qakbot | 0f64719ae1aeb82cb3bacd7846fb0980f0fa058db16aa0c604ab655478d34078

General

Target

unpacked_qbot.dll
Size

119KB
MD5

bacea46a71135fa781914c7778029ee7
SHA1

251efd0ade7526d59404e446971d9e4b617bce0a
SHA256

0f64719ae1aeb82cb3bacd7846fb0980f0fa058db16aa0c604ab655478d34078
SHA512

44a97253250fae932938b1e81f775b31cffc9c69be0d8a1ff3bca5ac866ae4c5d18b1885570fea82e83a362d848674525384f3f1dfdeaf2637184dd911e8b19a

Score

10^/10

qakbot tr 1632730751 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1604 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2512 schtasks.exe

pid	process
1604	regsvr32.exe

pid	process
2512	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\f93f8285 = b6937453d780e56c8e72b15f7e4e9059dc32f70fdd998a4b8ab9a8afd3947e215e3f728bbe649b2b7fd75d9d17a4d2b17d90b8b37a4f8ce0536001033311596d82d76a27fd06866fe1f02af4ef17fedf1d9fa4b1c9621c2eb4269fb9e0e211	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\cee172b7 = ed0130bd48522c8c683af532d0ee22b887ccf189ee6514c0b509d675a0be85fdc45545afde1f5ab810b27e0ae75a124ee68f7e3b526a3cb40ccfeecc34f667d373cb42c4d67a7cb6bd8b7325069e651ee8f8831ee4daab89bd76	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\765d15d2 = d69e4de22728cdfe1bf366e78a31abe3d8bd7ec2dfad1b9d215eac0f8ac4be1c2ec1b32f8184f360265a44b80717b7d17a52de2dd877d39282b05a0e8c8f9fe1e98e80cfd9f829876d9d3a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\b3e93d3d = 3684f71e1e3586d7a8fa20279ecd1eaacad5f9f9f99c1f0a4b8baa42cd2e911d0ebc743d7c6e30e2095854e21868682eb03bbc35f022e05ff5b63716f2d14f1c5625b24aa81f1f866d3b40954bfdc9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\cca052cb = e0d32fba6cbd1cb9c058c4fd02003ebb5bf3400aad8ba75fbd78ba77aa62bf4c5b1a1911d618967b3c5b576ec3947d357cb0897c5dc09fe1a5b44a675477a32f9c831dd9b1339ae54f5b123a43cec5df6fb29bc2254da04e4ad6d2bae430eed80e19a2fd4fbceef0c473821490ed0e176ade854917f612cd0d8fe4504ca1f6d0e270f745375ffc7f59	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\b555a58 = de63abcb4421a41c9213ab5801234a0879468cc311493d8a7eb93fe81c79013f48bb446cd04be723f16b188483b0216f05b33f5c6dd206cd9b7b42b7e39c00f28f358d38ddd4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\741c35ae = e7bb8da034949ec0280e6db9f5e405851721f3a1ac3f0decd53fdf2f9057278bf9ea19305258a76e8bb34f5584461191fc6aca27f7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\8676ed73 = 8079c0507d23e654f0ad8475a698c9539fac2e464ca31602ced35774ee	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ocqiobsviqout\f93f8285 = b6936353d780d06fc1261141ea853784a4b6c870abcf237f5e54c8d06f0b2ae05427d19d04f302edf2a7ba083be4bd44a2e3f5f56c5474ef1f6e970a95e73b95b6066f5c2c0b8848ff422a814223df3c53428ec8954d0feb5ccf02b916849785350765e0b2494234adae2c4d3226fd6082203386	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2352 regsvr32.exe
2352 regsvr32.exe
1604 regsvr32.exe
1604 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2352 regsvr32.exe
1604 regsvr32.exe

pid	process
2352	regsvr32.exe
2352	regsvr32.exe
1604	regsvr32.exe
1604	regsvr32.exe

pid	process
2352	regsvr32.exe
1604	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2176 wrote to memory of 2352	2176	regsvr32.exe	regsvr32.exe
PID 2176 wrote to memory of 2352	2176	regsvr32.exe	regsvr32.exe
PID 2176 wrote to memory of 2352	2176	regsvr32.exe	regsvr32.exe
PID 2352 wrote to memory of 2468	2352	regsvr32.exe	explorer.exe
PID 2352 wrote to memory of 2468	2352	regsvr32.exe	explorer.exe
PID 2352 wrote to memory of 2468	2352	regsvr32.exe	explorer.exe
PID 2352 wrote to memory of 2468	2352	regsvr32.exe	explorer.exe
PID 2352 wrote to memory of 2468	2352	regsvr32.exe	explorer.exe
PID 2468 wrote to memory of 2512	2468	explorer.exe	schtasks.exe
PID 2468 wrote to memory of 2512	2468	explorer.exe	schtasks.exe
PID 2468 wrote to memory of 2512	2468	explorer.exe	schtasks.exe
PID 3320 wrote to memory of 1604	3320	regsvr32.exe	regsvr32.exe
PID 3320 wrote to memory of 1604	3320	regsvr32.exe	regsvr32.exe
PID 3320 wrote to memory of 1604	3320	regsvr32.exe	regsvr32.exe
PID 1604 wrote to memory of 508	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 508	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 508	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 508	1604	regsvr32.exe	explorer.exe
PID 1604 wrote to memory of 508	1604	regsvr32.exe	explorer.exe
PID 508 wrote to memory of 1388	508	explorer.exe	reg.exe
PID 508 wrote to memory of 1388	508	explorer.exe	reg.exe
PID 508 wrote to memory of 944	508	explorer.exe	reg.exe
PID 508 wrote to memory of 944	508	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eskfnnyeh /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll\"" /SC ONCE /Z /ST 16:37 /ET 16:49
4⤵
- Creates scheduled task(s)
PID:2512

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hytfw" /d "0"
4⤵
PID:1388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Bgxvnnmeqg" /d "0"
4⤵
PID:944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll
MD5
bacea46a71135fa781914c7778029ee7

SHA1
251efd0ade7526d59404e446971d9e4b617bce0a

SHA256
0f64719ae1aeb82cb3bacd7846fb0980f0fa058db16aa0c604ab655478d34078

SHA512
44a97253250fae932938b1e81f775b31cffc9c69be0d8a1ff3bca5ac866ae4c5d18b1885570fea82e83a362d848674525384f3f1dfdeaf2637184dd911e8b19a

Download Submit
\Users\Admin\AppData\Local\Temp\unpacked_qbot.dll
MD5
bacea46a71135fa781914c7778029ee7

SHA1
251efd0ade7526d59404e446971d9e4b617bce0a

SHA256
0f64719ae1aeb82cb3bacd7846fb0980f0fa058db16aa0c604ab655478d34078

SHA512
44a97253250fae932938b1e81f775b31cffc9c69be0d8a1ff3bca5ac866ae4c5d18b1885570fea82e83a362d848674525384f3f1dfdeaf2637184dd911e8b19a

Download Submit
memory/508-124-0x0000000000000000-mapping.dmp

Download
memory/508-129-0x0000000000E30000-0x0000000000E51000-memory.dmp

Filesize
132KB

Download
memory/944-126-0x0000000000000000-mapping.dmp

Download
memory/1388-125-0x0000000000000000-mapping.dmp

Download
memory/1604-122-0x0000000000000000-mapping.dmp

Download
memory/2352-115-0x0000000000000000-mapping.dmp

Download
memory/2468-116-0x0000000000000000-mapping.dmp

Download
memory/2468-120-0x0000000001070000-0x0000000001091000-memory.dmp

Filesize
132KB

Download
memory/2512-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads