qakbot | ca187b89a76b3a9f79439d1e9c2cc4c23c0a2a11feb48a05c86544fd221d00a0

General

Target

24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Size

3.3MB
MD5

cee786b4749d4b5e24badefb484ec477
SHA1

921b1a83da80a75cc619a9ab96ce773da90c90c2
SHA256

24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec
SHA512

13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102
SSDEEP

98304:a9JLJa5P5QVZsTiMqKjxmecaafjkxD2EfX6EfFIVsnVkkzr1meX7HbY+uoDe+yFy:anNa5PrTiMqixmNaafjkD2sXnIVsK61j

Score

10^/10

qakbot tr 1638522901 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

tr

Campaign

1638522901

C2

189.252.173.60:32101

136.143.11.232:443

2.222.167.138:443

186.64.87.195:443

197.89.12.237:443

218.101.110.3:995

103.142.10.177:443

117.248.109.38:21

123.252.190.14:443

190.73.3.148:2222

89.137.52.44:443

194.36.28.26:443

93.48.80.198:995

217.17.56.163:2222

187.121.121.141:995

117.198.159.240:443

140.82.49.12:443

136.232.34.70:443

78.180.170.159:995

185.53.147.51:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Yaffvjy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Weearugl = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

112 regsvr32.exe
Drops file in Windows directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
File opened for modification C:\Windows\ regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe

pid	process
112	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe
File opened for modification	C:\Windows\	regsvr32.exe

pid	process
268	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ykpkuorpyofgio	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\813f00c6 = 75d08ec8165ffb1b7800160fcce8519d809b0f130d91bc2144895049b760a70f17af5aacd293e0c1944db146c80d459fcb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\b4a0d088 = a79a3f6b311e6968853c78d2f48875f054a6daa388a9b562f5f2c5065579bbf6aaa1d9d61e402b550726617f9e18c56ac8e9b104c4ee60c920b0bde0e429a786c04f02fe68b775a427f27929de1bb2fffdf1830e5ae555a4188fef809720b139e3d29ae28244a2b700689f26f52c6ef9b3505e7aca4d62359b651c47b93c2445123ea920001f2d8c49dab47241cd2df39c4915bdd16a24d81af7f65a0d7022ff7f20038c35856e4394a4e9850d8190ab426cc2b2ab647d6d450c552b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\b6e1f0f4 = e78318da183d3419b183fc10df66459391b9e683fcba9f87381c5945647a0072a48d62e1d8dac71fc0b96627be03584fff5f1afd7b5d4b9073ba0c59629fe4bf80512ed62e87	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\e5d9791 = 7fe376f72ef241db206b9ee200da01e6a3a5fde3f07b9f52014ca519a88437c017	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\7355d81b = 9b9bcba16993ea1f37c8071c9b7c83cb9aec1bac309402093358774d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\c1cb7ed = 74e618697f4cc2d1cb120cfbd2fc76decf87d282a67173afa3caaf1c1d8fb9a073cf7230fd5ae88f3f6843d500bafd3a253469df5f8626df2f52f6999fb1b7f8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\cbe9bf7e = ff59faf0b0cc9a467022c68eb8799ef16753701e3139630657da3a9707beb1d2230116055a9a09b649118c07665b70c068d86d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\fe766f30 = 129e7b4a7069355c7b4091e4f9e45a90c7b6f6052138d0cd1c5b40a772c55bdd9b94981182eb03c0bba2e9774c8599744d1f5ffe1be563b6bfd56d951917b82512c9e508dea8d5890bfa44ada2952f0441aa9c46ed283162102f1f60d4e5edd3b60b5fa2cb136397680c89ab2d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ykpkuorpyofgio\813f00c6 = 75d099c8165fce5809b28665cfba983bf249de761df416fa5e5acc0eaa300b6a8200f7fb609d3863dd5a19b766e188bc3299519760abfdb673680ad963c28a481c5ad53b53b1	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

832 regsvr32.exe
112 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

832 regsvr32.exe
112 regsvr32.exe

pid	process
832	regsvr32.exe
112	regsvr32.exe

pid	process
832	regsvr32.exe
112	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 832	1388	regsvr32.exe	regsvr32.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 832 wrote to memory of 836	832	regsvr32.exe	explorer.exe
PID 836 wrote to memory of 268	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 268	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 268	836	explorer.exe	schtasks.exe
PID 836 wrote to memory of 268	836	explorer.exe	schtasks.exe
PID 1724 wrote to memory of 904	1724	taskeng.exe	regsvr32.exe
PID 1724 wrote to memory of 904	1724	taskeng.exe	regsvr32.exe
PID 1724 wrote to memory of 904	1724	taskeng.exe	regsvr32.exe
PID 1724 wrote to memory of 904	1724	taskeng.exe	regsvr32.exe
PID 1724 wrote to memory of 904	1724	taskeng.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 112	904	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 112 wrote to memory of 316	112	regsvr32.exe	explorer.exe
PID 316 wrote to memory of 1288	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1288	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1288	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1288	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1004	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1004	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1004	316	explorer.exe	reg.exe
PID 316 wrote to memory of 1004	316	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ujbpvhxq /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll\"" /SC ONCE /Z /ST 03:59 /ET 04:11
4⤵
- Creates scheduled task(s)
PID:268

C:\Windows\system32\taskeng.exe
taskeng.exe {EF37E1F2-6FED-4C2F-ADD9-1652BD9A4D96} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll"
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Yaffvjy" /d "0"
5⤵
- Windows security bypass
PID:1288

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Weearugl" /d "0"
5⤵
- Windows security bypass
PID:1004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Filesize
3.3MB

MD5
cee786b4749d4b5e24badefb484ec477

SHA1
921b1a83da80a75cc619a9ab96ce773da90c90c2

SHA256
24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec

SHA512
13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102

Download Submit
\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Filesize
3.3MB

MD5
cee786b4749d4b5e24badefb484ec477

SHA1
921b1a83da80a75cc619a9ab96ce773da90c90c2

SHA256
24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec

SHA512
13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102

Download Submit
memory/112-70-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download
memory/112-72-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download
memory/316-79-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/316-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/316-76-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/316-75-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/316-73-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/832-55-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download
memory/832-58-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download
memory/832-54-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/836-57-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-65-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-64-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-62-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-63-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-61-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/836-56-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads