qakbot | 4b206bf8f7c890059e8a4b112a86d066005318b8bc204be353d737743c51e893

General

Target

6d39550a26cc664be68c89f6317a3f72.dll
Size

1.0MB
MD5

6d39550a26cc664be68c89f6317a3f72
SHA1

e20bf2724a4b2d514f33a52605def521c912c8a1
SHA256

4b206bf8f7c890059e8a4b112a86d066005318b8bc204be353d737743c51e893
SHA512

5046f204888c426c2febc594e5a9c156c5c923241dc0419dbeaa7b7a051120bd1497441a2a9f465890a58808e5cf4293251855c2abf8c1d56cdb05d8c6af86e6
SSDEEP

24576:T+N4RsxwZIlcgFagUOqtQ1e78l1T9N36OfMMElHNGlpJMFymEYe/uAg9JXkQKLK7:TzIOgFa41l1T9N36OUMzlpJMFymEYe/6

Score

10^/10

qakbot tr 1633334141 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Dbexiavu = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ymaxp = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
4888	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2612	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\62f0fb7d = c9a5a4fe14e4f222de5225008c4ab361d7a9c819ac97912e716418e2f5bece6fd76277c98a05df7cc1d08da7b5b24e84900db49b6319ac4ab4ab6d09adaa7225bc32eb9204d0f0894b5e9259eee1b2dc9aa20d6ccc09927cf86a00db2206b207cfbc0d52c96a15923e9f456e0dfb64688407b0c8c1a6219080313009be087e7772fd1be05f05b6e505967d5d13ab161ce519311a44d1fd56c385a5a3c08fed886fa55ba4ad9a02166dc0a3b993410e7074	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\a505f3ee = 3cda0a63b03daa9067036fe97dd20e3142a39846fbea2ae89b2f4058d2a8e10e276cb48a1382	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\1db9948b = 77641f4d4f04639f09711393953de2e4c8873bcf648d627b1011f43c4e94	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\576f2b33 = bc742ef01f8355a7918224c3ea0eb9f99cce682c8e371c6dfe2403400d2ac1cef38de2a88baa28a5b037d7525036d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\576f2b33 = bc7439f01f83605bf5bc3f3bca1c8ab13ad5409a552fc462cdad	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\60b1db01 = 2901e9e8a7d4f135aca2a183e7935d566ca84aaca17ff3e88aa77ba83016f9b847f86d05435e68ad881c96ccedb629754f70a145c2dbdbd59ef8c08346f156997becaa5b010a908893ec0613659ffb3b2df8a27c124bf6a8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\d80dbc64 = c36fab93f73f02d73ea1fa6799f8a1551545e99f36a86ac94de7fad25c46a3f7f8597bdf4c233895273d755c8cb61e20b7c719632d87818fe3e4ac6155b6e8226f35d80c57420ca90124af86e2787967ba59064b5d7c5035c48b86a8a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\da4c9c18 = 2b3c953194ebe77d19b3a47b23fa791747fa8a8d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ydfmvduor\282644c5 = b9f198c60cae98c0d0b28888377670bf9911571bc74f26533fc1c53e741ac08a10bd12b2c8af3ea8de020b77023bb91b2fb651db7081c36b8ff3224f	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
4368	rundll32.exe
4368	rundll32.exe
4888	regsvr32.exe
4888	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
4368	rundll32.exe
4888	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 528 wrote to memory of 4368	528	rundll32.exe	87
PID 528 wrote to memory of 4368	528	rundll32.exe	87
PID 528 wrote to memory of 4368	528	rundll32.exe	87
PID 4368 wrote to memory of 4740	4368	rundll32.exe	93
PID 4368 wrote to memory of 4740	4368	rundll32.exe	93
PID 4368 wrote to memory of 4740	4368	rundll32.exe	93
PID 4368 wrote to memory of 4740	4368	rundll32.exe	93
PID 4368 wrote to memory of 4740	4368	rundll32.exe	93
PID 4740 wrote to memory of 2612	4740	explorer.exe	94
PID 4740 wrote to memory of 2612	4740	explorer.exe	94
PID 4740 wrote to memory of 2612	4740	explorer.exe	94
PID 2784 wrote to memory of 4888	2784	regsvr32.exe	101
PID 2784 wrote to memory of 4888	2784	regsvr32.exe	101
PID 2784 wrote to memory of 4888	2784	regsvr32.exe	101
PID 4888 wrote to memory of 3240	4888	regsvr32.exe	102
PID 4888 wrote to memory of 3240	4888	regsvr32.exe	102
PID 4888 wrote to memory of 3240	4888	regsvr32.exe	102
PID 4888 wrote to memory of 3240	4888	regsvr32.exe	102
PID 4888 wrote to memory of 3240	4888	regsvr32.exe	102
PID 3240 wrote to memory of 3564	3240	explorer.exe	103
PID 3240 wrote to memory of 3564	3240	explorer.exe	103
PID 3240 wrote to memory of 4668	3240	explorer.exe	106
PID 3240 wrote to memory of 4668	3240	explorer.exe	106

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ckrgdqpvs /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll\"" /SC ONCE /Z /ST 18:55 /ET 19:07
      4⤵
      Creates scheduled task(s)
      PID:2612

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Dbexiavu" /d "0"
      4⤵
      Windows security bypass
      PID:3564
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ymaxp" /d "0"
      4⤵
      Windows security bypass
      PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll

Filesize
669KB

MD5
34ea7c13d176110857a70c0611afa00d

SHA1
2ac407cbc83f72fff56877e4e3e9837bcde3ea51

SHA256
a05d430d5ad79f13213d3666664aad683a0a7015a2115a246344cf1ab691a955

SHA512
0c9da299d03a8f55892a59432542084646bdeb23b382f1bf59c0fb21871fe1a8105f5aa20f1818ae41bacef721a197751455c88da54081a0aeef3a838c7643af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d39550a26cc664be68c89f6317a3f72.dll

Filesize
115KB

MD5
29b29548c868e4ba8650339aef3f64bc

SHA1
c5d88cfdd82b1e88437812eef1e5efca0b9fa309

SHA256
082b35b1702294767c0dfc9d566d69ddf098e2be6dcddc31b9691dc886e000ca

SHA512
57fbde7514f66f55f8a98fc3808d468d0433bc2d4efd280fa254f25b01d517f648b4d64f6f37f8bfd2b03cb67e7e7b00f825e74368be893e90ebe6ef255af5ab

Download Submit
memory/3240-27-0x0000000000440000-0x0000000000461000-memory.dmp

Filesize
132KB

Download
memory/3240-28-0x0000000000440000-0x0000000000461000-memory.dmp

Filesize
132KB

Download
memory/3240-29-0x0000000000440000-0x0000000000461000-memory.dmp

Filesize
132KB

Download
memory/3240-24-0x0000000000440000-0x0000000000461000-memory.dmp

Filesize
132KB

Download
memory/4368-1-0x0000000074B90000-0x000000007559C000-memory.dmp

Filesize
10.0MB

Download
memory/4368-3-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4368-2-0x0000000074B90000-0x000000007559C000-memory.dmp

Filesize
10.0MB

Download
memory/4368-5-0x0000000074B90000-0x000000007559C000-memory.dmp

Filesize
10.0MB

Download
memory/4368-0-0x0000000074B90000-0x000000007559C000-memory.dmp

Filesize
10.0MB

Download
memory/4740-6-0x0000000001050000-0x0000000001071000-memory.dmp

Filesize
132KB

Download
memory/4740-14-0x0000000001050000-0x0000000001071000-memory.dmp

Filesize
132KB

Download
memory/4740-10-0x0000000001050000-0x0000000001071000-memory.dmp

Filesize
132KB

Download
memory/4740-11-0x0000000001050000-0x0000000001071000-memory.dmp

Filesize
132KB

Download
memory/4740-12-0x0000000001050000-0x0000000001071000-memory.dmp

Filesize
132KB

Download
memory/4888-18-0x0000000072B90000-0x000000007359C000-memory.dmp

Filesize
10.0MB

Download
memory/4888-20-0x0000000072B90000-0x000000007359C000-memory.dmp

Filesize
10.0MB

Download
memory/4888-19-0x0000000072B90000-0x000000007359C000-memory.dmp

Filesize
10.0MB

Download
memory/4888-22-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/4888-23-0x0000000072B90000-0x000000007359C000-memory.dmp

Filesize
10.0MB

Download
memory/4888-25-0x0000000072B90000-0x000000007359C000-memory.dmp

Filesize
10.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads