qakbot | c05fc0120c066ef16e6ae53400d3d7965f83114635ef41900246d021ed58019e

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60a68dfff01d04bd02058f23ca26aa1e.dll
Size

1.0MB
MD5

60a68dfff01d04bd02058f23ca26aa1e
SHA1

f5aba7d1633d8eb6ba7574f7ac4beab140aaeb42
SHA256

c05fc0120c066ef16e6ae53400d3d7965f83114635ef41900246d021ed58019e
SHA512

0b4ab9029da737e6464de6603849323a63c35e5c2a4396fb535ccfb110b9e588ab3efa0ea04374cda32f4147fd87b833b27c442d338a60e478ab2f3314b53428
SSDEEP

24576:f+N4RsxeZIlcgFagUOqtQ1e78l1T9N36OfMMElHNGlpJMFymEYe/uAg9JXkQKLKr:fhIOgFa41l1T9N36OUMzlpJMFymEYe/S

Score

10^/10

qakbot tr 1633334141 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

Campaign

1633334141

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Gdramctbif = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Exviqeiryrk = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2376	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2932	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\55652727 = 7516232facdc0652adeba0e9c29fb2821bb0825ba15e4ecc7a8c331748c68d47664c2b8f9cb4cdc51801bfc56f2cdf618928f8caf1152dca8a64567a561c5528eda568f7359e3bf2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\a70ffffa = ecb255347143f8a5d519c5994d42a92e4b3a7e097191022473ea04ed20f8d034e97fd961844a7c5083c4711af5143e40d44f8096500c8578acc7acf672d492ee0323a3928e95e7aaf2c12625a8e58079b43d5c9e58487e0a953bafdc4cccc1d771	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\55652727 = 7516342facdc33c8764e9576f3b88db88a1815bbb384e61343a39d9e634012cc83aad9d4416e822ecd7d25f67f916cc1662d6374336a35af8997a25d6bda0f656b39421c517218bbee3db15e03d27975781960bb6eaf91beb2a2465b39	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Dnenvylglcbyi	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\60faf769 = a040ac57439a393251f58e0b6368fac7ff8c2c3858401b4779286fd32a23e4a154e8bbf203eb725da37aa95533db35172767e241b1ad9a1ffc2f46bfb091e2898514e646db6c931f8c07000bde1db304cdd4f0d04226794d7b88e3a4f2d5cf07771b5bb12b732c26a0b06062e616ac8dce4d3eee8ba06b8bb7bceae99ed8710277215871ba81264ca3e472b0de88f9c3ca098458e46fe8349b90443471b849ca8aa3deaeb126473c4f1bdb03c738d44e4b924519fc1e29be9c96e4cb8f41e78b367a783aa16fc769daf6e9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\62bbd715 = 099a0913dc8d52fb2985873881e9af37ed886218d6168250804af259d00fba36da5d4ce000512eead2649bd522e7303c692bb9a07ee4a86931c268c708e5595ad6504d020a7c1bf8f3b32eb960acac85a1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\da07b070 = c17fcb84f35d827057c7f87cfda2c1857cbb45951258fd1b35c55a4755b98434033bba19d7a655690d8d1c906680ab514214d3f76f7379ec6b6efcaa4e6e669a6eaa2dde86008e8ebda84cb514f5644dd6216fae8e606ceb4f7382	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\1fb3989f = 08bfe864f002d07a9be63f117ef20a63fc7e6a87198d209b4a036c2f48	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\d846900c = 746fbe22ee34eced56fd07717af1a7e52d4b37d359f79b22d7572aecc7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Dnenvylglcbyi\2a2c48d1 = 3d8ddca9c61690306a0e14d7151419be71f57bb908ed4db7d7c3b6	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2204	rundll32.exe
2376	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2204	rundll32.exe
2376	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 688 wrote to memory of 2204	688	rundll32.exe	28
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2204 wrote to memory of 2128	2204	rundll32.exe	31
PID 2128 wrote to memory of 2932	2128	explorer.exe	32
PID 2128 wrote to memory of 2932	2128	explorer.exe	32
PID 2128 wrote to memory of 2932	2128	explorer.exe	32
PID 2128 wrote to memory of 2932	2128	explorer.exe	32
PID 2824 wrote to memory of 1888	2824	taskeng.exe	35
PID 2824 wrote to memory of 1888	2824	taskeng.exe	35
PID 2824 wrote to memory of 1888	2824	taskeng.exe	35
PID 2824 wrote to memory of 1888	2824	taskeng.exe	35
PID 2824 wrote to memory of 1888	2824	taskeng.exe	35
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 1888 wrote to memory of 2376	1888	regsvr32.exe	36
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 2376 wrote to memory of 1640	2376	regsvr32.exe	37
PID 1640 wrote to memory of 2660	1640	explorer.exe	38
PID 1640 wrote to memory of 2660	1640	explorer.exe	38
PID 1640 wrote to memory of 2660	1640	explorer.exe	38
PID 1640 wrote to memory of 2660	1640	explorer.exe	38
PID 1640 wrote to memory of 1876	1640	explorer.exe	40
PID 1640 wrote to memory of 1876	1640	explorer.exe	40
PID 1640 wrote to memory of 1876	1640	explorer.exe	40
PID 1640 wrote to memory of 1876	1640	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iixkrjfpj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll\"" /SC ONCE /Z /ST 18:16 /ET 18:28
      4⤵
      Creates scheduled task(s)
      PID:2932

C:\Windows\system32\taskeng.exe
taskeng.exe {A6B1229B-D13F-4BE6-A089-8EE756DB50B4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gdramctbif" /d "0"
        5⤵
        Windows security bypass
        
        PID:2660
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Exviqeiryrk" /d "0"
        5⤵
        Windows security bypass
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60a68dfff01d04bd02058f23ca26aa1e.dll

Filesize
1.0MB

MD5
60a68dfff01d04bd02058f23ca26aa1e

SHA1
f5aba7d1633d8eb6ba7574f7ac4beab140aaeb42

SHA256
c05fc0120c066ef16e6ae53400d3d7965f83114635ef41900246d021ed58019e

SHA512
0b4ab9029da737e6464de6603849323a63c35e5c2a4396fb535ccfb110b9e588ab3efa0ea04374cda32f4147fd87b833b27c442d338a60e478ab2f3314b53428

Download Submit
memory/1640-32-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1640-30-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1640-29-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1640-28-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1640-25-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2128-15-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2204-0-0x00000000734E0000-0x0000000073EEC000-memory.dmp

Filesize
10.0MB

Download
memory/2204-8-0x00000000734E0000-0x0000000073EEC000-memory.dmp

Filesize
10.0MB

Download
memory/2204-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x00000000734E0000-0x0000000073EEC000-memory.dmp

Filesize
10.0MB

Download
memory/2204-2-0x00000000734E0000-0x0000000073EEC000-memory.dmp

Filesize
10.0MB

Download
memory/2376-21-0x0000000072AD0000-0x00000000734DC000-memory.dmp

Filesize
10.0MB

Download
memory/2376-20-0x0000000072AD0000-0x00000000734DC000-memory.dmp

Filesize
10.0MB

Download
memory/2376-26-0x0000000072AD0000-0x00000000734DC000-memory.dmp

Filesize
10.0MB

Download