qakbot | 124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9

Analysis

max time kernel
93s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll
Size

890KB
MD5

c5123472fea581386bb7836b3d74ad41
SHA1

fd70e66ca5dad0546d306dad9e4c94c8ff9f55e1
SHA256

124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9
SHA512

30edec6c59881d793b39cbdcee831c424f5e9d8bd57c97723eda4958da93ffbd224a62a330625e1b94e6f95ccdcd7e0f4155448d15ebda4b230d1dc4927fc5d7
SSDEEP

24576:tvmCkl3miQH9ZfSCFEz8uViMKvb/o2ggJcWMeQRqgW:tvmr3m1jSCFMKvjjXJcF9qgW

Score

10^/10

qakbot biden54 1634810637 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

biden54

Campaign

1634810637

136.143.11.232:443

63.143.92.99:995

182.176.180.73:443

136.232.34.70:443

123.252.190.14:443

216.201.162.158:443

37.208.181.198:61200

140.82.49.12:443

197.89.144.102:443

89.137.52.44:443

109.12.111.14:443

78.191.24.189:995

105.198.236.99:995

196.207.140.40:995

41.235.69.115:443

2.222.167.138:443

117.198.156.56:443

24.231.209.2:6881

27.223.92.142:995

96.246.158.154:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Eonazpkaibat = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ifdylkxn = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2812	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeexplorer.exerundll32.exeexplorer.exeschtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\a49a0e25 = 36b28911ca41b447d1f35e6de190331a09bf37fa779031a1af93012d9eff4d04b3f371c4e0e5c4b6189aa3e282340fba545a16966a596103f3f090268b89e4aac2a11b844add66bac11cd24009051f6c1ff7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\1c266940 = 6ad12fbfb552ec61f20b4e96087699ec92dfbe36e5b9ad84b95963577d05114ceea09888dc57f6958f031a129712d2fa026c395c8d99b039dc70e5198c81d61e22cf8b8785ea8248	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\dbd361d3 = fbda0f316e481efc96a8615eaec2ec3c1c73b2c5802b1d8561347a43bf900bf9910b9ad753aceeba99b2d3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\29b9b90e = 61d3ddf25b7735cb839a76afc6ce44367d18c97f7114d97aad54f1cb794ffcc09c866c1aadb3cac9cce2425f119bdd3fc9517eef5558e25f373fecaa37fb60b4af2f4f01b8f350e25bc60dbc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\56f0d6f8 = c6d002aa5965020174b8702de049832e553a3c3ef0e4f2035d65483448d44048bb03fe3f51ab917960e8414eb3c14d3667a3a1cc480058fe83	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zugrzdma	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\d99241af = 2cc535855e296329cd072d4fcc05fdb728d4bfa104b2c281e5f6cfe27310c57415ca847153728230e6243cec8f9704ad51f1408be144d2d25918b8d78bc8d54dfecb22940c49f1e8e8828d0ecb5895e0e9c476f80b77906afec9644d8265246747fcf66c788602ef3ee38a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\612e26ca = 070f5f89665485ebdb919e6953cc791780aafef00f573e945e1829e0c0431108ae51b5559915398eb33a775fc8737fe47f983c64640f2b4d47e2096f171ae10130d2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\56f0d6f8 = c6d015aa596537668a02d8ca5572e9551cc65bd7b63011ddbcc383e2b6d5506cda0a291c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Zugrzdma\636f06b6 = 3aa63bd3fa25c0c02b7c2b2ba08a16a222c255fe740f9924647c810070ac66ade057e0f4a56aff21d3e821f13e77df21955bdfd9b54b18c6aa3f316eed0c1a065307126069cd08d3b21a582e28135b33f9e90575ad4b873e92e4bd43c81fb218becb547fae9bc3f891	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2280	rundll32.exe
2812	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2280	rundll32.exe
2812	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 1044 wrote to memory of 2280	1044	rundll32.exe	28
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2280 wrote to memory of 2128	2280	rundll32.exe	29
PID 2128 wrote to memory of 2372	2128	explorer.exe	30
PID 2128 wrote to memory of 2372	2128	explorer.exe	30
PID 2128 wrote to memory of 2372	2128	explorer.exe	30
PID 2128 wrote to memory of 2372	2128	explorer.exe	30
PID 1484 wrote to memory of 552	1484	taskeng.exe	35
PID 1484 wrote to memory of 552	1484	taskeng.exe	35
PID 1484 wrote to memory of 552	1484	taskeng.exe	35
PID 1484 wrote to memory of 552	1484	taskeng.exe	35
PID 1484 wrote to memory of 552	1484	taskeng.exe	35
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 552 wrote to memory of 2812	552	regsvr32.exe	36
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2812 wrote to memory of 2336	2812	regsvr32.exe	37
PID 2336 wrote to memory of 1336	2336	explorer.exe	38
PID 2336 wrote to memory of 1336	2336	explorer.exe	38
PID 2336 wrote to memory of 1336	2336	explorer.exe	38
PID 2336 wrote to memory of 1336	2336	explorer.exe	38
PID 2336 wrote to memory of 1656	2336	explorer.exe	40
PID 2336 wrote to memory of 1656	2336	explorer.exe	40
PID 2336 wrote to memory of 1656	2336	explorer.exe	40
PID 2336 wrote to memory of 1656	2336	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iaixkbndm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll\"" /SC ONCE /Z /ST 03:54 /ET 04:06
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2372

C:\Windows\system32\taskeng.exe
taskeng.exe {167A4F3A-BF8D-4892-A412-E7A45BC0314D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eonazpkaibat" /d "0"
        5⤵
        Windows security bypass
        
        PID:1336
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ifdylkxn" /d "0"
        5⤵
        Windows security bypass
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9.dll

Filesize
890KB

MD5
c5123472fea581386bb7836b3d74ad41

SHA1
fd70e66ca5dad0546d306dad9e4c94c8ff9f55e1

SHA256
124e21d7703c5c6180684f184752f50d78e12ab15dc18657c2e8f7fa70173af9

SHA512
30edec6c59881d793b39cbdcee831c424f5e9d8bd57c97723eda4958da93ffbd224a62a330625e1b94e6f95ccdcd7e0f4155448d15ebda4b230d1dc4927fc5d7

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2128-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2128-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2128-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2280-4-0x0000000074640000-0x0000000074733000-memory.dmp

Filesize
972KB

Download
memory/2280-0-0x0000000074640000-0x0000000074733000-memory.dmp

Filesize
972KB

Download
memory/2280-7-0x0000000074640000-0x0000000074733000-memory.dmp

Filesize
972KB

Download
memory/2280-3-0x000000007471F000-0x0000000074725000-memory.dmp

Filesize
24KB

Download
memory/2280-1-0x0000000074640000-0x0000000074733000-memory.dmp

Filesize
972KB

Download
memory/2336-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2336-27-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2336-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2812-20-0x0000000073BD0000-0x0000000073CC3000-memory.dmp

Filesize
972KB

Download
memory/2812-19-0x0000000073BD0000-0x0000000073CC3000-memory.dmp

Filesize
972KB

Download
memory/2812-24-0x0000000073BD0000-0x0000000073CC3000-memory.dmp

Filesize
972KB

Download