qakbot | 4b0c5b9e5bcc744b7af5b11f77219d6a28c75167f031e5773e2eff3c46cd4235

General

Target

Drezd.red.dll
Size

750KB
MD5

bf82897e4245cd0ad4582e46c9ff5674
SHA1

58f5a1ab77e88693f05946d4336c1a7ac338243f
SHA256

4b0c5b9e5bcc744b7af5b11f77219d6a28c75167f031e5773e2eff3c46cd4235
SHA512

9582b740795d06cf615df14d6920d3ef7880ee7ae2e209b3b975eea896e42861fb82ec8fcf95696f8b7425080f5b6964fd49fcb0af127f52774a0915f35fcba9

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

964 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1768 schtasks.exe

pid	process
964	regsvr32.exe

pid	process
1768	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\b8d17efc = fc7e497ac3e6257116f4d5dd37ee02ec1fd52d58d1d12e8354c32ca55559886d8af1a7ef0198a644df713089bc4eb7401da389d462d82c268dcf75b2eb4cea56ca438f53a187ad9619cd19807df016c35a417d268765d1a8a4eb9420430f26b326e74e7cfb0690a1e52d5d6e656861232f41cc8fcf5d2ebea32cd2a0a0c73a6f611f8b3e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\ba905e80 = 3e60990928ce1ea29ac3504e719da1e6c2fd6cabe505ab8f99e4e781d309093d6a0a443815c6ceb37c8d5aa2eeb834ff5d30d859fbae26d9e29cf2c2444648efeea959ea3205b76782759be43cee6ce2c53cc00f82bfa063f808770ec1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\22c39e5 = 964e312af77a6bd008da7b3cd1af89ac2d5cbd6b54d442b2d137cc8c09f203f78115e568613c58dc35c81b2ac8c16c97b23fc278e422e58f66a74f7878b9fd9af20cfc992defd4eaf21adff31acc44bf28672169f9ea7a8c9b492269	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\7f24766f = 37217f85d22b7fe281b6c4ca0f4de8938ed0fa7cb94392d69a2334d3ba7ea157fe9eac87cdb2c6cb610288f61de7e13a5f9083eeefa377cfdc21c33a84420f305f69e5fa4848bd22b436428a8923b78a2a2c702c7b11a90971c8eab6d104c7ff4497	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\6d1999 = f1d3b6265d832f9ccb73b14646f94d8f7d36	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\8d4eaeb2 = 094dad3ad8a52cc6828d35518382b33af18c41125ef804191c09ed01cce1e8bd61bd4c8c1a04ddfb17bcee7efd68f4330334e690061ac331a1876d2b0d7af61689a9811828605835ef655b1c3c80d73df3b178fa562c29b711cbda9ed9a0078cd2075d586718ab045727	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\c798110a = 77a79b54a2026db9bf67b97f1f6430b5af18d6677dd652217351063b27dbac62087eb56e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\f207c144 = fa797b78c1a85973fd3135b118787f264370a5fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Ymdrrkudnm\8d4eaeb2 = 094dba3ad8a5199ebdbfd61eb01e5897ac34033391d5ea3386e0bbfad069cc3a469d6c09cc5e9c72a9c52c3f8cc2894b967170e03fcd389ea53abb098b301141c19ebab66c005751ad1594b1254f5331df3197247e7aa0542d9e5744c00c5eacbc358a2def44f481e3a9abf7246310a3401691dc21fcbdb0231ce7c8096b92	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ymdrrkudnm	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

832 rundll32.exe
964 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

832 rundll32.exe
964 regsvr32.exe

pid	process
832	rundll32.exe
964	regsvr32.exe

pid	process
832	rundll32.exe
964	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 832	1116	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 832 wrote to memory of 1616	832	rundll32.exe	explorer.exe
PID 1616 wrote to memory of 1768	1616	explorer.exe	schtasks.exe
PID 1616 wrote to memory of 1768	1616	explorer.exe	schtasks.exe
PID 1616 wrote to memory of 1768	1616	explorer.exe	schtasks.exe
PID 1616 wrote to memory of 1768	1616	explorer.exe	schtasks.exe
PID 792 wrote to memory of 1220	792	taskeng.exe	regsvr32.exe
PID 792 wrote to memory of 1220	792	taskeng.exe	regsvr32.exe
PID 792 wrote to memory of 1220	792	taskeng.exe	regsvr32.exe
PID 792 wrote to memory of 1220	792	taskeng.exe	regsvr32.exe
PID 792 wrote to memory of 1220	792	taskeng.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 1220 wrote to memory of 964	1220	regsvr32.exe	regsvr32.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 964 wrote to memory of 1688	964	regsvr32.exe	explorer.exe
PID 1688 wrote to memory of 1816	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1816	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1816	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1816	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1432	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1432	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1432	1688	explorer.exe	reg.exe
PID 1688 wrote to memory of 1432	1688	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ydsjcxkpm /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll\"" /SC ONCE /Z /ST 13:48 /ET 14:00
4⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {051C2B15-16C4-49C2-9116-83C8EAE8EFD6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gevirthq" /d "0"
5⤵
PID:1816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rzugeocczz" /d "0"
5⤵
PID:1432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Drezd.red.dll
MD5
bf82897e4245cd0ad4582e46c9ff5674

SHA1
58f5a1ab77e88693f05946d4336c1a7ac338243f

SHA256
4b0c5b9e5bcc744b7af5b11f77219d6a28c75167f031e5773e2eff3c46cd4235

SHA512
9582b740795d06cf615df14d6920d3ef7880ee7ae2e209b3b975eea896e42861fb82ec8fcf95696f8b7425080f5b6964fd49fcb0af127f52774a0915f35fcba9

Download Submit
\Users\Admin\AppData\Local\Temp\Drezd.red.dll
MD5
bf82897e4245cd0ad4582e46c9ff5674

SHA1
58f5a1ab77e88693f05946d4336c1a7ac338243f

SHA256
4b0c5b9e5bcc744b7af5b11f77219d6a28c75167f031e5773e2eff3c46cd4235

SHA512
9582b740795d06cf615df14d6920d3ef7880ee7ae2e209b3b975eea896e42861fb82ec8fcf95696f8b7425080f5b6964fd49fcb0af127f52774a0915f35fcba9

Download Submit
memory/832-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/832-55-0x0000000074640000-0x0000000074661000-memory.dmp

Filesize
132KB

Download
memory/832-56-0x0000000074640000-0x0000000074712000-memory.dmp

Filesize
840KB

Download
memory/832-60-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/832-53-0x0000000000000000-mapping.dmp

Download
memory/964-75-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/964-69-0x0000000073C80000-0x0000000073CA1000-memory.dmp

Filesize
132KB

Download
memory/964-70-0x0000000073C80000-0x0000000073D52000-memory.dmp

Filesize
840KB

Download
memory/964-66-0x0000000000000000-mapping.dmp

Download
memory/1220-64-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1220-63-0x0000000000000000-mapping.dmp

Download
memory/1432-77-0x0000000000000000-mapping.dmp

Download
memory/1616-61-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1616-59-0x00000000744D1000-0x00000000744D3000-memory.dmp

Filesize
8KB

Download
memory/1616-57-0x0000000000000000-mapping.dmp

Download
memory/1688-71-0x0000000000000000-mapping.dmp

Download
memory/1688-76-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/1816-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads