qakbot | fcd1c25b4cac18e915240d22819bb7839cad6563b311d9ee5a66233c594c6362

General

Target

7fddaac4e8553705b2a5446791e6df47.dll
Size

436KB
MD5

7fddaac4e8553705b2a5446791e6df47
SHA1

50436c243ece999bec579ea5a18516d9119b68d1
SHA256

fcd1c25b4cac18e915240d22819bb7839cad6563b311d9ee5a66233c594c6362
SHA512

3501c360b69ffe0ac537652f5e06da021570b22979af9e942cf0155ffef301c470ad0f2a23f95ca0d224292b0c1f965d4f22d21a29f04ced7aeae28c53b834e3
SSDEEP

12288:EvT1+i+eRbPqeSIvNMenaJ8NECkSNDopGI5coPYb:Ev3F+ex1MrwECBf3oPYb

Score

10^/10

qakbot tr 1632817399 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Byarpr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Jjekiwfb = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2212 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2740 schtasks.exe

pid	process
2212	regsvr32.exe

pid	process
2740	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\9a90313 = 14f6f2b6846157864fbe64c42876dc9e610c9764dee0f75d65e041472bcc5a70ce8de52b0817ce	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\b1156476 = 7b9692ce2454aa597d875315679ecc1778781982e83d03b8e49d018a050c3aad876853d9b47b5e8d2c771c2a1c9aa8335f0bf7403ba1e70355cbb83bd9bf61056f53859e696a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\413e9cd7 = 7492a481417b2074b675fc525601e4feb56e358e78554c24b9ce4abb0f1fdab7a5ced21dfbdcbe4ce1e6a16101cbf9c2e91968cc3fa0a646ad802aaa026cd362	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\3e77f321 = dca92401241b9cc2cc5c9f404dde9ab6e14fb925f38a68de12b828fb997230407b2f6c3f06559540e7e2677518	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\3e77f321 = dca93301241ba9333c4be35f7cddd2b8d42a7bd336e981f4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\be8236f = b743a9eadfc3329dc9c3d9565eb968bdc702ee309df397be5f2e131847665f821e87c8002fcd145b4464b6245951bfa6b0bef6581f04332469c3b56effde20d72ea35125c38d566ea2e87053745cd10015ff811587df7520167a7729bea8d09ef8776a44ff2225	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\cc1d2bfc = cc06900b6d026b849dc396b45befea2e1b884f14440e92dabb1f24c81c2563e01d249c4758fa21fe415ae3b2be4be4c5a9bbfafe7c52994613da5ad74d3a79ee37bd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\74a14c99 = ad63a8802f8217630c6ea51d4f4f710ad8059a5d7f7fa0cf32c1e789d8bd6c8a058d283ebf3a1b64bf7db998a69c1b9224cfc2433fa38a4c6796b8f27f70ffe080d8c0acafe67e902597295e8c5f8634cecf2799b5125b6b077da21fa67144832b03018b408c084c9b6a3c32c1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Mtqfesut\b354440a = 302983edc9f551296c65cce592fe7dbd0565f75138dab01f28cc64a0d87e05c189537dbacd65234ec4549686bfac	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3040 rundll32.exe
2212 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3040 rundll32.exe
2212 regsvr32.exe

pid	process
3040	rundll32.exe
2212	regsvr32.exe

pid	process
3040	rundll32.exe
2212	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 3040	776	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 3040 wrote to memory of 2832	3040	rundll32.exe	explorer.exe
PID 2832 wrote to memory of 2740	2832	explorer.exe	schtasks.exe
PID 2832 wrote to memory of 2740	2832	explorer.exe	schtasks.exe
PID 2832 wrote to memory of 2740	2832	explorer.exe	schtasks.exe
PID 2832 wrote to memory of 2740	2832	explorer.exe	schtasks.exe
PID 952 wrote to memory of 1224	952	taskeng.exe	regsvr32.exe
PID 952 wrote to memory of 1224	952	taskeng.exe	regsvr32.exe
PID 952 wrote to memory of 1224	952	taskeng.exe	regsvr32.exe
PID 952 wrote to memory of 1224	952	taskeng.exe	regsvr32.exe
PID 952 wrote to memory of 1224	952	taskeng.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 1224 wrote to memory of 2212	1224	regsvr32.exe	regsvr32.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 2212 wrote to memory of 1560	2212	regsvr32.exe	explorer.exe
PID 1560 wrote to memory of 1512	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1512	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1512	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1512	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1384	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1384	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1384	1560	explorer.exe	reg.exe
PID 1560 wrote to memory of 1384	1560	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn altowkdkkz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll\"" /SC ONCE /Z /ST 22:41 /ET 22:53
4⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {A6A36240-0CF6-42DE-B1D2-BE459D61DF52} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Byarpr" /d "0"
5⤵
- Windows security bypass
PID:1512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Jjekiwfb" /d "0"
5⤵
- Windows security bypass
PID:1384

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7fddaac4e8553705b2a5446791e6df47.dll
Filesize
436KB

MD5
7fddaac4e8553705b2a5446791e6df47

SHA1
50436c243ece999bec579ea5a18516d9119b68d1

SHA256
fcd1c25b4cac18e915240d22819bb7839cad6563b311d9ee5a66233c594c6362

SHA512
3501c360b69ffe0ac537652f5e06da021570b22979af9e942cf0155ffef301c470ad0f2a23f95ca0d224292b0c1f965d4f22d21a29f04ced7aeae28c53b834e3

Download Submit
memory/1560-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1560-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1560-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1560-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2212-27-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2212-22-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2212-20-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2832-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2832-13-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2832-15-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2832-12-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2832-11-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/2832-7-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/3040-8-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/3040-1-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/3040-2-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/3040-4-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3040-0-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads