qakbot | 05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

General

Target

44467.7730002314.dat.dll
Size

750KB
MD5

e2ea31f06e36a66fe29fdad302410e36
SHA1

6e7b7faee6212f233373c559f0e8900f80b7098a
SHA256

05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038
SHA512

87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1108 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2676 schtasks.exe

pid	process
1108	regsvr32.exe

pid	process
2676	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\471add44 = 580d12d1c18d77bc3cbd8aadf615ca446262e02eccf54b88bfff64ffb5f300904a27e589d1a7ce949ef24e54	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\82aef5ab = 43974ce80f3bc28e232e685792bf6763ba40123945074500380a7009a8eae0025fc5c29e09907a0d2f876fcddd2eb00ada7716c310c43fe773236f0168177338eb9b575235	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\455bfd38 = f6f08ccb5d20f12a4327cbfd575f67605bda876e5e3aa4bb4e6b91b02fc1bd746bc98dabb8509b5bb57be13434862d3ec742df5575a488a53ae6baf4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\b73125e5 = f6fc27554c83852084e52ba525dae2cc0c247b814d18281fe38f16266f550807536d96af49be1562bbb4f24bd6ae028574445f7039ce9ed9cf35a98d6dd3e3f3bed2543d88ca699e0cd0	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\c8784a13 = effd73dad2f548be211a360909ebaae6bbb8806ed52741508c8232595600b2619a614b2acca17002265204ec6b0b2bdf1133fed4fc68a58fa44cde7fa17efe21a6f8e5f7fd0a1e9a63e90d1949654e6c71ab8f00	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\fde79a5d = 0397b796965dcfbc2f3acc0554f536d896dd8dbb0d23b5dbc20f892e56276774adfbf830348a467dd59c27469b678bd5f67aff25b9deca4240f3153e29c70ca254705ed89f9613b3eb38e5f2b3227903da814c114803718ea37203cafda8f482d2d9a9f18c2cd473291883f7f188f306e84f5e1bc9f756c9613f530634e3c234c480cb820e5467da5bacc56ce7d69065414b0202de	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\ffa6ba21 = 027c72ecd51af0af3383cc7caba58f87a4d0e00f1e23b247b1081ad4c995127b31c53887cf8e6e0dc756b77869c2788382e196e87af2bab3fa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\3a1292ce = 603c0e2a0a135c4a422ad60c5b5e96dc17b3421d8155d45d484586893dd2b47d8bfd1787c751faadfc002af34e32b5d391f187c6d9f364d73fe04ac2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Zadjfjuulax\c8784a13 = effd64dad2f57de255aa814f9abe13cd2e5dbdcca739bf43c9d30b18fb46b02da3747d404785db17dc3e95b741884e42d2ff508b9c64ba7d7f9d6f4065c703ed9b6da1e24fc849d970067ac73ff718f5fe0fb9bce02f9b577a6e63f2368f55d34a52e56748a931e8d4	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1868 rundll32.exe
1868 rundll32.exe
1108 regsvr32.exe
1108 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1868 rundll32.exe
1108 regsvr32.exe

pid	process
1868	rundll32.exe
1868	rundll32.exe
1108	regsvr32.exe
1108	regsvr32.exe

pid	process
1868	rundll32.exe
1108	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1784 wrote to memory of 1868	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1868	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1868	1784	rundll32.exe	rundll32.exe
PID 1868 wrote to memory of 2516	1868	rundll32.exe	explorer.exe
PID 1868 wrote to memory of 2516	1868	rundll32.exe	explorer.exe
PID 1868 wrote to memory of 2516	1868	rundll32.exe	explorer.exe
PID 1868 wrote to memory of 2516	1868	rundll32.exe	explorer.exe
PID 1868 wrote to memory of 2516	1868	rundll32.exe	explorer.exe
PID 2516 wrote to memory of 2676	2516	explorer.exe	schtasks.exe
PID 2516 wrote to memory of 2676	2516	explorer.exe	schtasks.exe
PID 2516 wrote to memory of 2676	2516	explorer.exe	schtasks.exe
PID 304 wrote to memory of 1108	304	regsvr32.exe	regsvr32.exe
PID 304 wrote to memory of 1108	304	regsvr32.exe	regsvr32.exe
PID 304 wrote to memory of 1108	304	regsvr32.exe	regsvr32.exe
PID 1108 wrote to memory of 2524	1108	regsvr32.exe	explorer.exe
PID 1108 wrote to memory of 2524	1108	regsvr32.exe	explorer.exe
PID 1108 wrote to memory of 2524	1108	regsvr32.exe	explorer.exe
PID 1108 wrote to memory of 2524	1108	regsvr32.exe	explorer.exe
PID 1108 wrote to memory of 2524	1108	regsvr32.exe	explorer.exe
PID 2524 wrote to memory of 840	2524	explorer.exe	reg.exe
PID 2524 wrote to memory of 840	2524	explorer.exe	reg.exe
PID 2524 wrote to memory of 4076	2524	explorer.exe	reg.exe
PID 2524 wrote to memory of 4076	2524	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aiartfi /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll\"" /SC ONCE /Z /ST 15:49 /ET 16:01
      4⤵
      Creates scheduled task(s)
      PID:2676

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Kihyudyiduks" /d "0"
      4⤵
      PID:840
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nycullaagy" /d "0"
      4⤵
      PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll

MD5
e2ea31f06e36a66fe29fdad302410e36

SHA1
6e7b7faee6212f233373c559f0e8900f80b7098a

SHA256
05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

SHA512
87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Download Submit
\Users\Admin\AppData\Local\Temp\44467.7730002314.dat.dll

MD5
e2ea31f06e36a66fe29fdad302410e36

SHA1
6e7b7faee6212f233373c559f0e8900f80b7098a

SHA256
05bd9cbf9725884979435d684a7268a75eb05d5916dc85325b0286e9ed71a038

SHA512
87b3af9ce4f72e6c7d2920654f6dde2ed274674bf6b3e3092ab987aceb29c2d47b9ee512a4c044e64a37ba703eff775c575d5cfddb64986eafd2572cab442f87

Download Submit
memory/840-131-0x0000000000000000-mapping.dmp

Download
memory/1108-129-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1108-125-0x0000000000000000-mapping.dmp

Download
memory/1108-128-0x00000000728A0000-0x0000000072972000-memory.dmp

Filesize
840KB

Download
memory/1108-127-0x00000000728A0000-0x00000000728C1000-memory.dmp

Filesize
132KB

Download
memory/1868-118-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1868-116-0x0000000073B90000-0x0000000073BB1000-memory.dmp

Filesize
132KB

Download
memory/1868-115-0x0000000000000000-mapping.dmp

Download
memory/1868-117-0x0000000073B90000-0x0000000073C62000-memory.dmp

Filesize
840KB

Download
memory/2516-119-0x0000000000000000-mapping.dmp

Download
memory/2516-123-0x0000000000C70000-0x0000000000C91000-memory.dmp

Filesize
132KB

Download
memory/2524-130-0x0000000000000000-mapping.dmp

Download
memory/2524-133-0x0000000001090000-0x00000000010B1000-memory.dmp

Filesize
132KB

Download
memory/2676-120-0x0000000000000000-mapping.dmp

Download
memory/4076-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads