qakbot | d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef

General

Target

d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
Size

1.8MB
MD5

e4e3767fd3a1b1f325c4074f501795ec
SHA1

13b2f0954773bd06eab8eeedfd88c6ff905061c5
SHA256

d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef
SHA512

42c274ef9a408863a56fe728cb5233cda1de4ba6c74dff4cdd32ef55627d0e7673599aa406b699f7bca1554d5eddd67b005beb0daf7dfff0b55acf322b585a13
SSDEEP

6144:bpIOAXjt4ni0WsAloYToJo9nKS2JX48hffTvzk:mtzanpYTP1KS8X48hfrzk

Score

10^/10

qakbot tr 1639042735 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

tr

Campaign

1639042735

C2

190.73.3.148:2222

95.14.105.39:995

140.82.49.12:443

207.246.112.221:443

216.238.71.31:443

207.246.112.221:995

89.137.52.44:443

197.89.105.123:443

96.37.113.36:993

2.222.167.138:443

41.228.22.180:443

105.198.236.99:995

103.142.10.177:443

218.101.110.3:995

202.163.113.56:995

186.64.87.197:443

102.65.38.67:443

117.248.109.38:21

31.215.98.160:443

89.101.97.139:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Thxaegckqpce = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Cydwelksg = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
3340	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\f733378b = 5580e8c86cf8dc63bf425b3101ff2e1c65e1f754e68921d0eafc7cf733e48c655b3a9c118a46e6c581c9c27464f233176e458bfcfde1283f6c0b68f69e3db957f4f33ec88cab881f99f4e7e0870ed428b3e80d3e52e6a8a6ec8a461f5c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\c2ace7c5 = 3eb086ecdb2b7994a855f52c2ce606d44ed7421fb08e937d787a1a446c609321dec31f1fa0255690319d9eea2413a6d70913d2a4b8c1ec40624755acf79d3eb3c7577c56b4fb6a7301d2098ddc2834cff34dcde819fb5fa4b62ca16b7bc87d744c86ac32f301b1b56dcd7cf41791a7c5d858fb2fa7e1e1efc87c23eaafee65a07d2640	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\7851a0dc = 14b4b574c24a3a95e0c5105be4870a10c3f9fde22d06469db47290dae0f9d73dc5dbdf88f97d176dee7daa7953926a32fc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\c0edc7b9 = 36a623b1037c514d053a1ecc7c7f29d00a2acdd278a4303590168cc9e29973734c2afb3b9787c9848d79b81f2a9ecf86481a358f103e2c91e7eceac1a3c890afde351c468f858a503eb681a90d29922fffb514b07639	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\559ef56 = 2b99c32a626c9251345ff7cff1f1abd145c7bc055cd68a94749471a354f7d2870ae4487865e2871d52d62c478ae4928ee7dcd96b0109903e1e9884f93b02e162ab717d11202ab9f5cd6b4c0faef04cc8e85e1abf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\bde58833 = b0b7bfa2c45714b671071429e978305a79ea9a26a9725bb07192451d4c1342677e77dcaa19d67ffff6911966e685611edc4238536a0e734ad1d6826cb6fc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\7a1080a0 = b9dc5345f30f963926948859e71e0d30f4c415f16b9b00630b49b3294e028d0f67eda312affacd290967031c1ddd035824c23d0fb2f847d6d18c1a8c4e72e6567f6b57f0c6744db5db9a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\887a587d = 7ee2243e78454115e2a4b648e88e6a4d16647647504ba2bbf28ded9cd2a95b63b1883c36ad6180594b70c78e71097d0b122be0446ed8e6aaa42536e83c15568f7e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Cryughtrkglwp\f733378b = 5580ffc86cf8e9f51c23edb607ff17a93500590371e3bfa5ed4d4e51675f509a7142c8e45f674f7ec63193d4619c808e56c520226ceb0327451022c28e11eb3a2fd1010fa014cfe43de9adbc5367a2ed9462df404aadd1ba3d60c3fbcbb98b11e62370e091393c822e1fb5f23bb6627b1f22	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2800	regsvr32.exe
2800	regsvr32.exe
3340	regsvr32.exe
3340	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2800	regsvr32.exe
3340	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 2800	3196	regsvr32.exe	83
PID 3196 wrote to memory of 2800	3196	regsvr32.exe	83
PID 3196 wrote to memory of 2800	3196	regsvr32.exe	83
PID 2800 wrote to memory of 3696	2800	regsvr32.exe	84
PID 2800 wrote to memory of 3696	2800	regsvr32.exe	84
PID 2800 wrote to memory of 3696	2800	regsvr32.exe	84
PID 2800 wrote to memory of 3696	2800	regsvr32.exe	84
PID 2800 wrote to memory of 3696	2800	regsvr32.exe	84
PID 3696 wrote to memory of 3952	3696	explorer.exe	85
PID 3696 wrote to memory of 3952	3696	explorer.exe	85
PID 3696 wrote to memory of 3952	3696	explorer.exe	85
PID 852 wrote to memory of 3340	852	regsvr32.exe	103
PID 852 wrote to memory of 3340	852	regsvr32.exe	103
PID 852 wrote to memory of 3340	852	regsvr32.exe	103
PID 3340 wrote to memory of 332	3340	regsvr32.exe	104
PID 3340 wrote to memory of 332	3340	regsvr32.exe	104
PID 3340 wrote to memory of 332	3340	regsvr32.exe	104
PID 3340 wrote to memory of 332	3340	regsvr32.exe	104
PID 3340 wrote to memory of 332	3340	regsvr32.exe	104
PID 332 wrote to memory of 1976	332	explorer.exe	105
PID 332 wrote to memory of 1976	332	explorer.exe	105
PID 332 wrote to memory of 1904	332	explorer.exe	107
PID 332 wrote to memory of 1904	332	explorer.exe	107

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gxqscur /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll\"" /SC ONCE /Z /ST 08:07 /ET 08:19
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3952

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Thxaegckqpce" /d "0"
      4⤵
      Windows security bypass
      PID:1976
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Cydwelksg" /d "0"
      4⤵
      Windows security bypass
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef.dll

Filesize
1.8MB

MD5
e4e3767fd3a1b1f325c4074f501795ec

SHA1
13b2f0954773bd06eab8eeedfd88c6ff905061c5

SHA256
d3220cd7725feffe76ab026ac3f11661d9f1aa6b04042a57897e8856399e3eef

SHA512
42c274ef9a408863a56fe728cb5233cda1de4ba6c74dff4cdd32ef55627d0e7673599aa406b699f7bca1554d5eddd67b005beb0daf7dfff0b55acf322b585a13

Download Submit
memory/332-21-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/332-20-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/332-19-0x0000000000800000-0x0000000000821000-memory.dmp

Filesize
132KB

Download
memory/2800-1-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/2800-2-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/2800-0-0x000000001003F000-0x0000000010041000-memory.dmp

Filesize
8KB

Download
memory/2800-5-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/3340-17-0x0000000010000000-0x00000000101CA000-memory.dmp

Filesize
1.8MB

Download
memory/3696-3-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/3696-12-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/3696-9-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/3696-10-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download
memory/3696-8-0x0000000000860000-0x0000000000881000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads