qakbot | b42dd9fd0efb6f0a45acbd601c142db5ce3ee5e59629afcb8c8e8e7695658d0f

General

Target

52eff0300787c5cb4bab4f1f58573f3f.dll
Size

429KB
MD5

52eff0300787c5cb4bab4f1f58573f3f
SHA1

13656352e657bb530655c83febd88822c5219729
SHA256

b42dd9fd0efb6f0a45acbd601c142db5ce3ee5e59629afcb8c8e8e7695658d0f
SHA512

787f0fd796d3e4d9f98ab80622203b9997dfc9e943b2fba859ba673f80893c42920af9ab94e59dfe8ebb52df3f87616949cedbb9086e1c5fd085082e623b48ad
SSDEEP

6144:dENSSm9kFIxN8yzjJbszIARC7I+8Gbcbfu4Vj6m+Ogu55wL/JYCDwrJ:dEMSK4x4jBDARsTdgq4kmNguUL/SCiJ

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Pxkwoo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Iphkbidq = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1828 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1572 schtasks.exe

pid	process
1828	regsvr32.exe

pid	process
1572	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\760affd6 = 13b4fe3cc6acd0b9ed88c2eb41966b7ca2aa6f31b07098b37b47c70a2faeec1f12e80a25e3df87cf2f7e2c62bcbeea182c9436874bddcb35870966ada139251c84fa2cc0050e465c	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\43952f98 = 9552570dd04438b91759609379208226ecb69a31da2fa9b0bb5597067b81856e5ace6cbb1039f099475bf334fd1bc6593d83e6a69d2824005c7c053b613d948758c6e3ec0c01c9ed4d8f856c7d5c0f060957031993664d134311346068041566	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\8460270b = 306adbbee7ca6f4c07467b59fab948eef699e8ef05de7661fb75999d904e660cf22a192d032f7739cf40c7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\86210777 = 70cdd35b7147ebfc0b330f61d0bb05435a0ca6a3a5e50c8f8beb6b71437265cc152c962d45da4348e4f473a7ef423f8c67e2f1a28f15e639aa0487dc54c6bf517497094a8145e0cbea04ceed58c6f674a8adbc6ff6ffbd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\fb2948fd = c1041f8c1f61b38d0870dd5ea4d8da0edf1cb46fd5d60e77	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\9439020 = 7fae5d58407fad2ef23bd1f60dd4e43e7f93860954852839892a748c207d5cf85d287e7bd619d99f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\9439020 = 7fae4a58407f985274552d4ed50d09f24c6a01	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\3cdc406e = f9270ee96db285c92ea56e73f24811d443dc5cbae34e53f6e9c58c1acc2442e39e1d0524c4ae9370ec23d9db1f0d4944907a68052e698cea279f5a05fbe3b3cd3add9295946d31d1682c92c67f62b6a833d27e929cd4288587cdc78115c1faeb76728dff1f24d7f53b0ba3ef773488796ac1d0afcbb12263881678f853	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zuijulbwra\3e9d6012 = 3ff8e201857472a50aa060bcdc2631997036460940f3e34b0e971446a9fbaf8ade68f5430a65a0fe4f3f543d7e4877ff9d7cfa5bfb360dc50ecf77090a835c379cdbd322817b5d227e5ae7	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3748 rundll32.exe
3748 rundll32.exe
1828 regsvr32.exe
1828 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3748 rundll32.exe
1828 regsvr32.exe

pid	process
3748	rundll32.exe
3748	rundll32.exe
1828	regsvr32.exe
1828	regsvr32.exe

pid	process
3748	rundll32.exe
1828	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2852 wrote to memory of 3748	2852	rundll32.exe	rundll32.exe
PID 2852 wrote to memory of 3748	2852	rundll32.exe	rundll32.exe
PID 2852 wrote to memory of 3748	2852	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 1648	3748	rundll32.exe	explorer.exe
PID 3748 wrote to memory of 1648	3748	rundll32.exe	explorer.exe
PID 3748 wrote to memory of 1648	3748	rundll32.exe	explorer.exe
PID 3748 wrote to memory of 1648	3748	rundll32.exe	explorer.exe
PID 3748 wrote to memory of 1648	3748	rundll32.exe	explorer.exe
PID 1648 wrote to memory of 1572	1648	explorer.exe	schtasks.exe
PID 1648 wrote to memory of 1572	1648	explorer.exe	schtasks.exe
PID 1648 wrote to memory of 1572	1648	explorer.exe	schtasks.exe
PID 2612 wrote to memory of 1828	2612	regsvr32.exe	regsvr32.exe
PID 2612 wrote to memory of 1828	2612	regsvr32.exe	regsvr32.exe
PID 2612 wrote to memory of 1828	2612	regsvr32.exe	regsvr32.exe
PID 1828 wrote to memory of 2720	1828	regsvr32.exe	explorer.exe
PID 1828 wrote to memory of 2720	1828	regsvr32.exe	explorer.exe
PID 1828 wrote to memory of 2720	1828	regsvr32.exe	explorer.exe
PID 1828 wrote to memory of 2720	1828	regsvr32.exe	explorer.exe
PID 1828 wrote to memory of 2720	1828	regsvr32.exe	explorer.exe
PID 2720 wrote to memory of 4468	2720	explorer.exe	reg.exe
PID 2720 wrote to memory of 4468	2720	explorer.exe	reg.exe
PID 2720 wrote to memory of 1368	2720	explorer.exe	reg.exe
PID 2720 wrote to memory of 1368	2720	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jlglelm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll\"" /SC ONCE /Z /ST 18:20 /ET 18:32
4⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Pxkwoo" /d "0"
4⤵
- Windows security bypass
PID:4468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iphkbidq" /d "0"
4⤵
- Windows security bypass
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52eff0300787c5cb4bab4f1f58573f3f.dll
Filesize
429KB

MD5
52eff0300787c5cb4bab4f1f58573f3f

SHA1
13656352e657bb530655c83febd88822c5219729

SHA256
b42dd9fd0efb6f0a45acbd601c142db5ce3ee5e59629afcb8c8e8e7695658d0f

SHA512
787f0fd796d3e4d9f98ab80622203b9997dfc9e943b2fba859ba673f80893c42920af9ab94e59dfe8ebb52df3f87616949cedbb9086e1c5fd085082e623b48ad

Download Submit
memory/1648-5-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/1648-9-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/1648-10-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/1648-11-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/1648-13-0x00000000007C0000-0x00000000007E1000-memory.dmp

Filesize
132KB

Download
memory/1828-17-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1828-23-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1828-21-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1828-20-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/1828-18-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/2720-22-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/2720-25-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/2720-26-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/2720-27-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/2720-29-0x0000000001230000-0x0000000001251000-memory.dmp

Filesize
132KB

Download
memory/3748-6-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3748-3-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3748-2-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3748-0-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download
memory/3748-1-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads