[QuickNote] Qakbot 5.0 – Decrypt strings and configuration
Common Information
UUID: 80ee18e0-3344-4532-94cc-a68ca625aa9c
Fingerprint: 530047dd68d4e3f6
Analysis status: DONE
Considered CTI value: 0
Text language:
Published: April 24, 2024, 7:57 a.m.
Added to db: Aug. 31, 2024, 6:08 a.m.
Last updated: Nov. 17, 2024, 6:55 p.m.
Headline: 0day in {REA_TEAM}
Title: [QuickNote] Qakbot 5.0 – Decrypt strings and configuration
Detected Hints/Tags/Attributes: 47/1/180
RSS Feed
Id: 146
Enabled:
Feed title: 0day in {REA_TEAM}
Url: https://kienmanowar.wordpress.com/feed/
Added to db: 2024-08-30 22:08
Attributes