qakbot | eee264ecc1c65fad0987ca6d00d8b5ccada71e4fceba8ad9d46cc9e1182a4c01

General

Target

44467.5427719907.dat.dll
Size

750KB
MD5

ab8c8cc09d957afa7ca748011d8ae2d5
SHA1

fc4e881c04b30da109555901e28e10de5fbd42e5
SHA256

09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7
SHA512

e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3284 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2716 schtasks.exe

pid	process
3284	regsvr32.exe

pid	process
2716	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\6dd47dff = f5a828aa5610b4cd21fd94842e12d62d8c48f290680684d164f790113d72da5d93b7d9120ff1d53a6e147e5b3e529c35bb6b195df2b168f2ff268bf4c0a79cdc71d521e457	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\129d1209 = 0eb4d6ed468e6c4aef2592a88cf316b88ac8385bb965223ab4044b21ed5627a8c0ac00694e82da9522aa22e7ed1aa8b2a7ca3fd88a5fa843b6c677570cc41afa73a7fc7a419c56c096e39321e109d9a610f4f368c95565d9c743a175626201931a0c5aa8db675a21f1cc2001d26c251af7d9c4a0e84c20a9893eaa6e1d6f586e08ed6e34e24cd927b4e66b436c6a7b8876b7b601f13566fd1089c94d8aa47470efa0eb123cc09f743bb84703a55ae0fac60e609efb9fa7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\a8605510 = 70ca53fb35cf014a754a3505e039492075a3f8ecd1cf54aaf160a8e3a71cf6f6518c6abb0efe2b265ec7b80a2d6ea95589c1baeab44994d73d6ceebf319672a756e17756b12568e221c4a4c5b98c190ddc99aaa30f624f2d1c8d68d3d18ecc93617639e40d2602703d9aba	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\aa21756c = 937bcbb7877505837bcdd87a76d237a6f8209ebe62c4ea11387f6564da965ccc40a5e07ddfd9ddecad696620d7fd095c6cdd8f57f586f5333b726b348413e473643257942a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\584badb1 = 338f89a7a5c65c8404afbfa447b71e9468a1f572f8f5294862a041b5b40b710fd7d508aa1760788bfd7fb9d159e0decf0f51afcbf3dbf5986b0be4559f099b5d34b55d3bd2b0552ff56356bb7ae4dc380fb59236	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\2702c247 = 006ba1f17817dd7a3fab4c30cde974dd017961f806724bb0054e8571039b62fabd1dba7c5f95937d38dde6c69164c434c1b7ad15	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\2702c247 = 006bb6f17817e88fee7fd09645ff59f800c2a946b694dc283a32f123c0ecfe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\10dc3275 = 35fa5a6df59fc6d5509dd6d5379c79a91a40671118067a99aa78765d760acc55a86b8e0a19cc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Qecxkooqb\d5681a9a = da56a3b7ed4d935ea6492673f21403f44024ca4a4cef9b36f874824991b8737a6c1a80f0b3b02f3307144e384ff06f26	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
836 rundll32.exe
3284 regsvr32.exe
3284 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

836 rundll32.exe
3284 regsvr32.exe

pid	process
836	rundll32.exe
836	rundll32.exe
3284	regsvr32.exe
3284	regsvr32.exe

pid	process
836	rundll32.exe
3284	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 664 wrote to memory of 836	664	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 836 wrote to memory of 2528	836	rundll32.exe	explorer.exe
PID 2528 wrote to memory of 2716	2528	explorer.exe	schtasks.exe
PID 2528 wrote to memory of 2716	2528	explorer.exe	schtasks.exe
PID 2528 wrote to memory of 2716	2528	explorer.exe	schtasks.exe
PID 2696 wrote to memory of 3284	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 3284	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 3284	2696	regsvr32.exe	regsvr32.exe
PID 3284 wrote to memory of 3516	3284	regsvr32.exe	explorer.exe
PID 3284 wrote to memory of 3516	3284	regsvr32.exe	explorer.exe
PID 3284 wrote to memory of 3516	3284	regsvr32.exe	explorer.exe
PID 3284 wrote to memory of 3516	3284	regsvr32.exe	explorer.exe
PID 3284 wrote to memory of 3516	3284	regsvr32.exe	explorer.exe
PID 3516 wrote to memory of 3880	3516	explorer.exe	reg.exe
PID 3516 wrote to memory of 3880	3516	explorer.exe	reg.exe
PID 3516 wrote to memory of 3696	3516	explorer.exe	reg.exe
PID 3516 wrote to memory of 3696	3516	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn osrlwlqag /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll\"" /SC ONCE /Z /ST 15:05 /ET 15:17
4⤵
- Creates scheduled task(s)
PID:2716

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Dolifozec" /d "0"
4⤵
PID:3880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oukdchpcb" /d "0"
4⤵
PID:3696

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll
MD5
ab8c8cc09d957afa7ca748011d8ae2d5

SHA1
fc4e881c04b30da109555901e28e10de5fbd42e5

SHA256
09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7

SHA512
e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Download Submit
\Users\Admin\AppData\Local\Temp\44467.5427719907.dat.dll
MD5
ab8c8cc09d957afa7ca748011d8ae2d5

SHA1
fc4e881c04b30da109555901e28e10de5fbd42e5

SHA256
09c8d348a81e3a8688e44a78b4fcb1577163fcba3f36fcb116950a3814edccd7

SHA512
e6e0f4d4ca4ff12d025c728dddd18ae47b95769b1a40e28e5f5bdb7ff153a089901c380d262259a729e20a8022fe589a6f681db9cec71f8940dfdaa84dcbb440

Download Submit
memory/836-115-0x0000000073620000-0x0000000073641000-memory.dmp

Filesize
132KB

Download
memory/836-116-0x0000000073620000-0x00000000736F2000-memory.dmp

Filesize
840KB

Download
memory/836-117-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/836-114-0x0000000000000000-mapping.dmp

Download
memory/2528-118-0x0000000000000000-mapping.dmp

Download
memory/2528-122-0x0000000002EA0000-0x0000000002EC1000-memory.dmp

Filesize
132KB

Download
memory/2716-119-0x0000000000000000-mapping.dmp

Download
memory/3284-124-0x0000000000000000-mapping.dmp

Download
memory/3284-126-0x0000000072330000-0x0000000072351000-memory.dmp

Filesize
132KB

Download
memory/3284-127-0x0000000072330000-0x0000000072402000-memory.dmp

Filesize
840KB

Download
memory/3284-128-0x0000000003000000-0x00000000030AE000-memory.dmp

Filesize
696KB

Download
memory/3516-129-0x0000000000000000-mapping.dmp

Download
memory/3516-132-0x0000000002B10000-0x0000000002B31000-memory.dmp

Filesize
132KB

Download
memory/3696-131-0x0000000000000000-mapping.dmp

Download
memory/3880-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads