qakbot | 8f604242dfb785e324e8207b35f8ce7261436f79cd8b19659a2f194333f31d6f

General

Target

18560d526a5134a7674aeacb02c1ca7f.dll
Size

1.0MB
MD5

18560d526a5134a7674aeacb02c1ca7f
SHA1

f150b2068c282d8fafd02b15fec005fa89cd28b3
SHA256

8f604242dfb785e324e8207b35f8ce7261436f79cd8b19659a2f194333f31d6f
SHA512

319cbd6f8f2d75d87a7b2b801f1debe559b7d62b713072e454a1b59ee6f5afa041c3ee45c23bfc0b54f205b76f23878f5b5c8b99a193c76464e383c7120ee834
SSDEEP

24576:OtLNXJb227NHokpLKVtVvEMkOgPSFrHEjX7hWHQ/uYT/jISlzfmXbC1DCU:0LNXhlFBpL+vEMCPQDWX7hWHQ/ue/jIW

Score

10^/10

qakbot tr 1633334141 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cwuuh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Nbgnig = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1684	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\b4e63eb5 = 00bd566769652547fa24d9ec7d89117b04f46980d82184cf86d9f96668658b5dfd6ed78f9a0e4336dc86db72be58198aff65cb9278e7701458329c04	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\8338ce87 = 7e79aef14b2901d54b3f0166ad949e5b714b1ab37bca0640d3ebb0cfd0368fdf31271902b40995505b79f035706639b5a64877ae21183cd68c94db5bcc85f5807e33427df33669c1e31a70c5ad07da365c3e94	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\39c5899e = 2489dabd861ea6fff094b503a8a38482bb8a91733575721f8cb787fee3ea5de420de61c7dd0f5b15f2fb67fddaed3f167cf885a8268f3f07ae0f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\b4e63eb5 = 00bd4167696510edc955a7b50e981c8df7f26e8b858238950e903762c33f89f1590c923480dc1d461a3d6033cffd9824d97d43441d097d1667f7a10a9960a0bb6f911a475618531f16b52984b4e4c555d2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\8179eefb = 60b14250afa7f6a9407724ff4aa4cee9de3cf7aa417ed5b8c4bb3bedc4f6efb31838cf34a7c02dc3b385a46c360439266ec995eb2e72c4471886dd9e58e43afe12ec05818a4dd5b29cc34f4e8bdd5fd61d1b48e11af9732c9b7eb858ae907ab06703d54801fbe27e13006bc4f61aecb96ea4d69ec1f0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\3b84a9e2 = 3dfefd27093c613b9718c31577d9de0299643709d8685a8383ebb5573d24451dd3946f286655ffdc8398475b07c0d03c6fcd1b5104f5976cae50d3cc2c1fc8afac71941c9f45d2300f520bcc63a8ea56475702aea440531e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\468ce668 = 4ea2631f106a93d1f422cc2b634090a69d2c7e969fbf34361077208067a831c00e8dc720	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\fe30810d = 3b7f5496cd5faaef1ada507d04cec2b4b622b8466b85ad65b834d091d1755ac589386e1f158e036eb90835f99a11c0a36c6aac145e097d4cbd4bedbf06fec2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Rpayhkyhnbruap\cbaf5143 = 24a0e19771e3e475f69b6444bcfef67d3498c7e3c512a57ba576	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
32	rundll32.exe
32	rundll32.exe
1336	regsvr32.exe
1336	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
32	rundll32.exe
1336	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 32	4900	rundll32.exe	88
PID 4900 wrote to memory of 32	4900	rundll32.exe	88
PID 4900 wrote to memory of 32	4900	rundll32.exe	88
PID 32 wrote to memory of 4168	32	rundll32.exe	94
PID 32 wrote to memory of 4168	32	rundll32.exe	94
PID 32 wrote to memory of 4168	32	rundll32.exe	94
PID 32 wrote to memory of 4168	32	rundll32.exe	94
PID 32 wrote to memory of 4168	32	rundll32.exe	94
PID 4168 wrote to memory of 1684	4168	explorer.exe	95
PID 4168 wrote to memory of 1684	4168	explorer.exe	95
PID 4168 wrote to memory of 1684	4168	explorer.exe	95
PID 2416 wrote to memory of 1336	2416	regsvr32.exe	102
PID 2416 wrote to memory of 1336	2416	regsvr32.exe	102
PID 2416 wrote to memory of 1336	2416	regsvr32.exe	102
PID 1336 wrote to memory of 1416	1336	regsvr32.exe	103
PID 1336 wrote to memory of 1416	1336	regsvr32.exe	103
PID 1336 wrote to memory of 1416	1336	regsvr32.exe	103
PID 1336 wrote to memory of 1416	1336	regsvr32.exe	103
PID 1336 wrote to memory of 1416	1336	regsvr32.exe	103
PID 1416 wrote to memory of 4260	1416	explorer.exe	104
PID 1416 wrote to memory of 4260	1416	explorer.exe	104
PID 1416 wrote to memory of 3212	1416	explorer.exe	106
PID 1416 wrote to memory of 3212	1416	explorer.exe	106

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn woucbqcy /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll\"" /SC ONCE /Z /ST 16:07 /ET 16:19
      4⤵
      Creates scheduled task(s)
      PID:1684

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cwuuh" /d "0"
      4⤵
      Windows security bypass
      PID:4260
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nbgnig" /d "0"
      4⤵
      Windows security bypass
      PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18560d526a5134a7674aeacb02c1ca7f.dll

Filesize
1.0MB

MD5
18560d526a5134a7674aeacb02c1ca7f

SHA1
f150b2068c282d8fafd02b15fec005fa89cd28b3

SHA256
8f604242dfb785e324e8207b35f8ce7261436f79cd8b19659a2f194333f31d6f

SHA512
319cbd6f8f2d75d87a7b2b801f1debe559b7d62b713072e454a1b59ee6f5afa041c3ee45c23bfc0b54f205b76f23878f5b5c8b99a193c76464e383c7120ee834

Download Submit
memory/32-3-0x00000000753E0000-0x0000000075584000-memory.dmp

Filesize
1.6MB

Download
memory/32-1-0x00000000753E0000-0x0000000075584000-memory.dmp

Filesize
1.6MB

Download
memory/32-6-0x00000000753E0000-0x0000000075584000-memory.dmp

Filesize
1.6MB

Download
memory/32-0-0x00000000753E0000-0x0000000075584000-memory.dmp

Filesize
1.6MB

Download
memory/32-2-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1336-18-0x0000000075350000-0x00000000754F4000-memory.dmp

Filesize
1.6MB

Download
memory/1336-23-0x0000000075350000-0x00000000754F4000-memory.dmp

Filesize
1.6MB

Download
memory/1336-19-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1336-17-0x0000000075350000-0x00000000754F4000-memory.dmp

Filesize
1.6MB

Download
memory/1416-21-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1416-25-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1416-26-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/1416-27-0x00000000006E0000-0x0000000000701000-memory.dmp

Filesize
132KB

Download
memory/4168-5-0x00000000007D0000-0x00000000007F1000-memory.dmp

Filesize
132KB

Download
memory/4168-11-0x00000000007D0000-0x00000000007F1000-memory.dmp

Filesize
132KB

Download
memory/4168-13-0x00000000007D0000-0x00000000007F1000-memory.dmp

Filesize
132KB

Download
memory/4168-10-0x00000000007D0000-0x00000000007F1000-memory.dmp

Filesize
132KB

Download
memory/4168-9-0x00000000007D0000-0x00000000007F1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads