qakbot | f45b0c9564822dc1541c0a2e46b3e4675f9e2da5046edd2383b99e1f8b6ed757

General

Target

test2.dll
Size

345KB
MD5

424c43428a5f0ed069b97923d543a827
SHA1

e4fef00c4c64a7a27d21ff7f7e7149ccffdf6e2c
SHA256

f45b0c9564822dc1541c0a2e46b3e4675f9e2da5046edd2383b99e1f8b6ed757
SHA512

e9023054a9b869a16dfa17933b52e37d664d9e162deb9cd96c02c0f7aa4266308793652ea034222e49adc4aad24003b4f48e81a58c0abbc75dc01b4d88a1bd6f
SSDEEP

6144:mm8HFmf2Ee5apzeJ4DSY7Dh6LUr+nxQNBO0fS:GjEuuDC1o

Score

10^/10

qakbot tr 1632730751 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Jbvmbgyz = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ultlp = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3212 regsvr32.exe

pid	process
3212	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeexplorer.exerundll32.exeexplorer.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\a0c89a16 = a66afe43e62538754437f6cd37a7e9fc8c332744ada9dd9675ab3c5ade6d3564badc45fd814f3b0ce7dba806afa613b7961e385cedf39cf2ee29fe5ccc541aa840ebff587b5986ee6592c79b3f01f8614791c2ad766ac2dd2cb1bcbb9d3f501fc1f2eb27a5af8aded96d2509a2111a57bf9d78a43f3797e77ccccd294c690acb632ff8c96c86186b9f6d68c5ce6d2d19b1a007ab60c673a650a0d5e12c99	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\1a35dd0f = 0aa052df15fbdf4c6fb4269e1babe5a0047a32c2e058077e226035a5c251165a0eff9d1bd97472bbad478901554aa753b33dfbfa6b9d949c12743179	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\673d9285 = 1c5f56a020133f737b43418503e7c69020b9de52eb068da54299ff80c23e044f29588784c779333b7ccd6e6f21b298fae275bffcf9b0a328f1fc84c113303a21d0a8eedc19c2d47b76c26977b8277861b6105f1e1b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\95574a58 = 43d782f2167ac57b0b2905d07755a6e123be22ebd23c1bf1e0115bacaebb5f4f449312fab735207c7454701210c5328997761b28bd31cd946f782d19d4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\95574a58 = 43d795f2167af0981e3112fe2d8d81d47d1c0ea6f3681126c14c1cda3a76e90b51ebd88d381150c7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\a289ba6a = 76b01dd05c89efb9b9035e3261b9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\df81f5e0 = 214ad53c53929389907fc21c46c976900a3c091bea34a52c33334812709ab5b719599ca164f9373f32382661f5f7aac50e38cec57f984258eb7ee6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\1874fd73 = 841a13f50946d262479061bb7f19a521aeb2ec3965bf57d69053a356ee189c781f738320c7549230cdc75b2259b8b0069348c8404f2774b645ba6fee357228e40a2b78701453239cd8bf8b2ddb48a5d5f3194852	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wpyitlauc\ea1e25ae = 351236b30fc4213c73bc3b0c0c0a9c783563f194db304d31f57ce869a9df8d2766527cda8eeec5d34f96aa93194736426d1e8be9531323fc2432afc27219a806b2666b7e2936	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4048 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3468 rundll32.exe
3468 rundll32.exe
3212 regsvr32.exe
3212 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3468 rundll32.exe
3212 regsvr32.exe

pid	process
4048	schtasks.exe

pid	process
3468	rundll32.exe
3468	rundll32.exe
3212	regsvr32.exe
3212	regsvr32.exe

pid	process
3468	rundll32.exe
3212	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3296 wrote to memory of 3468	3296	rundll32.exe	rundll32.exe
PID 3296 wrote to memory of 3468	3296	rundll32.exe	rundll32.exe
PID 3296 wrote to memory of 3468	3296	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 32	3468	rundll32.exe	explorer.exe
PID 3468 wrote to memory of 32	3468	rundll32.exe	explorer.exe
PID 3468 wrote to memory of 32	3468	rundll32.exe	explorer.exe
PID 3468 wrote to memory of 32	3468	rundll32.exe	explorer.exe
PID 3468 wrote to memory of 32	3468	rundll32.exe	explorer.exe
PID 32 wrote to memory of 4048	32	explorer.exe	schtasks.exe
PID 32 wrote to memory of 4048	32	explorer.exe	schtasks.exe
PID 32 wrote to memory of 4048	32	explorer.exe	schtasks.exe
PID 3368 wrote to memory of 3212	3368	regsvr32.exe	regsvr32.exe
PID 3368 wrote to memory of 3212	3368	regsvr32.exe	regsvr32.exe
PID 3368 wrote to memory of 3212	3368	regsvr32.exe	regsvr32.exe
PID 3212 wrote to memory of 1416	3212	regsvr32.exe	explorer.exe
PID 3212 wrote to memory of 1416	3212	regsvr32.exe	explorer.exe
PID 3212 wrote to memory of 1416	3212	regsvr32.exe	explorer.exe
PID 3212 wrote to memory of 1416	3212	regsvr32.exe	explorer.exe
PID 3212 wrote to memory of 1416	3212	regsvr32.exe	explorer.exe
PID 1416 wrote to memory of 4408	1416	explorer.exe	reg.exe
PID 1416 wrote to memory of 4408	1416	explorer.exe	reg.exe
PID 1416 wrote to memory of 4608	1416	explorer.exe	reg.exe
PID 1416 wrote to memory of 4608	1416	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\test2.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn elkmrurgul /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\test2.dll\"" /SC ONCE /Z /ST 08:11 /ET 08:23
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4048

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\test2.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\test2.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Jbvmbgyz" /d "0"
      4⤵
      Windows security bypass
      PID:4408
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ultlp" /d "0"
      4⤵
      Windows security bypass
      PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test2.dll

Filesize
345KB

MD5
424c43428a5f0ed069b97923d543a827

SHA1
e4fef00c4c64a7a27d21ff7f7e7149ccffdf6e2c

SHA256
f45b0c9564822dc1541c0a2e46b3e4675f9e2da5046edd2383b99e1f8b6ed757

SHA512
e9023054a9b869a16dfa17933b52e37d664d9e162deb9cd96c02c0f7aa4266308793652ea034222e49adc4aad24003b4f48e81a58c0abbc75dc01b4d88a1bd6f

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-2-0x0000000000730000-0x0000000000751000-memory.dmp

Filesize
132KB

Download
memory/32-10-0x0000000000730000-0x0000000000751000-memory.dmp

Filesize
132KB

Download
memory/32-12-0x0000000000730000-0x0000000000751000-memory.dmp

Filesize
132KB

Download
memory/32-11-0x0000000000730000-0x0000000000751000-memory.dmp

Filesize
132KB

Download
memory/32-14-0x0000000000730000-0x0000000000751000-memory.dmp

Filesize
132KB

Download
memory/1416-25-0x0000000000650000-0x0000000000671000-memory.dmp

Filesize
132KB

Download
memory/1416-24-0x0000000000650000-0x0000000000671000-memory.dmp

Filesize
132KB

Download
memory/1416-23-0x0000000000650000-0x0000000000671000-memory.dmp

Filesize
132KB

Download
memory/3212-19-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3468-3-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download
memory/3468-0-0x0000000004D60000-0x0000000004DA3000-memory.dmp

Filesize
268KB

Download
memory/3468-4-0x0000000004D60000-0x0000000004DA3000-memory.dmp

Filesize
268KB

Download
memory/3468-5-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/3468-1-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads