qakbot | 4b206bf8f7c890059e8a4b112a86d066005318b8bc204be353d737743c51e893

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d39550a26cc664be68c89f6317a3f72.dll
Size

1.0MB
MD5

6d39550a26cc664be68c89f6317a3f72
SHA1

e20bf2724a4b2d514f33a52605def521c912c8a1
SHA256

4b206bf8f7c890059e8a4b112a86d066005318b8bc204be353d737743c51e893
SHA512

5046f204888c426c2febc594e5a9c156c5c923241dc0419dbeaa7b7a051120bd1497441a2a9f465890a58808e5cf4293251855c2abf8c1d56cdb05d8c6af86e6
SSDEEP

24576:T+N4RsxwZIlcgFagUOqtQ1e78l1T9N36OfMMElHNGlpJMFymEYe/uAg9JXkQKLK7:TzIOgFa41l1T9N36OUMzlpJMFymEYe/6

Score

10^/10

qakbot tr 1633334141 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

Campaign

1633334141

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Hhpyzohes = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Atohegxryg = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1084	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\ebfea43f = 943a186fca43b1faa738ea517c5cc5ca4d664056e961393977b4d30cdfc00f92957298f8fd9230901562779e92e4a1a4b14b09053730957bad1f157faf7f4a04ea3afb4ebe8e8b90bb3d83ae03767e644d12595461f851aeca1f795a7c338cd4818f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\dc20540d = 23eb9ebad6b2b2d77c11ee41869cc3aa9130d5cbe5816219b566567516a4bdd2089643058fd6ad31d08b062579dd7791b5cdf1032a7e8d7845b40081ef87ea8b570e96374fcde3403444c8c4d600789b50268e238f3f8a209509b125da8863	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\649c3368 = c448eede3364e81079efbe4914ac2931234025d0ae1e461951369aa80b90cafd3ab1ac5fecf588c86b3647492351cfeed8a076c90a0f9c38	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\de617471 = 6b246554fbe1b47ab9a0697a238f6e1ad437b71c4c4a12adb56966aefaac65758a0fe370b835ce31c5c47eacdbf013d24f5c64e2c9e91f472f65fde13dd4ad1c843de96f395ead64ca07434328a221d6763276cd6baafdc7c07c9aedd36baec93114787383a664d0dc3b683168984a4eac5ac15857ad925582ac15fb8483f5f6d00c5e23c3d80a28ba6066c3db271370a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\19947ce2 = fb541e04a2e58f654da88488b4dda173fbb4bfdf57e2b78c5560364eabfce2a77347aeff337aad9cdcec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\a1281b87 = 2c71ad2200512d59decf9ebe4dd746657e56460ed87cac985f96574e49d6872af7cc45eae18330fe34d540087ba25a4504e17192fedd0134d6ddb9a8810051743f9f24271c68b073cfc79977d98d4b99ad047b099396001fab7091c5d251c9d0f35c09defd297c81e539d7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\66dd1314 = 5293b14137daf72569e751560bfe810b0dda5c292aae928135e15f7065693b6685e50b9c786aee097cf0568759868c6ba271555c0447f24565c8e62671d4f3380cd6b1a62b736bfc65f0c1c242a9e37188890d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\94b7cbc9 = d6cecb64d83d10cf839a78e33d1439d71d2ac94e2573d396679965686b7d5fc92652e081914ebb1ef73772f438045a71d7d44868f4d538b61af1a315e67fdcc637fdc9254387467f59160f4d767c016c1ba1c11664aafac9ba37ad349bb97ddea8aec74cdf5451cc4c0339139720541a5172	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Extofuhjasx\ebfea43f = 943a0f6fca4384d9248bd71474636e666d951eadf8f587a8b3238c0aa42c23e59b74a7c58f7fc77f4eeb02396041fe7d69697b87e4fb32d1dcd8a5ae6d4670a544af137ab4294d3d8a28deb4700d8271d842fb10654e1f5f0655d677713c41a1ce1fa0f023356d3ab4fa97e64cd984326b5b0ab5018129	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	rundll32.exe
1084	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3028	rundll32.exe
1084	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 2300 wrote to memory of 3028	2300	rundll32.exe	28
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 3028 wrote to memory of 2788	3028	rundll32.exe	29
PID 2788 wrote to memory of 2728	2788	explorer.exe	30
PID 2788 wrote to memory of 2728	2788	explorer.exe	30
PID 2788 wrote to memory of 2728	2788	explorer.exe	30
PID 2788 wrote to memory of 2728	2788	explorer.exe	30
PID 2204 wrote to memory of 1688	2204	taskeng.exe	35
PID 2204 wrote to memory of 1688	2204	taskeng.exe	35
PID 2204 wrote to memory of 1688	2204	taskeng.exe	35
PID 2204 wrote to memory of 1688	2204	taskeng.exe	35
PID 2204 wrote to memory of 1688	2204	taskeng.exe	35
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1688 wrote to memory of 1084	1688	regsvr32.exe	36
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2916	1084	regsvr32.exe	37
PID 2916 wrote to memory of 1484	2916	explorer.exe	38
PID 2916 wrote to memory of 1484	2916	explorer.exe	38
PID 2916 wrote to memory of 1484	2916	explorer.exe	38
PID 2916 wrote to memory of 1484	2916	explorer.exe	38
PID 2916 wrote to memory of 1580	2916	explorer.exe	41
PID 2916 wrote to memory of 1580	2916	explorer.exe	41
PID 2916 wrote to memory of 1580	2916	explorer.exe	41
PID 2916 wrote to memory of 1580	2916	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ccwkjopvh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll\"" /SC ONCE /Z /ST 18:55 /ET 19:07
      4⤵
      Creates scheduled task(s)
      PID:2728

C:\Windows\system32\taskeng.exe
taskeng.exe {EF4CF40C-8878-4C90-877F-97AED0A1FC69} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hhpyzohes" /d "0"
        5⤵
        Windows security bypass
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Atohegxryg" /d "0"
        5⤵
        Windows security bypass
        
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll

Filesize
1.0MB

MD5
6d39550a26cc664be68c89f6317a3f72

SHA1
e20bf2724a4b2d514f33a52605def521c912c8a1

SHA256
4b206bf8f7c890059e8a4b112a86d066005318b8bc204be353d737743c51e893

SHA512
5046f204888c426c2febc594e5a9c156c5c923241dc0419dbeaa7b7a051120bd1497441a2a9f465890a58808e5cf4293251855c2abf8c1d56cdb05d8c6af86e6

Download Submit
memory/1084-26-0x00000000729A0000-0x00000000733AC000-memory.dmp

Filesize
10.0MB

Download
memory/1084-21-0x00000000729A0000-0x00000000733AC000-memory.dmp

Filesize
10.0MB

Download
memory/1084-20-0x00000000729A0000-0x00000000733AC000-memory.dmp

Filesize
10.0MB

Download
memory/2788-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2788-15-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2788-8-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2788-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2788-12-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2788-13-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2916-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2916-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2916-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2916-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/3028-0-0x00000000733B0000-0x0000000073DBC000-memory.dmp

Filesize
10.0MB

Download
memory/3028-4-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x00000000733B0000-0x0000000073DBC000-memory.dmp

Filesize
10.0MB

Download
memory/3028-7-0x00000000733B0000-0x0000000073DBC000-memory.dmp

Filesize
10.0MB

Download
memory/3028-1-0x00000000733B0000-0x0000000073DBC000-memory.dmp

Filesize
10.0MB

Download