d708b4738180116a893015c1625869250bf955486e2332ced6cbe5c835c9bb37420244fc83414ef3e0ac4bdc7b831dabfd14362fb593ce8f4fcf8ca9a665816898cedeca948de9de945c312ec5b4095a90a639ad4d758d2e2dcb867dd975e933f7bdb74c6aceab8297aa8ccef2fce1b1815428dee4452f3963d66ae0a3049cdb4a7931467ece95938b0a84e01305e3c65baa0d779b443897e1edae6c138ecdda0750ff9e4992d0c35130d443c8e28c733559e8c648da9011bb194257ccf3d0ec64e4d5f2b0991e198dfdd8cd729206776b48f47e8b4e8c743db173ad453ae3925e3b081105cb4805c3a8a3771842c00f085bd56063198d488380b7c922349a31126c5564150ab69a2a85b491fc6510c19a2c5fdde1b135086827cd65647f4cdbf29d97158a0c3c43c5c294e648b8c1b0b1a17fc4b2e469d2aa84c60a09636af1786e89e1f4160519dd47032558d91556a604ebbbd12b114c51f201a659f41f5b2c8c54e5acd52747738b22a6755e14b69f78e3e56aea22c9e180b9db7d5929fc21d75abbe547cabf8a2e7e4ab8d076e08316b9b5c36a2dc16f06ce7379d64f6b0733336e22548a7886e075817ddb186f574c79adf2e983227fd4095c0f66d94904b220804ddf392cfdcd7462e5eb76af1d774cdccf630f42ca7efd20d3fecf6fafb6371dff35c714a81aabb20888f019ca8f5a1510c8bb8f2965df99cab5246c77de85ef4a425caa344a45d32640b2367457d9ac9f2f38e4d1b009155f1cba134d51c92883d94caece2e26b55938a04e41f73c83f6e0e4279aa179ed9f9177cb0ffb1eaf65c15d610d45adbc3ad9975ae8cdebcc36afae65abc9b14ee13ab5b23dabe8f27ce1a75ee573cccf6fa5694203ae44345160ce5644860adc765b4615e655a73ba584e5e87944b354fe3c52d8b1babb5aa62836d00b86ec0bae13182710228ab3380eed3bfc0d01a8fa7dded246a622de7f40879c78445bfd931dbca18f0214f4ef7db455f8bb54462d8d107f221c3a7f01ad92d91bc3ca7449b6aad181050830b102566d66358cc484c5b2f68585906c6d5cc672bac4d5f34427919a73b3819e5e9e5afcea97394afa4540000000fbd1c92a8cfa06107aa5ea9f4cce2d4ae40047d859110ed24c88c8ef9b99ca4c462958e4ae3ed5ac45ee9a85d2b7cd5a34679813b6d8ea954ec193ec61b44639	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400647F126EC"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3704 rundll32.exe
3704 rundll32.exe
3704 rundll32.exe
3704 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

3704 rundll32.exe

pid	process
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe

pid	process
3704	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 3512 wrote to memory of 3704	3512	rundll32.exe	rundll32.exe
PID 3512 wrote to memory of 3704	3512	rundll32.exe	rundll32.exe
PID 3512 wrote to memory of 3704	3512	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 4524	3704	rundll32.exe	explorer.exe
PID 3704 wrote to memory of 4524	3704	rundll32.exe	explorer.exe
PID 3704 wrote to memory of 4524	3704	rundll32.exe	explorer.exe
PID 3704 wrote to memory of 4524	3704	rundll32.exe	explorer.exe
PID 3704 wrote to memory of 4524	3704	rundll32.exe	explorer.exe
PID 4524 wrote to memory of 4444	4524	explorer.exe	schtasks.exe
PID 4524 wrote to memory of 4444	4524	explorer.exe	schtasks.exe
PID 4524 wrote to memory of 4444	4524	explorer.exe	schtasks.exe
PID 2020 wrote to memory of 5068	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 5068	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 5068	2020	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll,#1
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ajqoyrfwl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll\"" /SC ONCE /Z /ST 22:18 /ET 22:30
4⤵
- Creates scheduled task(s)
PID:4444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:824

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll"
2⤵
- Loads dropped DLL
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5068 -ip 5068
1⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
MD5
f2ab7f178e8f0d31656ecfcd3f0f28b2

SHA1
796abc27f6406fff3e361d7f2942816aa56fa6bc

SHA256
ffa4941fe7e97cb9c55190f305ba8984ec86f083cf7fa0d77d2ae4bb60949e0b

SHA512
00ed05f3c8d03c008df94e76873be426b24524383bca3147c0960b999cf5745721ca12992784a0a80fd13f7a26410463cab2f73c2b79bed8a83b6cb942c2f15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef0a71655a467280b779d52831b9e0e0a5c693ed9881a737ca3fdb2d2ae3554.dll
MD5
f2ab7f178e8f0d31656ecfcd3f0f28b2

SHA1
796abc27f6406fff3e361d7f2942816aa56fa6bc

SHA256
ffa4941fe7e97cb9c55190f305ba8984ec86f083cf7fa0d77d2ae4bb60949e0b

SHA512
00ed05f3c8d03c008df94e76873be426b24524383bca3147c0960b999cf5745721ca12992784a0a80fd13f7a26410463cab2f73c2b79bed8a83b6cb942c2f15c

Download Submit
memory/3704-134-0x0000000002150000-0x000000000233A000-memory.dmp

Filesize
1.9MB

Download
memory/3704-135-0x0000000010000000-0x0000000010270000-memory.dmp

Filesize
2.4MB

Download
memory/4524-136-0x0000000000890000-0x0000000000CC3000-memory.dmp

Filesize
4.2MB

Download
memory/4524-137-0x0000000000840000-0x0000000000875000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads