qakbot | d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef

Analysis

max time kernel
126s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
Size

1.8MB
MD5

e4e3767fd3a1b1f325c4074f501795ec
SHA1

13b2f0954773bd06eab8eeedfd88c6ff905061c5
SHA256

d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef
SHA512

42c274ef9a408863a56fe728cb5233cda1de4ba6c74dff4cdd32ef55627d0e7673599aa406b699f7bca1554d5eddd67b005beb0daf7dfff0b55acf322b585a13
SSDEEP

6144:bpIOAXjt4ni0WsAloYToJo9nKS2JX48hffTvzk:mtzanpYTP1KS8X48hfrzk

Score

10^/10

qakbot tr 1639042735 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

Campaign

1639042735

190.73.3.148:2222

95.14.105.39:995

140.82.49.12:443

207.246.112.221:443

216.238.71.31:443

207.246.112.221:995

89.137.52.44:443

197.89.105.123:443

96.37.113.36:993

2.222.167.138:443

41.228.22.180:443

105.198.236.99:995

103.142.10.177:443

218.101.110.3:995

202.163.113.56:995

186.64.87.197:443

102.65.38.67:443

117.248.109.38:21

31.215.98.160:443

89.101.97.139:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Powynsfviam = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tczdiysrove = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1084	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\64fc91ee = 0463033c22d3ee5e081b8ee2956b4d1d0f54fd29d0d29ebfc00711561973a5d4bee9103296de6256d1f53a06dfb74a37ec7c7ffda1f3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\a148b901 = bcfe4d200ed3ad741f0096f8198eb283b200a598	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\94d7694f = 571def791c2e8f3dcf67336d73f94ad56db2ca67ed87a104632616526891af784b2ef949693b2a19a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\eb9e06b9 = c9ce24561f2261bb3df4b73ca2911c12e3844c2424dcf8b1138b87c767a65c19f440d41369728d8db2661b5968d6d9c7b8	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Pctjpfnufr	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\eb9e06b9 = c9ce33561f2254ba4d7ed68c893e374fb135ce65a0a902df5ae5520f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\de01d6f7 = b3a0329fdcb247ac0b073b73793ecbc14f7e437da41b3dedfb7de394f3db8ed2ccc6bb8644079a4004a660c131d2569b3a4bf914c9ec3a4e021dd1b8472011edd4799bc4969a43b7539fbe4a7964b2aec0918f04cb06732651c3cff087e876e86bf4693e427477b0f18c09d486690f2fc50930c34af16e1b6ebd30684c5d39a3b28d74fc2201c3fc10d91f77a1ba4b5fc0c010a6f25da1d5c3e6bcefe8b69e2f8706accb66ab	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\dc40f68b = 50a9769d5e994c64f1b2aef270c0ac56873962e90b666e33c5cec949417f6e5703910909e6789aad3e0b26c58e8dcc092aaf2fa534e655e95f5f1fc3d29e2f04ec3cf20abde6f8098289527fbfa7ced62ca5d5cb5c611b96b6de04cdec49b46b4813b9053b9f58907d8be9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\19f4de64 = ad661ef1f1100685a8ec9103fcc4507360cd6ac44941445d675aac923c57a8bae9896795b25763e252f9c7b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Pctjpfnufr\66bdb192 = 72e8fd70efd0ab5be5225b59a5696e842f8e77ea959ee7bbc471ccc3e165c1a48528b3b1539897cd8aa9e1862ddba85a907cb8becc195102f942f77b	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	regsvr32.exe
1084	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2968	regsvr32.exe
1084	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2440 wrote to memory of 2968	2440	regsvr32.exe	30
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2968 wrote to memory of 2124	2968	regsvr32.exe	31
PID 2124 wrote to memory of 2908	2124	explorer.exe	32
PID 2124 wrote to memory of 2908	2124	explorer.exe	32
PID 2124 wrote to memory of 2908	2124	explorer.exe	32
PID 2124 wrote to memory of 2908	2124	explorer.exe	32
PID 1064 wrote to memory of 436	1064	taskeng.exe	35
PID 1064 wrote to memory of 436	1064	taskeng.exe	35
PID 1064 wrote to memory of 436	1064	taskeng.exe	35
PID 1064 wrote to memory of 436	1064	taskeng.exe	35
PID 1064 wrote to memory of 436	1064	taskeng.exe	35
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 436 wrote to memory of 1084	436	regsvr32.exe	36
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 1084 wrote to memory of 2008	1084	regsvr32.exe	37
PID 2008 wrote to memory of 2928	2008	explorer.exe	38
PID 2008 wrote to memory of 2928	2008	explorer.exe	38
PID 2008 wrote to memory of 2928	2008	explorer.exe	38
PID 2008 wrote to memory of 2928	2008	explorer.exe	38
PID 2008 wrote to memory of 1416	2008	explorer.exe	40
PID 2008 wrote to memory of 1416	2008	explorer.exe	40
PID 2008 wrote to memory of 1416	2008	explorer.exe	40
PID 2008 wrote to memory of 1416	2008	explorer.exe	40

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ihossatib /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll\"" /SC ONCE /Z /ST 08:07 /ET 08:19
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2908

C:\Windows\system32\taskeng.exe
taskeng.exe {958565D1-0BE1-478B-B58D-D1C0D5BB483D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Powynsfviam" /d "0"
        5⤵
        Windows security bypass
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tczdiysrove" /d "0"
        5⤵
        Windows security bypass
        
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll

Filesize
1.8MB

MD5
e4e3767fd3a1b1f325c4074f501795ec

SHA1
13b2f0954773bd06eab8eeedfd88c6ff905061c5

SHA256
d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef

SHA512
42c274ef9a408863a56fe728cb5233cda1de4ba6c74dff4cdd32ef55627d0e7673599aa406b699f7bca1554d5eddd67b005beb0daf7dfff0b55acf322b585a13

Download Submit
memory/1084-20-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/2008-24-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2008-23-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2008-22-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-4-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-9-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2124-2-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2968-6-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/2968-0-0x000000001003F000-0x0000000010041000-memory.dmp

Filesize
8KB

Download
memory/2968-1-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download