qakbot | 52f818ae518c008f0139fe006ba139239db225d8d67816274d9ad3efb4bc81ca

General

Target

44351.7355255787.dat.dll
Size

378KB
MD5

f84f4afdf87d8ca3e8b72f8283514143
SHA1

e8851df38788d0c3e24f6a414b05e15de57fabff
SHA256

52f818ae518c008f0139fe006ba139239db225d8d67816274d9ad3efb4bc81ca
SHA512

a3ca3b3c198e0582cca739f72f1e01f5bcd643fb268c1b529315e430e8f440296c7cd7bcac427b470510e84262715b44f81b0ce31e703a362eb6083576cf2618

Score

10^/10

qakbot obama104 1632729661 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

obama104

Campaign

1632729661

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2420 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1084 schtasks.exe

pid	process
2420	regsvr32.exe

pid	process
1084	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\cbbdd33e = 70fb5506a1ba9121f78a667012f1c91522e637690ce931ff22c3ebf7e4a713d0538207bdf2825311651159e42f1dfff9614935dbccc9359be31250a7c2b218	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\39d70be3 = 4df4a3f1ec431f43f7dc791cecc3fe54672ccaa77615d87dca8bbb9dcbd23a187fde99d4e3f72a3c825ab1f89c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\469e6415 = edad39aa1cbfd2f0eb80de65c2f6ba65811ff4e527da99378e78ba5bbbc737d3eb0c05446385670ef5776cd714671a04c683e52df4c71e03f38ce376ee69599c1b64c1fe34416d55e34129c5874f10f6a7e1420d8b433da2e6298eee	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\fe220370 = b99a1310f188814d5d9c597e777ec610351a2f1a5917fc7f91e8cb21428c0d02c8e2f63da454a3edf24843a30a0b8d05456984b78470d032bc43a70451e14db275020d827d6f6498d2d457a3dd126d5e6bdf31162c62f0851995cd0abf98085a6d92b292b5eb0061ba0848f78e3ba50172d00d9bceaca6265c613ae8ff809579c056d1babefa285adbb9f8e5cf418cf72f64832be3949fff99a3dd40ccdd8065765a675509	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\fc63230c = 42b241cf85aefb875f89df040b84ea89f97456be9fcaf711e8b71da6b556e690a5c75584043a06cf214f3d1ee8dc7f9d19e3ee8054c64d800263ad1b34d2a20fffb04b5660bcaae2e2a0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\44df4469 = 8dd5e3e03fb13a495ab8a4a9f39b92b93d79f2604eab234e3837a9a7443edfeb6468417ca58ef29138e676f5f34022e2f0e3ee68321aaa49119f6a6159b3159d8ea5f51c2fdc86481f41e8045194d61f5b87e6b7438ff8efd942283c04c2437e90	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\816b6c86 = 3ff33060e0ae3105d1fabf4464a2a3ea3bf9ccc12acf137f33f81dc50c8152ed21f8d2888d61ca2e252b5113805083dcb1873e2c2002acf91d9cf2bb30f0ee36d64901608472e689ebecc80f7c206236307b575bd295aaca68b25dbbcb80a12696	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\b4f4bcc8 = 7e8185bb028b0596327d9ebfea340f07bec66c40514393037b677ff3e9e83ca0b0128186bdbd5a9f86c7b247995c130217e122c09623	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Xkwuqxft\cbbdd33e = 70fb4206a1baa4ae10c47535e130b07cf02ba3eaf605947973ea04248eaf22218f83155f01a7c682cabd32536414dff00071c10b98b9c1b4da72dfd942087b50d46a847617628237f75008ef20800b7f437b3d5e	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

908 rundll32.exe
908 rundll32.exe
2420 regsvr32.exe
2420 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

908 rundll32.exe
2420 regsvr32.exe

pid	process
908	rundll32.exe
908	rundll32.exe
2420	regsvr32.exe
2420	regsvr32.exe

pid	process
908	rundll32.exe
2420	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 644 wrote to memory of 908	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 908	644	rundll32.exe	rundll32.exe
PID 644 wrote to memory of 908	644	rundll32.exe	rundll32.exe
PID 908 wrote to memory of 476	908	rundll32.exe	explorer.exe
PID 908 wrote to memory of 476	908	rundll32.exe	explorer.exe
PID 908 wrote to memory of 476	908	rundll32.exe	explorer.exe
PID 908 wrote to memory of 476	908	rundll32.exe	explorer.exe
PID 908 wrote to memory of 476	908	rundll32.exe	explorer.exe
PID 476 wrote to memory of 1084	476	explorer.exe	schtasks.exe
PID 476 wrote to memory of 1084	476	explorer.exe	schtasks.exe
PID 476 wrote to memory of 1084	476	explorer.exe	schtasks.exe
PID 1544 wrote to memory of 2420	1544	regsvr32.exe	regsvr32.exe
PID 1544 wrote to memory of 2420	1544	regsvr32.exe	regsvr32.exe
PID 1544 wrote to memory of 2420	1544	regsvr32.exe	regsvr32.exe
PID 2420 wrote to memory of 3744	2420	regsvr32.exe	explorer.exe
PID 2420 wrote to memory of 3744	2420	regsvr32.exe	explorer.exe
PID 2420 wrote to memory of 3744	2420	regsvr32.exe	explorer.exe
PID 2420 wrote to memory of 3744	2420	regsvr32.exe	explorer.exe
PID 2420 wrote to memory of 3744	2420	regsvr32.exe	explorer.exe
PID 3744 wrote to memory of 3960	3744	explorer.exe	reg.exe
PID 3744 wrote to memory of 3960	3744	explorer.exe	reg.exe
PID 3744 wrote to memory of 3100	3744	explorer.exe	reg.exe
PID 3744 wrote to memory of 3100	3744	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn knvhpkimn /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll\"" /SC ONCE /Z /ST 16:36 /ET 16:48
4⤵
- Creates scheduled task(s)
PID:1084

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hjheu" /d "0"
4⤵
PID:3960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Psxpy" /d "0"
4⤵
PID:3100

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll
MD5
f84f4afdf87d8ca3e8b72f8283514143

SHA1
e8851df38788d0c3e24f6a414b05e15de57fabff

SHA256
52f818ae518c008f0139fe006ba139239db225d8d67816274d9ad3efb4bc81ca

SHA512
a3ca3b3c198e0582cca739f72f1e01f5bcd643fb268c1b529315e430e8f440296c7cd7bcac427b470510e84262715b44f81b0ce31e703a362eb6083576cf2618

Download Submit
\Users\Admin\AppData\Local\Temp\44351.7355255787.dat.dll
MD5
f84f4afdf87d8ca3e8b72f8283514143

SHA1
e8851df38788d0c3e24f6a414b05e15de57fabff

SHA256
52f818ae518c008f0139fe006ba139239db225d8d67816274d9ad3efb4bc81ca

SHA512
a3ca3b3c198e0582cca739f72f1e01f5bcd643fb268c1b529315e430e8f440296c7cd7bcac427b470510e84262715b44f81b0ce31e703a362eb6083576cf2618

Download Submit
memory/476-117-0x0000000000000000-mapping.dmp

Download
memory/476-121-0x0000000002900000-0x0000000002921000-memory.dmp

Filesize
132KB

Download
memory/908-114-0x0000000000000000-mapping.dmp

Download
memory/908-116-0x0000000010000000-0x0000000010062000-memory.dmp

Filesize
392KB

Download
memory/908-115-0x0000000004DE0000-0x0000000004E6E000-memory.dmp

Filesize
568KB

Download
memory/1084-118-0x0000000000000000-mapping.dmp

Download
memory/2420-123-0x0000000000000000-mapping.dmp

Download
memory/2420-125-0x0000000003560000-0x00000000035A2000-memory.dmp

Filesize
264KB

Download
memory/3100-128-0x0000000000000000-mapping.dmp

Download
memory/3744-126-0x0000000000000000-mapping.dmp

Download
memory/3744-131-0x00000000028B0000-0x00000000028D1000-memory.dmp

Filesize
132KB

Download
memory/3960-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads