qakbot | 5b1928e0f4afd659d9a1aa169ba9e794e57251725a8674af205392d3a2f255b5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll
Size

543KB
MD5

ffaf9cd085434fd5230511ab895ba494
SHA1

9e49d29d66d380255e5e8e2ccf19f5b51eb92001
SHA256

c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a
SHA512

01890758e839b3eb90dc3711dd470ba1e232798ed0f62d89185e450877161fd321b5b125ab0a64f270c2f37ef129f59eb5848164d26fb4965534d77a0d4f2300
SSDEEP

12288:DSG3daX8glK/McVThyhRBof4byx7ILypuLT+CLWNhM3Q2Bz:DSc3l/ML3bypxOT+CLsu

Score

10^/10

qakbot aa 1649660679 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

Campaign

1649660679

41.228.22.180:443

47.23.89.62:995

176.67.56.94:443

103.107.113.120:443

148.64.96.100:443

47.180.172.159:443

181.118.183.98:443

140.82.49.12:443

103.87.95.133:2222

96.21.251.127:2222

197.167.62.14:993

46.107.48.202:443

24.43.99.75:443

172.115.177.204:2222

80.11.74.81:2222

66.98.42.102:443

75.99.168.194:61201

173.174.216.62:443

45.9.20.200:443

39.41.158.185:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Jjiewipouh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Wjtwty = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2536	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2144	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\6b8c5fb7 = d71cc6517cc8444120104646fe1f2b1239acbb41da3e0fbfee3d34880256d17f1e2a100e35411aca5c52afafd910816bad0419bb71a86a2e1e5ebcf20971cd118fc95127ecca55744a78247774fd05bfe8e7b2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\5e138ff9 = ef26f37c66b7b5ff2b78fa71de22f89edadbda2e270cc321fef5917dfe501ceef97aaa8f4a904e6a50075baf20d1c70afb2e5b1cf4bd80cd45259c7d67b81238987391a0f0c8f36f40e16c3d3a1bf4ceadf6599767f5a2f6e376625043b54a040da33772dca9c36134133a7f8fe9427aed0a5ad9779617beb30c37ccfb7c70c1e8312fd3fdc80d6b611b9cbaba20e0bd33f525dc46d6e7798429d502c17ab96c9ac768ca7b4df5f1c70ce32bd4b0e457a26822	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\5c52af85 = f98771e4ec817fceb75ac0fcc940a72f1bd8b4d4ff9f34e02ab3d7ae611e4885c0fef1bba3629890c3e66e1082c3c9541bc8652ff3d666ecff7af2321538d10e49595a30f6bf737f3e1aa7ed513628b20baf497ab7089fa018d2eae178c208e15bb479fac139618e26e68e80	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\e4eec8e0 = a92aac5f6d4ccf475ca927a9437a95a0c6901d9c090310563b34f5eb43b50bf0f3c8aa5ab747a4649f2489	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\215ae00f = 4c158d3578e61f943b3440326edaad81f008aeb19da5b6d21067b47425c6248e2c65b1b7ef42c48e92482b1ae47f354078f760f538c9e5fd457a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\14c53041 = 4170fb32603620cf9ffed6747d82d6963561766529eab765800109ce3cf34d56e4b8b30e12993b11451223f3eea026e0ece7a65c1de6cf70f17032f5cc96b2cb4410fc6588950c07def3d89f66cea1b8f64dc046e53f9d8a46958f43897bd553b280a7766d877f	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\99e6876a = 2ab86343a321703f346740acd36f56	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\e6afe89c = 762a79ca0bf294873406437295f21bc8399d9ef24b4cdfc4200f648f41cfcec1906fbf960419179e2784d5b50b22c1900995c200d448a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fmjyohsn\6b8c5fb7 = d71cd1517cc871818de0b13dfccf6797db5445fae3c414ece4a069ad371b0e0727bb644585b2625acbe796ec8f6f6e531dd31dd506e6e24c920ad135a7e89631c1822273bb5f66015cc6a90d133c023ed1caf20f147ef6e5fb59d2de03dbc3a5cd42783d933ca4b0	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	regsvr32.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2184	explorer.exe
2536	regsvr32.exe
2184	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2128	regsvr32.exe
2536	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2336 wrote to memory of 2128	2336	regsvr32.exe	28
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2128 wrote to memory of 2184	2128	regsvr32.exe	29
PID 2184 wrote to memory of 2144	2184	explorer.exe	30
PID 2184 wrote to memory of 2144	2184	explorer.exe	30
PID 2184 wrote to memory of 2144	2184	explorer.exe	30
PID 2184 wrote to memory of 2144	2184	explorer.exe	30
PID 2080 wrote to memory of 2176	2080	taskeng.exe	36
PID 2080 wrote to memory of 2176	2080	taskeng.exe	36
PID 2080 wrote to memory of 2176	2080	taskeng.exe	36
PID 2080 wrote to memory of 2176	2080	taskeng.exe	36
PID 2080 wrote to memory of 2176	2080	taskeng.exe	36
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2176 wrote to memory of 2536	2176	regsvr32.exe	35
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 2536 wrote to memory of 1620	2536	regsvr32.exe	37
PID 1620 wrote to memory of 804	1620	explorer.exe	39
PID 1620 wrote to memory of 804	1620	explorer.exe	39
PID 1620 wrote to memory of 804	1620	explorer.exe	39
PID 1620 wrote to memory of 804	1620	explorer.exe	39
PID 1620 wrote to memory of 2716	1620	explorer.exe	41
PID 1620 wrote to memory of 2716	1620	explorer.exe	41
PID 1620 wrote to memory of 2716	1620	explorer.exe	41
PID 1620 wrote to memory of 2716	1620	explorer.exe	41

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dlkzihzrjy /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll\"" /SC ONCE /Z /ST 19:08 /ET 19:20
      4⤵
      Creates scheduled task(s)
      PID:2144

C:\Windows\system32\taskeng.exe
taskeng.exe {1D31A009-27C2-42B5-9977-BC4C8D736053} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Jjiewipouh" /d "0"
    3⤵
    - Windows security bypass
    PID:804
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Wjtwty" /d "0"
    3⤵
    - Windows security bypass
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll

Filesize
543KB

MD5
ffaf9cd085434fd5230511ab895ba494

SHA1
9e49d29d66d380255e5e8e2ccf19f5b51eb92001

SHA256
c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a

SHA512
01890758e839b3eb90dc3711dd470ba1e232798ed0f62d89185e450877161fd321b5b125ab0a64f270c2f37ef129f59eb5848164d26fb4965534d77a0d4f2300

Download Submit
memory/1620-23-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1620-18-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1620-19-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1620-20-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1620-21-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1620-17-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/2184-6-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download
memory/2184-10-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download
memory/2184-8-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download
memory/2184-7-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download
memory/2184-0-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2184-5-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download
memory/2184-2-0x00000000000F0000-0x000000000017F000-memory.dmp

Filesize
572KB

Download