qakbot | cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

General

Target

44467.702902662.dat.dll
Size

750KB
MD5

3adc41a38c53d9798e9be8d135ba47d8
SHA1

854b7b23da76f583e6c157e643e1e0e50dd902e4
SHA256

cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11
SHA512

c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

524 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1724 schtasks.exe

pid	process
524	regsvr32.exe

pid	process
1724	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Sluvbhpzdabv	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\5faa97d1 = 6e7a6515ffa2b07df3a70d0ca1ab07b535c724025922103e2c5d8d67c20bb7a75e75657d0ebd80785d7eeaf8149b3578fa6a6efe409061ebeeb185bef9e57c6b61fc4f9672d29fee44d4bb1537b7a40bb77ad8af33ffccb743fd9cd0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\20e3f827 = af755359ddc11083d810077a793d8156a0a4e0f807157464d547600433b5092b0e3868518168547c5cc52e1f90b8b0f0bfd8ac50ca954a0f39d5a3589a549b56097a9283ceeed487341a7eaf9807cb0f273e6dc0b6cb2d89f16c01063674c0e1749f4bae390334e5c9a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\d28920fa = 24792d034f062bc52531c76547579d83455228576017b8eba797cc88310aeba2b6c86e7518f25b3b6e5f00e3fa91d3c41f4abcf7fcba06e75d40f760218ffea86748f2c928fc5456abf36035b5b7f96da8631cbbce53e9189c90270dfd60969bfe800e9e3e6f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\adc04f0c = a6933acbe28075346805adaa40c455d1af829dccad3d0d7ccdacbcc3a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\adc04f0c = a6932dcbe2804008	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\985f9f42 = 482ff6dbe733eb75ef89d8196f7ded944107271f8ea5710af4c9e50538d879b5a3b5614447a43e8bbc25fe426736374dfd05b01c4b3f3470ec40bb3bb8515aa6790bcd4268c2391a13023b8f6ee0fb9bdcec351b1dcde603dbf48ed8e5c5f78c272e5d091eb13ac1f756bddaeb9111d171e23ee06560e8a6d48481d59185a8b21dd662a6c2915f8599b843fb241c64efba2ad4414a3716943dc03111a3279301ecb7b2bee18a008c7d203b0f11eaaab389627cb5a23fb8bc93298e2e36dedcc45927	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\9a1ebf3e = e263ee1fdcd44d36112c6223da709a248ed435225ccee22b117f9350d717381b0934064ff882aebc736b2a037d0bf34ce62dff40cad541ba4c13a15d400348ef76f3637ee0d1902b99d56e12654a3b43331b8d35cb34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\22a2d85b = 4cd03284a2fab62a615033f48b2281bdffb30aaf7e3f1cc10cfa0c10b41a917647b7f80538ead8ed4f6e56f3751ecf2797d0f5860963	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sluvbhpzdabv\e716f0b4 = 2d648d087fb442bf3f04c4ea34f7835351e8ea595a10ffd64e4904a638bd2fb3f5e3210956faad4d86d8ad327399fae2902fcc1a1b91d095eb02a215670855313c1ef842072d8b18aa28f3f639e31730695bee	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1800 rundll32.exe
524 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1800 rundll32.exe
524 regsvr32.exe

pid	process
1800	rundll32.exe
524	regsvr32.exe

pid	process
1800	rundll32.exe
524	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 1800	1208	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1800 wrote to memory of 1780	1800	rundll32.exe	explorer.exe
PID 1780 wrote to memory of 1724	1780	explorer.exe	schtasks.exe
PID 1780 wrote to memory of 1724	1780	explorer.exe	schtasks.exe
PID 1780 wrote to memory of 1724	1780	explorer.exe	schtasks.exe
PID 1780 wrote to memory of 1724	1780	explorer.exe	schtasks.exe
PID 1312 wrote to memory of 1368	1312	taskeng.exe	regsvr32.exe
PID 1312 wrote to memory of 1368	1312	taskeng.exe	regsvr32.exe
PID 1312 wrote to memory of 1368	1312	taskeng.exe	regsvr32.exe
PID 1312 wrote to memory of 1368	1312	taskeng.exe	regsvr32.exe
PID 1312 wrote to memory of 1368	1312	taskeng.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 1368 wrote to memory of 524	1368	regsvr32.exe	regsvr32.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 524 wrote to memory of 976	524	regsvr32.exe	explorer.exe
PID 976 wrote to memory of 576	976	explorer.exe	reg.exe
PID 976 wrote to memory of 576	976	explorer.exe	reg.exe
PID 976 wrote to memory of 576	976	explorer.exe	reg.exe
PID 976 wrote to memory of 576	976	explorer.exe	reg.exe
PID 976 wrote to memory of 1644	976	explorer.exe	reg.exe
PID 976 wrote to memory of 1644	976	explorer.exe	reg.exe
PID 976 wrote to memory of 1644	976	explorer.exe	reg.exe
PID 976 wrote to memory of 1644	976	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nljvnjpo /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll\"" /SC ONCE /Z /ST 17:01 /ET 17:13
4⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {5D5D6235-A1ED-461B-9EB1-27D835AD55AE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Gbwwuqtk" /d "0"
5⤵
PID:576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Cizigswwizb" /d "0"
5⤵
PID:1644

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll
MD5
3adc41a38c53d9798e9be8d135ba47d8

SHA1
854b7b23da76f583e6c157e643e1e0e50dd902e4

SHA256
cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

SHA512
c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\44467.702902662.dat.dll
MD5
3adc41a38c53d9798e9be8d135ba47d8

SHA1
854b7b23da76f583e6c157e643e1e0e50dd902e4

SHA256
cf0c686564c106b2da71b916c7d022e77894c6dd48e5dc8fec000254def55f11

SHA512
c9b9302e9ab3fd345b561e856183d15a65b3f042eb168927abc8177538e97bb271cd6bd7bd87411f46671abbc48bafbb997ccdfa4ba4999ce4335059530da581

Download Submit
memory/524-84-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/524-76-0x0000000073CE0000-0x0000000073D01000-memory.dmp

Filesize
132KB

Download
memory/524-77-0x0000000073CE0000-0x0000000073DB2000-memory.dmp

Filesize
840KB

Download
memory/524-73-0x0000000000000000-mapping.dmp

Download
memory/576-82-0x0000000000000000-mapping.dmp

Download
memory/976-85-0x0000000000110000-0x0000000000131000-memory.dmp

Filesize
132KB

Download
memory/976-78-0x0000000000000000-mapping.dmp

Download
memory/1368-71-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1368-70-0x0000000000000000-mapping.dmp

Download
memory/1644-83-0x0000000000000000-mapping.dmp

Download
memory/1724-68-0x0000000000000000-mapping.dmp

Download
memory/1780-69-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/1780-67-0x0000000074551000-0x0000000074553000-memory.dmp

Filesize
8KB

Download
memory/1780-65-0x0000000000000000-mapping.dmp

Download
memory/1800-60-0x0000000000000000-mapping.dmp

Download
memory/1800-64-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1800-62-0x0000000074730000-0x0000000074751000-memory.dmp

Filesize
132KB

Download
memory/1800-63-0x0000000074730000-0x0000000074802000-memory.dmp

Filesize
840KB

Download
memory/1800-61-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads