qakbot | ca187b89a76b3a9f79439d1e9c2cc4c23c0a2a11feb48a05c86544fd221d00a0

General

Target

24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Size

3.3MB
MD5

cee786b4749d4b5e24badefb484ec477
SHA1

921b1a83da80a75cc619a9ab96ce773da90c90c2
SHA256

24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec
SHA512

13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102
SSDEEP

98304:a9JLJa5P5QVZsTiMqKjxmecaafjkxD2EfX6EfFIVsnVkkzr1meX7HbY+uoDe+yFy:anNa5PrTiMqixmNaafjkD2sXnIVsK61j

Score

10^/10

qakbot tr 1638522901 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

tr

Campaign

1638522901

C2

189.252.173.60:32101

136.143.11.232:443

2.222.167.138:443

186.64.87.195:443

197.89.12.237:443

218.101.110.3:995

103.142.10.177:443

117.248.109.38:21

123.252.190.14:443

190.73.3.148:2222

89.137.52.44:443

194.36.28.26:443

93.48.80.198:995

217.17.56.163:2222

187.121.121.141:995

117.198.159.240:443

140.82.49.12:443

136.232.34.70:443

78.180.170.159:995

185.53.147.51:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Aueleo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Sgfnprwgufno = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4788 regsvr32.exe
Drops file in Windows directory 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

description ioc process

File opened for modification C:\Windows\ regsvr32.exe
File opened for modification C:\Windows\ regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2288 schtasks.exe

pid	process
4788	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\	regsvr32.exe
File opened for modification	C:\Windows\	regsvr32.exe

pid	process
2288	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\89ad705d = d91348af5f910d6ce65e97eeb89c34fbc9d4f40e0828d0a315dc6f0af3a77dd8425a42eb895191388037400f7cb3b99ec888ca5e8f0f048ba57faec774cadb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\bc32a013 = 949d82ed70e831f42eed8d463a9e53c6b536a70f3ff75a3d89a30702f1ad2035314301cabb6e0d15ec5ecfb1335926d94b4a025049ef2b4057e3fd9fa9305ee8defb3b9377b19495090a94d51737ad860d7c9370dc581dc431207e69f8fa111ed39ea74d78ed1d8ba2920eb381437ec23cdb1f9f4158f67055b5bff63d5198d4524e16839ea07498d14840b34e9118887ca109f4f2754a3b407b67c0f039781f2629	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\be73806f = e944b2b40cc4538b4224128b50434ef4bf3fa5eb35da3e4b58d7a2ab0cbab32950fd4a88797232412c16a995434dcf6ad764b0f98cffc8af78896565bcfca31b8a93508ecf2a7a47ac6c1569817842a9891408	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\6cfe70a = 30f859f7bb0aa09f3471909e74d8a22aa12f52f27102acfdd7fe197897800a555d7221f78736623e9eca604eba4d013b6c0d96f1d4a5efc27423d3dd59af08426a501e8c4bdfc918c270dbb4ec6ba3d1ecf81c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\89ad705d = d9135faf5f9138f1d564e85dcf97b2d08596e07b52a60f5068de8ccbd14dace171140a7a4d63fe3a6496b9dbd0780241849c69d35b88fcca9c67c20d2fd05ba9efea30d0c13c6e2dcf3d22e0cb17f439d8ccc1d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\7bc7a880 = 8d3747b12a7c6eef3b8f475fe06a3ba880a13bacf8a3fda7bb8da81f3468ee36859c66d6c04e99c2ed10b3b9039ea584a477dcf2c9889689778f7fe357346f0c193e882c31742f013924d7b812c811ba816e999fc9b47abba2b78d9c97389c6be78bfc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\c37bcfe5 = 81f6f2a2e85a97293105a16dc9e5d0574a53f84ef52b3709970ed4c12525e12879973cc499f8ace41603e2b8ab1f7beb8f675746f3e1b10271d5bec7a4b5e4211a270029c92ce576fbfe32ec2bc1b1f2de36d0bdb2ea314b7c5f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\48ec776 = ee47426965ef8a2f5027d472718aabd4599ca464f6f2ac2229b53ba5f30eaec079b6e617604a45bfff8e4eca3fdce411a4200b5089	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tdvxespij\f6e41fab = d281b690362443e273c39d93b2f1b431fa9fb9577063dc4990a793eb05b232ee55df68c13591e91e07134166e14b	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3864 regsvr32.exe
3864 regsvr32.exe
4788 regsvr32.exe
4788 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3864 regsvr32.exe
4788 regsvr32.exe

pid	process
3864	regsvr32.exe
3864	regsvr32.exe
4788	regsvr32.exe
4788	regsvr32.exe

pid	process
3864	regsvr32.exe
4788	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1912 wrote to memory of 3864	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 3864	1912	regsvr32.exe	regsvr32.exe
PID 1912 wrote to memory of 3864	1912	regsvr32.exe	regsvr32.exe
PID 3864 wrote to memory of 3092	3864	regsvr32.exe	explorer.exe
PID 3864 wrote to memory of 3092	3864	regsvr32.exe	explorer.exe
PID 3864 wrote to memory of 3092	3864	regsvr32.exe	explorer.exe
PID 3864 wrote to memory of 3092	3864	regsvr32.exe	explorer.exe
PID 3864 wrote to memory of 3092	3864	regsvr32.exe	explorer.exe
PID 3092 wrote to memory of 2288	3092	explorer.exe	schtasks.exe
PID 3092 wrote to memory of 2288	3092	explorer.exe	schtasks.exe
PID 3092 wrote to memory of 2288	3092	explorer.exe	schtasks.exe
PID 4080 wrote to memory of 4788	4080	regsvr32.exe	regsvr32.exe
PID 4080 wrote to memory of 4788	4080	regsvr32.exe	regsvr32.exe
PID 4080 wrote to memory of 4788	4080	regsvr32.exe	regsvr32.exe
PID 4788 wrote to memory of 4320	4788	regsvr32.exe	explorer.exe
PID 4788 wrote to memory of 4320	4788	regsvr32.exe	explorer.exe
PID 4788 wrote to memory of 4320	4788	regsvr32.exe	explorer.exe
PID 4788 wrote to memory of 4320	4788	regsvr32.exe	explorer.exe
PID 4788 wrote to memory of 4320	4788	regsvr32.exe	explorer.exe
PID 4320 wrote to memory of 1836	4320	explorer.exe	reg.exe
PID 4320 wrote to memory of 1836	4320	explorer.exe	reg.exe
PID 4320 wrote to memory of 4100	4320	explorer.exe	reg.exe
PID 4320 wrote to memory of 4100	4320	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ulwaftau /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll\"" /SC ONCE /Z /ST 03:59 /ET 04:11
4⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Aueleo" /d "0"
4⤵
- Windows security bypass
PID:1836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Sgfnprwgufno" /d "0"
4⤵
- Windows security bypass
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Filesize
3.3MB

MD5
cee786b4749d4b5e24badefb484ec477

SHA1
921b1a83da80a75cc619a9ab96ce773da90c90c2

SHA256
24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec

SHA512
13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102

Download Submit
C:\Users\Admin\AppData\Local\Temp\24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec.dll
Filesize
3.3MB

MD5
cee786b4749d4b5e24badefb484ec477

SHA1
921b1a83da80a75cc619a9ab96ce773da90c90c2

SHA256
24c5f884b0a8cca405035a6cecc43b0f835e13a617e4a12bd2d65d98c2d561ec

SHA512
13f25e9d93d721ef35a59f6a796c4d30aff7fef402b24cacea5d0e23d2d5ab8490d9c461d1463b6aa535ad4dbf23c9880112ad2187ccce5404f00670ba699102

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3092-139-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/3092-141-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/3092-142-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/3092-138-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/3092-137-0x0000000000D00000-0x0000000000D21000-memory.dmp

Filesize
132KB

Download
memory/3864-133-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3864-134-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download
memory/4320-149-0x0000000000BB0000-0x0000000000BD1000-memory.dmp

Filesize
132KB

Download
memory/4320-150-0x0000000000BB0000-0x0000000000BD1000-memory.dmp

Filesize
132KB

Download
memory/4320-151-0x0000000000BB0000-0x0000000000BD1000-memory.dmp

Filesize
132KB

Download
memory/4320-152-0x0000000000BB0000-0x0000000000BD1000-memory.dmp

Filesize
132KB

Download
memory/4320-154-0x0000000000BB0000-0x0000000000BD1000-memory.dmp

Filesize
132KB

Download
memory/4788-147-0x0000000010000000-0x00000000103DE000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads