qakbot | d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

General

Target

a7c0c6bf571abf5de7d8d6e7131c2ad9.dll
Size

431KB
MD5

a7c0c6bf571abf5de7d8d6e7131c2ad9
SHA1

804ad99fbf3636a5cec3e2c242698db2feb726ab
SHA256

d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc
SHA512

7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1
SSDEEP

6144:dENSSm9kFIxN8yzjJbszIARC7I+8Gbcbfu4Vj6m+Ogu55wL/JYCDwrP:dEMSK4x4jBDARsTdgq4kmNguUL/SCiP

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Clsyjyrnll = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ohyiixfnld = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4480 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2132 schtasks.exe

pid	process
4480	regsvr32.exe

pid	process
2132	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\4a0c6102 = 5ff3404c8ea039cbeb6e822e39a6cac704b877641cafa9b43d926bc5cba24e106ad2b12371908f3689996f017b96d96a94400716ad8e6eae5103d370cd03c9d86b0272fa4eee12514d4ba287d9b07defc36e4d66e5d224671afa93902aff830ed8be4563c5446739dcafb8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\f2b00667 = 2c5a3f8089d64a0f76426c4889c87784bd7f2acee5cda4777c399572a1f6b6c3ac807656ad3aa02130fb7631d2a8ca4edd8055c3f3d0427423e5fb57	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\8fb849ed = 1570536ea5b00571dea8a6a3186ad19b19b3318837a382ec228946e4f56fb62c4f35d91ee574abe5562cf798803181e0676d6411a100479811666d2afa074f8babca3da61728e37b98b63d484abacdaab5cce9960e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\37042e88 = 26e9ebac7e60960f23a004fb9437169ff5a12bd01e16094daff8a998dc5a9894b456b0a19d8278afd8210270298c21bd28a5aaf4394669a962e68f45f360c6f2e44ca79d45730bf455e688c155405827b4a5d0c2b018c033f0c272f65bb8b6456702650995a03c2a56d14828	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\29bfec6 = 21af1887ec0c0d36631e4e6e846da8306619350ab644ba0dbaf186569e2c46890b688862acd08ab611a35431b01855c97fa6322939d4636076c2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\7dd29130 = 668288ec4616e523a4e19d60859490e4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\484d417e = f97169aa495b44b5783694d55bdf6712dcffd423bd5c9caed646096942890850f0551b3a110a8b817b7883e0754b385032e31c34d1263a3d1556d4355b2eb75785ff963a98066681ee6518caac63dd7726270f2e68487c425ac71f81235c6c8a20eef23edc6a2ecba843356dd1392b9ac0daecea38aab48376842356c59a6bfaed530c4233346adef0b2362dea4c494356df127635	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\f0f1261b = 3ea405a0a050d9a4ebf408ddde193dd34d51dab83969db70eb7e0ae5cacd9643e085d0ac9ef21135fa6de3507fc7f57c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Igyhuisdoy\7dd29130 = 66829fec4616d0b85730044576477364a2fdc077d2886715352e42ac79ba060c3ff58a487f	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3184 rundll32.exe
3184 rundll32.exe
4480 regsvr32.exe
4480 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3184 rundll32.exe
4480 regsvr32.exe

pid	process
3184	rundll32.exe
3184	rundll32.exe
4480	regsvr32.exe
4480	regsvr32.exe

pid	process
3184	rundll32.exe
4480	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2620 wrote to memory of 3184	2620	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 3184	2620	rundll32.exe	rundll32.exe
PID 2620 wrote to memory of 3184	2620	rundll32.exe	rundll32.exe
PID 3184 wrote to memory of 3708	3184	rundll32.exe	explorer.exe
PID 3184 wrote to memory of 3708	3184	rundll32.exe	explorer.exe
PID 3184 wrote to memory of 3708	3184	rundll32.exe	explorer.exe
PID 3184 wrote to memory of 3708	3184	rundll32.exe	explorer.exe
PID 3184 wrote to memory of 3708	3184	rundll32.exe	explorer.exe
PID 3708 wrote to memory of 2132	3708	explorer.exe	schtasks.exe
PID 3708 wrote to memory of 2132	3708	explorer.exe	schtasks.exe
PID 3708 wrote to memory of 2132	3708	explorer.exe	schtasks.exe
PID 984 wrote to memory of 4480	984	regsvr32.exe	regsvr32.exe
PID 984 wrote to memory of 4480	984	regsvr32.exe	regsvr32.exe
PID 984 wrote to memory of 4480	984	regsvr32.exe	regsvr32.exe
PID 4480 wrote to memory of 3900	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 3900	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 3900	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 3900	4480	regsvr32.exe	explorer.exe
PID 4480 wrote to memory of 3900	4480	regsvr32.exe	explorer.exe
PID 3900 wrote to memory of 4208	3900	explorer.exe	reg.exe
PID 3900 wrote to memory of 4208	3900	explorer.exe	reg.exe
PID 3900 wrote to memory of 560	3900	explorer.exe	reg.exe
PID 3900 wrote to memory of 560	3900	explorer.exe	reg.exe

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pxhsriochz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll\"" /SC ONCE /Z /ST 16:28 /ET 16:40
3⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Clsyjyrnll" /d "0"
4⤵
- Windows security bypass
PID:4208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ohyiixfnld" /d "0"
4⤵
- Windows security bypass
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7c0c6bf571abf5de7d8d6e7131c2ad9.dll
Filesize
431KB

MD5
a7c0c6bf571abf5de7d8d6e7131c2ad9

SHA1
804ad99fbf3636a5cec3e2c242698db2feb726ab

SHA256
d6b72a3b670cb4bf967247032193169b6530ef8145bdef72e986ac817a7577cc

SHA512
7612c10bb07b8581f9669859a42b27e2f8f12aa1e96baa1fe65b1d07daba3bebff6696811383fb442d3554154705724030ae4f1a33864b012c5ad73e0400d7d1

Download Submit
memory/3184-0-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3184-2-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3184-4-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3184-1-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3184-6-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3708-11-0x0000000000EA0000-0x0000000000EC1000-memory.dmp

Filesize
132KB

Download
memory/3708-10-0x0000000000EA0000-0x0000000000EC1000-memory.dmp

Filesize
132KB

Download
memory/3708-9-0x0000000000EA0000-0x0000000000EC1000-memory.dmp

Filesize
132KB

Download
memory/3708-13-0x0000000000EA0000-0x0000000000EC1000-memory.dmp

Filesize
132KB

Download
memory/3708-5-0x0000000000EA0000-0x0000000000EC1000-memory.dmp

Filesize
132KB

Download
memory/3900-22-0x0000000000F20000-0x0000000000F41000-memory.dmp

Filesize
132KB

Download
memory/3900-24-0x0000000000F20000-0x0000000000F41000-memory.dmp

Filesize
132KB

Download
memory/3900-25-0x0000000000F20000-0x0000000000F41000-memory.dmp

Filesize
132KB

Download
memory/3900-26-0x0000000000F20000-0x0000000000F41000-memory.dmp

Filesize
132KB

Download
memory/4480-17-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/4480-18-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/4480-20-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4480-21-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads