qakbot | 484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69

General

Target

484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll
Size

408KB
MD5

b4e811abbbf0d4bd450c770060711e03
SHA1

6992cf181ce54ef41b02d5c376f3e947dd763699
SHA256

484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69
SHA512

c3ff11834cb6a45a687a616905c133ed2f6ed2db7fe1d8619c7cafa356ae20b1714ac5cf758a30ee1b731902db3fff7057f0d55058fc54017b72bc0557cba592

Score

10^/10

qakbot gml01 1647501143 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.549

Botnet

gml01

Campaign

1647501143

C2

76.69.155.202:2222

75.99.168.194:443

129.208.30.2:995

93.48.80.198:995

108.60.213.141:443

176.67.56.94:443

148.64.96.100:443

47.180.172.159:443

47.51.47.182:995

2.42.176.91:443

140.82.49.12:443

197.167.5.180:993

131.154.102.171:32100

86.195.158.178:2222

114.79.148.170:443

201.176.1.223:995

217.165.79.31:443

24.43.99.75:443

5.32.41.45:443

180.129.97.57:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Gwsylz = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Mnoidg = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4388 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2968 schtasks.exe

pid	process
4388	regsvr32.exe

pid	process
2968	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\20255849 = 427a55a2def12ae6c8163feaca192eeb07bc32538a87bad9db10b449f84e92f3ed17857762d2f5f02de11adffc9a6cbe7e672097fceedaf23e7c3f0bb5f2a0a9b785640b4f33fc2d4d8912f8c31240ec41fd37747aa3dc75218d2cc25db0f42630c0ab0473e2a48653d277	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\15ba8807 = 5878b3185d6f92791b34a0270339682049476e370f4c5149ddff4f44fe93d6e6ee819e5f0c6f75e119dc89d921c8624c067de08780785133ac444329965806064dc4a1bfe515ebbe8d0edd095d063ff5d2022a201d0766bc2fbf215deb9d33ddada2757ae156b0abff797a8e08a2052c91df413057a2c7049de21a2049169788eb9b327485e42bd0d365e5fd8a772eff3fde22dda8d098dcb6f4ce3bbc3cf9b7a4d21583a2bebecbc00f793b2b42bbd9c042ac6cba2a9152f86318a9db3f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\af47cf1e = ffced7cf44b8c0066660ff5f437bfeff394c69ef83c2fb32b28b773372f879400a183611553cc1f02cf5676616d2ce99b27994fb5a7b27f3e78f0f634ebce864e3e81f3d720c7c22d6592e91199964db0b30ededa627980a1062fe08fecb44	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\ad06ef62 = e60465f4058a57cba9d451ce81eade82055fd610d57c50e4b18bab4e12202f186de3f16d2e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\17fba87b = 03c1b27632fcf300b6554a1d74ed09938a3c16bbaa713c55316699c05b4d66c714b93d6b827f41f1883d5bdb3047326d4ff62addfb2637804cd6c68259c7eda705249b3d319096c0f03dd7369e383670a802f68c8f5f6edbe7d26238a34b074045c16be3dc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\d24f8094 = 0bbe19b3f44b7bd135e4f7be58ddedf7b7a45078ab64382606af9d211245191b90ab9ba0b348662f08e423d5588f3eee31e953c85e50f3db8dbf7715bdb8a06d8d1f4359ce9087c9f0d7bc5a9a7839a7ef	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\6af3e7f1 = 406cd7e2912b9190c2793f688b253749102cc71d4cd1d2cf430b037c8610d84d9b3dfa98c86f1887f87d6f28c1692442ec9cc65a08c91744ec3f4b1c4af26e05d8815cf2efdf1664fb03ef7328ea22f90b269a1f9aed6ce8d485e067f785278cd527d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\5f6c37bf = 92f29855c1e220bf28a352358d3c7a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yuoxcxspofhe\20255849 = 427a42a2def11fc8701a90e687e0fd54f512d2d6eb48da435953a1acd8895b7967df8b2854dbce10a2f1df259803270f951796201ee254ac2fe499669f49471c2814731a50f0b21a03a5f837473cbb8166ace25cba0e2250dde0f97b1061acd650c3b0e9787e1ca21901047440630d5aa897005b98458cc9e01f52b58eb79a6e	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
1152	regsvr32.exe
1152	regsvr32.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe
1936	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1152 regsvr32.exe
4388 regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 400 wrote to memory of 1152	400	regsvr32.exe	regsvr32.exe
PID 400 wrote to memory of 1152	400	regsvr32.exe	regsvr32.exe
PID 400 wrote to memory of 1152	400	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 1936	1152	regsvr32.exe	explorer.exe
PID 1152 wrote to memory of 1936	1152	regsvr32.exe	explorer.exe
PID 1152 wrote to memory of 1936	1152	regsvr32.exe	explorer.exe
PID 1152 wrote to memory of 1936	1152	regsvr32.exe	explorer.exe
PID 1152 wrote to memory of 1936	1152	regsvr32.exe	explorer.exe
PID 1936 wrote to memory of 2968	1936	explorer.exe	schtasks.exe
PID 1936 wrote to memory of 2968	1936	explorer.exe	schtasks.exe
PID 1936 wrote to memory of 2968	1936	explorer.exe	schtasks.exe
PID 4488 wrote to memory of 4388	4488	regsvr32.exe	regsvr32.exe
PID 4488 wrote to memory of 4388	4488	regsvr32.exe	regsvr32.exe
PID 4488 wrote to memory of 4388	4488	regsvr32.exe	regsvr32.exe
PID 4388 wrote to memory of 4456	4388	regsvr32.exe	explorer.exe
PID 4388 wrote to memory of 4456	4388	regsvr32.exe	explorer.exe
PID 4388 wrote to memory of 4456	4388	regsvr32.exe	explorer.exe
PID 4388 wrote to memory of 4456	4388	regsvr32.exe	explorer.exe
PID 4388 wrote to memory of 4456	4388	regsvr32.exe	explorer.exe
PID 4456 wrote to memory of 1760	4456	explorer.exe	reg.exe
PID 4456 wrote to memory of 1760	4456	explorer.exe	reg.exe
PID 4456 wrote to memory of 3440	4456	explorer.exe	reg.exe
PID 4456 wrote to memory of 3440	4456	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rmwvwuz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll\"" /SC ONCE /Z /ST 07:28 /ET 07:40
4⤵
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gwsylz" /d "0"
4⤵
- Windows security bypass
PID:1760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Mnoidg" /d "0"
4⤵
- Windows security bypass
PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll
Filesize
408KB

MD5
b4e811abbbf0d4bd450c770060711e03

SHA1
6992cf181ce54ef41b02d5c376f3e947dd763699

SHA256
484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69

SHA512
c3ff11834cb6a45a687a616905c133ed2f6ed2db7fe1d8619c7cafa356ae20b1714ac5cf758a30ee1b731902db3fff7057f0d55058fc54017b72bc0557cba592

Download Submit
C:\Users\Admin\AppData\Local\Temp\484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69.dll
Filesize
408KB

MD5
b4e811abbbf0d4bd450c770060711e03

SHA1
6992cf181ce54ef41b02d5c376f3e947dd763699

SHA256
484aa7139e61f466aadc3bfbfafb19c9b0b46753431eec1dd00c7cec27231f69

SHA512
c3ff11834cb6a45a687a616905c133ed2f6ed2db7fe1d8619c7cafa356ae20b1714ac5cf758a30ee1b731902db3fff7057f0d55058fc54017b72bc0557cba592

Download Submit
memory/1152-130-0x0000000000000000-mapping.dmp

Download
memory/1760-140-0x0000000000000000-mapping.dmp

Download
memory/1936-131-0x0000000000000000-mapping.dmp

Download
memory/1936-133-0x0000000001390000-0x00000000013FC000-memory.dmp

Filesize
432KB

Download
memory/1936-134-0x0000000001390000-0x00000000013FC000-memory.dmp

Filesize
432KB

Download
memory/2968-132-0x0000000000000000-mapping.dmp

Download
memory/3440-141-0x0000000000000000-mapping.dmp

Download
memory/4388-136-0x0000000000000000-mapping.dmp

Download
memory/4456-138-0x0000000000000000-mapping.dmp

Download
memory/4456-139-0x0000000000740000-0x00000000007AC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads