qakbot | eee264ecc1c65fad0987ca6d00d8b5ccada71e4fceba8ad9d46cc9e1182a4c01

General

Target

44467.5427719907.dat.dll
Size

750KB
MD5

ab8c8cc09d957afa7ca748011d8ae2d5
SHA1

fc4e881c04b30da109555901e28e10de5fbd42e5
SHA256

09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512

e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1344 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1112 schtasks.exe

pid	process
1344	regsvr32.exe

pid	process
1112	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\9c482cf = faf6dde3468c39ec50456607bd07b0c0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\b339c5d6 = 7d2d5c6a50f8676cf3be90ccc2bf4733f425f6dbc4442688156b165dd4b193c8e09a254dbb748cd3aa9849591aae5b0ee94f3fe5c450302c728c86425dbbb88d2502921a9de65e2b2827c94070ca07bfbd0440685e53a7bc2949d331c0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\41531d0b = a0f3399c8e212bd35d2798135650f89e3ffeb4ebec93b0129c63bbb8c884ed4a15a9ef9bc72db00c1ecc880e5ce7da10064a217a9a9997bd0444fc5469b80e0360e88383f79ca1f977584e69ec	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\b85a2b3 = 9e904dd7d4504a5ddf980418a32da6a25b3c527015b37c5a1d6d140f7aedf5f2326026d80400fa4edfd5a832e65e2394d0a2b17012297c3a07686f544754a7b2113439df4283d21a8f48f86a39270ddad7c3e0ee6a720b9c1c8e117825c769104dc965326d6e49bd7924032dcea62dda308167d5bbafd2e32b8d61a28b35eb435a4eed10c2ac1492fdb6fc6db9898f14f9315b67239f6c62a8d986eca6963f137a347f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\cc70aa20 = 8010253ba1cc2e91a2576cada29fea529f4dff0692eff1ba9935ceeff9ed7256adcc1969e554e41c79bc519899ba7ab9ad53001fbee5ee8c1cce4f6eda80ac2d9cafe9cbc992cd9a5f2fc3eefa54b2227b61893142eca4859d475cccefe2c4853304508c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\74cccd45 = 53f32389f18c7dee17a64bb45805b33aa6af67d116465f874db533c8cc7af283b9934661f50cd3fa16cdcc4d2504152d65c4989f02641e3c8bc37abfd855534d42fc041c509142328976982ebbff37	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\3e1a72fd = 4f71d16098161b4f7d6de90d1d2518a6f0850ee914fb094254a70f99bf7b1da208b6cdd5005844af7b0224e3dd74523765f9691a216d1a9657452b45b0caedbed52cf093f83e34d681371142f61a4a141c3d4517efe5d4ae0006245519d8111464280aafc978fa3378009ffb9960d95fe9ce57fdd84e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\3e1a72fd = 4f71c66098162eb71f3913d8b8f0f90c4d38f6342e8540b2637f38e8bd16af0999c9727dfd1a3398b92694305fab6782909dfa19f6e10c4914e1e385ce5d1155c0572a0e45af07a5dbd21b9d54073d6d48390938cfecd42f86ca7a27b3450bc516	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Hefjarbojuxpe\b178e5aa = c3f1d1d23630964d6a57dc9c69a707174f14c16ba8035a387cd0d315c6343cd9148dad2ceb65091e8f4c96e2a568f599d4b4c605afd0647f78d7740f0811597466f73179d25c78a672a14b	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1104 rundll32.exe
1344 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1104 rundll32.exe
1344 regsvr32.exe

pid	process
1104	rundll32.exe
1344	regsvr32.exe

pid	process
1104	rundll32.exe
1344	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 1104	1768	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 1104 wrote to memory of 524	1104	rundll32.exe	explorer.exe
PID 524 wrote to memory of 1112	524	explorer.exe	schtasks.exe
PID 524 wrote to memory of 1112	524	explorer.exe	schtasks.exe
PID 524 wrote to memory of 1112	524	explorer.exe	schtasks.exe
PID 524 wrote to memory of 1112	524	explorer.exe	schtasks.exe
PID 1160 wrote to memory of 1992	1160	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1992	1160	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1992	1160	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1992	1160	taskeng.exe	regsvr32.exe
PID 1160 wrote to memory of 1992	1160	taskeng.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1992 wrote to memory of 1344	1992	regsvr32.exe	regsvr32.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1344 wrote to memory of 1672	1344	regsvr32.exe	explorer.exe
PID 1672 wrote to memory of 984	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 984	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 984	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 984	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1944	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1944	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1944	1672	explorer.exe	reg.exe
PID 1672 wrote to memory of 1944	1672	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sotkmgcqnk /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll\"" /SC ONCE /Z /ST 13:04 /ET 13:16
      4⤵
      Creates scheduled task(s)
      PID:1112

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2028

C:\Windows\system32\taskeng.exe
taskeng.exe {A5A4BFB6-C63A-48DD-802E-C457A1A9F988} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Nusmacuwd" /d "0"
        5⤵
        
        PID:984
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yhnquokiar" /d "0"
        5⤵
        
        PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll

MD5
ab8c8cc09d957afa7ca748011d8ae2d5

SHA1
fc4e881c04b30da109555901e28e10de5fbd42e5

SHA256
09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7

SHA512
e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Download Submit
\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll

MD5
ab8c8cc09d957afa7ca748011d8ae2d5

SHA1
fc4e881c04b30da109555901e28e10de5fbd42e5

SHA256
09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7

SHA512
e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Download Submit
memory/524-58-0x0000000000000000-mapping.dmp

Download
memory/524-60-0x0000000074AF1000-0x0000000074AF3000-memory.dmp

Filesize
8KB

Download
memory/524-63-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/984-75-0x0000000000000000-mapping.dmp

Download
memory/1104-54-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1104-57-0x0000000074CD0000-0x0000000074DA2000-memory.dmp

Filesize
840KB

Download
memory/1104-56-0x0000000074CD0000-0x0000000074CF1000-memory.dmp

Filesize
132KB

Download
memory/1104-62-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1104-53-0x0000000000000000-mapping.dmp

Download
memory/1112-61-0x0000000000000000-mapping.dmp

Download
memory/1344-70-0x0000000074280000-0x00000000742A1000-memory.dmp

Filesize
132KB

Download
memory/1344-67-0x0000000000000000-mapping.dmp

Download
memory/1344-71-0x0000000074280000-0x0000000074352000-memory.dmp

Filesize
840KB

Download
memory/1344-76-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1672-72-0x0000000000000000-mapping.dmp

Download
memory/1672-77-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1944-78-0x0000000000000000-mapping.dmp

Download
memory/1992-64-0x0000000000000000-mapping.dmp

Download
memory/2028-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads