qakbot | d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

General

Target

a7c0c6bf571abf5de7d8d6e7131c2ad9.dll
Size

431KB
MD5

a7c0c6bf571abf5de7d8d6e7131c2ad9
SHA1

804ad99fbf3636a5cec3e2c242698db2feb726ab
SHA256

d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc
SHA512

7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1
SSDEEP

6144:dENSSm9kFIxN8yzjJbszIARC7I+8Gbcbfu4Vj6m+Ogu55wL/JYCDwrP:dEMSK4x4jBDARsTdgq4kmNguUL/SCiP

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Grntr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Vwpaxtqqtsq = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2456 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2768 schtasks.exe

pid	process
2456	regsvr32.exe

pid	process
2768	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\b22f48cc = 2dd494b39055cfbf238bf843c6aadff81bd1ec9894c0a0d29d1203c898ee65ddbc367f51a668f25f13f22e22bf2d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\cd66273a = f298441f2b46412d6113113fa6aa974a6ad20a72774519124d91c2eb8a17acfb187b16f31d489c134140d650cd41d0a07c24faac792d966f8b8817c8dd2dc57d3ad3b8ac0159dd061851034ce2c2f9df3370d64c935a1829ab4a92aafcd2085b81ee627f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\f8f9f774 = 5ad7f2de6926b9d5b208051a9e274078840d59d9bdcd19a48bcb3ce5e4dcbfd0ee2990f1e1ebd144606c990b4a968572dd024006c719c098cba7cf81f9d592dd8b24da36a9aae316fbb4d408b137cb46a7396039b469bb242365c327809ebfdab4574577e34fbb7f9ed7709ccaa7e27f068a5c4e6ce25fe78253d1ae2e9189ca1a388c5163201fe9f949ff589e4eaee6bcc9c60952eec87b894f5c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\3f0cffe7 = 013a55a8a862a0a49ea48c06a200ff9d0490671fcaa5e69b50709209b2bddb334ded3b7faaf0277facce6827e0c4b67fceadb0de266557a5eb8950f6323787eceb5aca6683a46c1794ae5c1662	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\fab8d708 = cfaf942cba7484d29d3e99cbad5192a4c2e10f7f13a064c91685dae88d9b69c46f4e3426f76c1d265e3fd9eb6ff66f7cb3ad58d81fa657824cc0e10bfab3568540c282efa494894d642bdda803646fe34074c1184e61722480c2017b3f96d4a11d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\4204b06d = bd13306866a5a47aae3781992127e6aca8b20c213b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\87b09882 = 4457cf8b457e5e46d4bc9f95fcfffdd0be2d8e5dcbe664874a46dc97e64dfad70b3fe1aaacca9515e9968a58d7af400a3692480fa7fd9a34329b1b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\40459011 = d108b98cbbb623cec6025ccde5c20b0540f49a7e1fbacecfa88c634e23ba4f39f388b555cb672062c038a2c428f209244b56a9dbdbecbd672b23eeac0322c9b76f432646a6506c6f3f93e0776f38032c59f1c4313fbf63837cccb3f39e0c4e0d4fd7c2ea0d179894b5519287	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjyapkda	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\cd66273a = f298531f2b46747387206d585287a45e7dfe321006e9ab1244257ab498921c05e77b884d7ecf4429e1110cf9a074f465cc631851db8fd998676cf21b76b4eb2855f7893e09f5e1c918d2f2575fe695	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1784 rundll32.exe
2456 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1784 rundll32.exe
2456 regsvr32.exe

pid	process
1784	rundll32.exe
2456	regsvr32.exe

pid	process
1784	rundll32.exe
2456	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1784	3004	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 1784 wrote to memory of 2708	1784	rundll32.exe	explorer.exe
PID 2708 wrote to memory of 2768	2708	explorer.exe	schtasks.exe
PID 2708 wrote to memory of 2768	2708	explorer.exe	schtasks.exe
PID 2708 wrote to memory of 2768	2708	explorer.exe	schtasks.exe
PID 2708 wrote to memory of 2768	2708	explorer.exe	schtasks.exe
PID 2464 wrote to memory of 1124	2464	taskeng.exe	regsvr32.exe
PID 2464 wrote to memory of 1124	2464	taskeng.exe	regsvr32.exe
PID 2464 wrote to memory of 1124	2464	taskeng.exe	regsvr32.exe
PID 2464 wrote to memory of 1124	2464	taskeng.exe	regsvr32.exe
PID 2464 wrote to memory of 1124	2464	taskeng.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	regsvr32.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	explorer.exe
PID 2412 wrote to memory of 2228	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 2228	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 2228	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 2228	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 1892	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 1892	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 1892	2412	explorer.exe	reg.exe
PID 2412 wrote to memory of 1892	2412	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aeytwibiz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll\"" /SC ONCE /Z /ST 16:28 /ET 16:40
4⤵
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {BC4E3223-EF53-418C-8CBF-B9ECB71E3CD5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Grntr" /d "0"
5⤵
- Windows security bypass
PID:2228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Vwpaxtqqtsq" /d "0"
5⤵
- Windows security bypass
PID:1892

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll
Filesize
431KB

MD5
a7c0c6bf571abf5de7d8d6e7131c2ad9

SHA1
804ad99fbf3636a5cec3e2c242698db2feb726ab

SHA256
d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

SHA512
7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1

Download Submit
memory/1784-1-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1784-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1784-0-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1784-7-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2412-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2456-20-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2456-26-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2456-19-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2708-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads