qakbot | d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7c0c6bf571abf5de7d8d6e7131c2ad9.dll
Size

431KB
MD5

a7c0c6bf571abf5de7d8d6e7131c2ad9
SHA1

804ad99fbf3636a5cec3e2c242698db2feb726ab
SHA256

d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc
SHA512

7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1
SSDEEP

6144:dENSSm9kFIxN8yzjJbszIARC7I+8Gbcbfu4Vj6m+Ogu55wL/JYCDwrP:dEMSK4x4jBDARsTdgq4kmNguUL/SCiP

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

Campaign

1632817399

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Grntr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Vwpaxtqqtsq = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2456	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2768	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\b22f48cc = 2dd494b39055cfbf238bf843c6aadff81bd1ec9894c0a0d29d1203c898ee65ddbc367f51a668f25f13f22e22bf2d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\cd66273a = f298441f2b46412d6113113fa6aa974a6ad20a72774519124d91c2eb8a17acfb187b16f31d489c134140d650cd41d0a07c24faac792d966f8b8817c8dd2dc57d3ad3b8ac0159dd061851034ce2c2f9df3370d64c935a1829ab4a92aafcd2085b81ee627f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\f8f9f774 = 5ad7f2de6926b9d5b208051a9e274078840d59d9bdcd19a48bcb3ce5e4dcbfd0ee2990f1e1ebd144606c990b4a968572dd024006c719c098cba7cf81f9d592dd8b24da36a9aae316fbb4d408b137cb46a7396039b469bb242365c327809ebfdab4574577e34fbb7f9ed7709ccaa7e27f068a5c4e6ce25fe78253d1ae2e9189ca1a388c5163201fe9f949ff589e4eaee6bcc9c60952eec87b894f5c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\3f0cffe7 = 013a55a8a862a0a49ea48c06a200ff9d0490671fcaa5e69b50709209b2bddb334ded3b7faaf0277facce6827e0c4b67fceadb0de266557a5eb8950f6323787eceb5aca6683a46c1794ae5c1662	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\fab8d708 = cfaf942cba7484d29d3e99cbad5192a4c2e10f7f13a064c91685dae88d9b69c46f4e3426f76c1d265e3fd9eb6ff66f7cb3ad58d81fa657824cc0e10bfab3568540c282efa494894d642bdda803646fe34074c1184e61722480c2017b3f96d4a11d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\4204b06d = bd13306866a5a47aae3781992127e6aca8b20c213b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\87b09882 = 4457cf8b457e5e46d4bc9f95fcfffdd0be2d8e5dcbe664874a46dc97e64dfad70b3fe1aaacca9515e9968a58d7af400a3692480fa7fd9a34329b1b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\40459011 = d108b98cbbb623cec6025ccde5c20b0540f49a7e1fbacecfa88c634e23ba4f39f388b555cb672062c038a2c428f209244b56a9dbdbecbd672b23eeac0322c9b76f432646a6506c6f3f93e0776f38032c59f1c4313fbf63837cccb3f39e0c4e0d4fd7c2ea0d179894b5519287	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fyjyapkda	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fyjyapkda\cd66273a = f298531f2b46747387206d585287a45e7dfe321006e9ab1244257ab498921c05e77b884d7ecf4429e1110cf9a074f465cc631851db8fd998676cf21b76b4eb2855f7893e09f5e1c918d2f2575fe695	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
1784	rundll32.exe
2456	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
1784	rundll32.exe
2456	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 3004 wrote to memory of 1784	3004	rundll32.exe	16
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 1784 wrote to memory of 2708	1784	rundll32.exe	29
PID 2708 wrote to memory of 2768	2708	explorer.exe	30
PID 2708 wrote to memory of 2768	2708	explorer.exe	30
PID 2708 wrote to memory of 2768	2708	explorer.exe	30
PID 2708 wrote to memory of 2768	2708	explorer.exe	30
PID 2464 wrote to memory of 1124	2464	taskeng.exe	35
PID 2464 wrote to memory of 1124	2464	taskeng.exe	35
PID 2464 wrote to memory of 1124	2464	taskeng.exe	35
PID 2464 wrote to memory of 1124	2464	taskeng.exe	35
PID 2464 wrote to memory of 1124	2464	taskeng.exe	35
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 1124 wrote to memory of 2456	1124	regsvr32.exe	36
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2456 wrote to memory of 2412	2456	regsvr32.exe	37
PID 2412 wrote to memory of 2228	2412	explorer.exe	38
PID 2412 wrote to memory of 2228	2412	explorer.exe	38
PID 2412 wrote to memory of 2228	2412	explorer.exe	38
PID 2412 wrote to memory of 2228	2412	explorer.exe	38
PID 2412 wrote to memory of 1892	2412	explorer.exe	40
PID 2412 wrote to memory of 1892	2412	explorer.exe	40
PID 2412 wrote to memory of 1892	2412	explorer.exe	40
PID 2412 wrote to memory of 1892	2412	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aeytwibiz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll\"" /SC ONCE /Z /ST 16:28 /ET 16:40
      4⤵
      Creates scheduled task(s)
      PID:2768

C:\Windows\system32\taskeng.exe
taskeng.exe {BC4E3223-EF53-418C-8CBF-B9ECB71E3CD5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Grntr" /d "0"
        5⤵
        Windows security bypass
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Vwpaxtqqtsq" /d "0"
        5⤵
        Windows security bypass
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll

Filesize
431KB

MD5
a7c0c6bf571abf5de7d8d6e7131c2ad9

SHA1
804ad99fbf3636a5cec3e2c242698db2feb726ab

SHA256
d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

SHA512
7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1

Download Submit
memory/1784-1-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1784-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1784-0-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1784-7-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2412-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2412-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2456-20-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2456-26-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2456-19-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2708-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2708-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download