qakbot | 1c61d76eea89db878348b2de168304396cbe5d404f503a423ed05ae7e7598354

General

Target

another_dll.dll
Size

263KB
MD5

660a42ba7aa190de6de83e577e691b41
SHA1

987d0ea16d3ee9f434be471020ad301bde6853e6
SHA256

1c61d76eea89db878348b2de168304396cbe5d404f503a423ed05ae7e7598354
SHA512

cedf73578bf9d4e91f5d1b9dd1da2c1cfebdf8b468106821996cf61326079096e8373d0085b35cc1668d09e27d8f44d1994ff61b51bbd8e304f4d07305452f86

Score

10^/10

qakbot obama107 1633078880 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama107

Campaign

1633078880

C2

140.82.49.12:443

41.250.143.109:995

216.201.162.158:443

86.8.177.143:443

105.198.236.99:443

124.123.42.115:2222

217.17.56.163:443

37.210.152.224:995

190.198.206.189:2222

75.89.195.186:995

78.191.44.76:995

122.11.220.212:2222

68.186.192.69:443

159.2.51.200:2222

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

120.151.47.189:443

47.22.148.6:443

94.200.181.154:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2116 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

416 schtasks.exe

pid	process
2116	regsvr32.exe

pid	process
416	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\cae71574 = cb989cea0cccfbeeb42366d0fbeb8530f3926b58f3fce3b2e06f92d0de48e5b9ff3a6be2a344d4c21be6b9793d59f0f81c8e5ceddeeb3f9be9a04d6d9aec12228f40f37b44ffbe287310520ff8e507358f92d227ace148218eb77e	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\b5ae7a82 = 3dbe1968fb32bb4a1ed5b22ee45ec2f32d98d127f2d1c888058bf45d5b01eec2e19d234a1a35d963d9b754cefdb1a1ace68bc7dc02af7cf2ccf9fe81b596b294ba21c6a0ffd693af05f1eb54aac9785ec34353f60e4f7385ac6658e55f2cba38dd7d00110cff52d3bb5dddba78c3afdc16e9a938c531	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\f533d9b = 8a260a224736912bafd407338d594390e46995aa4af0303fbebc5e8ec68e01c2142f8293945d6e051ca8193087b6b14a957b8fd3b00e68db989282	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\d121de7 = b182800d6246035d8cfaebacbb6019fe1c2994b5e98ffb89b8084e65a063c1753aa68504751176520b69f4d24768b23e329940b6712cc86c4e65fc8f09f22386cc37ccc6fca14c3eebcc571b26af3f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\ff78c53a = d4efb98ade8bcca69a88491b7e9b321c57507ceb03b08677c634d969223ec25bcfb0778f3594dfb5824bfa7ae7591dfb79b379b92a201f26fc3850bb685d6e768fde200b37362c2535557d5c3779aff0bdfad25108af782de8dfaf3e7f3a59c4e67a6a7a4b3e98cae5ce8bd2f0cb0f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\8031aacc = ade7fafafecea40ab2cde1d3f952cd2fdc97a645d850e4f3e36b55def8252c13c884a618b99be90714	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\8031aacc = ade7edfafece9181138a0506569c31c8ad39282f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\b7ef5afe = fc49b082df9e9fc8597236f46fb2f7b131c989b536824d610ed8900d6042d7c55cc5007ff5c35af54bb2b379337e2a638cf525	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Uiykctf\725b7211 = df4d9100fcdefa2351a29f4372943c08968ff57232ab04f870b3bd428e74ebacb1c16798ae444f3771ebb1613c4400d12278a04644923f2ad9afc5ff9ef94b7260f507e5980a0e97d4d4078eb4e092d10efae4e9791733bbf9e0bcb61be26c6bf8962398	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2824 regsvr32.exe
2824 regsvr32.exe
2116 regsvr32.exe
2116 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2824 regsvr32.exe
2116 regsvr32.exe

pid	process
2824	regsvr32.exe
2824	regsvr32.exe
2116	regsvr32.exe
2116	regsvr32.exe

pid	process
2824	regsvr32.exe
2116	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 904 wrote to memory of 2824	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 2824	904	regsvr32.exe	regsvr32.exe
PID 904 wrote to memory of 2824	904	regsvr32.exe	regsvr32.exe
PID 2824 wrote to memory of 3004	2824	regsvr32.exe	explorer.exe
PID 2824 wrote to memory of 3004	2824	regsvr32.exe	explorer.exe
PID 2824 wrote to memory of 3004	2824	regsvr32.exe	explorer.exe
PID 2824 wrote to memory of 3004	2824	regsvr32.exe	explorer.exe
PID 2824 wrote to memory of 3004	2824	regsvr32.exe	explorer.exe
PID 3004 wrote to memory of 416	3004	explorer.exe	schtasks.exe
PID 3004 wrote to memory of 416	3004	explorer.exe	schtasks.exe
PID 3004 wrote to memory of 416	3004	explorer.exe	schtasks.exe
PID 2056 wrote to memory of 2116	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2116	2056	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 2116	2056	regsvr32.exe	regsvr32.exe
PID 2116 wrote to memory of 2640	2116	regsvr32.exe	explorer.exe
PID 2116 wrote to memory of 2640	2116	regsvr32.exe	explorer.exe
PID 2116 wrote to memory of 2640	2116	regsvr32.exe	explorer.exe
PID 2116 wrote to memory of 2640	2116	regsvr32.exe	explorer.exe
PID 2116 wrote to memory of 2640	2116	regsvr32.exe	explorer.exe
PID 2640 wrote to memory of 3492	2640	explorer.exe	reg.exe
PID 2640 wrote to memory of 3492	2640	explorer.exe	reg.exe
PID 2640 wrote to memory of 3768	2640	explorer.exe	reg.exe
PID 2640 wrote to memory of 3768	2640	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\another_dll.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\another_dll.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ftdgkevsui /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\another_dll.dll\"" /SC ONCE /Z /ST 05:44 /ET 05:56
4⤵
- Creates scheduled task(s)
PID:416

\??\c:\windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\another_dll.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\another_dll.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Visteqqhtax" /d "0"
4⤵
PID:3492

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oyfvtovmchfe" /d "0"
4⤵
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\another_dll.dll
MD5
660a42ba7aa190de6de83e577e691b41

SHA1
987d0ea16d3ee9f434be471020ad301bde6853e6

SHA256
1c61d76eea89db878348b2de168304396cbe5d404f503a423ed05ae7e7598354

SHA512
cedf73578bf9d4e91f5d1b9dd1da2c1cfebdf8b468106821996cf61326079096e8373d0085b35cc1668d09e27d8f44d1994ff61b51bbd8e304f4d07305452f86

Download Submit
\Users\Admin\AppData\Local\Temp\another_dll.dll
MD5
660a42ba7aa190de6de83e577e691b41

SHA1
987d0ea16d3ee9f434be471020ad301bde6853e6

SHA256
1c61d76eea89db878348b2de168304396cbe5d404f503a423ed05ae7e7598354

SHA512
cedf73578bf9d4e91f5d1b9dd1da2c1cfebdf8b468106821996cf61326079096e8373d0085b35cc1668d09e27d8f44d1994ff61b51bbd8e304f4d07305452f86

Download Submit
memory/416-117-0x0000000000000000-mapping.dmp

Download
memory/2116-121-0x0000000000000000-mapping.dmp

Download
memory/2640-123-0x0000000000000000-mapping.dmp

Download
memory/2640-126-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2640-127-0x0000000002E80000-0x0000000002EA1000-memory.dmp

Filesize
132KB

Download
memory/2824-114-0x0000000000000000-mapping.dmp

Download
memory/3004-118-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3004-119-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3004-116-0x0000000002C20000-0x0000000002C41000-memory.dmp

Filesize
132KB

Download
memory/3004-115-0x0000000000000000-mapping.dmp

Download
memory/3492-124-0x0000000000000000-mapping.dmp

Download
memory/3768-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads