qakbot | e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1

General

Target

44481.6902336806.dat.dll
Size

756KB
MD5

acdcd26de7e78893c0b6861316721469
SHA1

2f8716ea8f2747f7fdac054ec58644d6a3a175a4
SHA256

e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1
SHA512

84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Score

10^/10

qakbot obama113 1634023197 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama113

Campaign

1634023197

C2

73.52.50.32:443

167.248.117.81:443

209.236.35.178:443

67.230.44.194:443

72.173.78.211:443

146.66.238.74:443

181.118.183.94:443

94.200.181.154:443

81.250.153.227:2222

69.30.186.190:443

93.48.58.123:2222

136.232.34.70:443

103.142.10.177:443

185.250.148.74:443

174.54.193.186:443

39.49.64.244:995

89.137.52.44:443

77.31.162.93:443

24.107.165.50:443

73.230.205.91:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1320 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe

pid	process
1320	regsvr32.exe

pid	process
1496	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\b6dda77 = aa5670c3233d23ba3cd4d66fe52f40cf6fa3f92564afdaf1311517204f5c4f3fcc522fd4b5f5a227dfa1dfd58a054b50858eb958aa9fddc283b132c2a14c33e2a1fd1417df143f9dcaec7f09216d0107a4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\ced9f298 = 1dfee2f63996d30d52a5c78ccb5941d8b6377ea7b69ed18e5cb50cc387ab86fb60398acb6017dafaa6e73b60b596496bd8f9f34f81ba96bc6aba305162885776122307cbbb9e6a3d56fbb8238092866063f578e4465dbbfd26e851eabd047a9fd7e35830d267e17de9a37d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\766595fd = 1c8e3c9a46805ba94ab546400e3d974d21c01422f28da8e22bcd7363f5c5fd7c8fb3b4619f0037bab7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\b1909d6e = a56364f22e4d25612187949a423a76d17e0c4bbf0b6a01	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Gkellmub	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\3cb32a45 = 7ed98b7d15958a299700688773498d207030d68fef75ddf23c9fc9ee8abfd9cf4d5f58b92f304fd1996da9b2950149dc2ccdf54e0e6d59bc27a1ec66bdb5e20bb8055cbafbbd5ea89e19c445277c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\43fa45b3 = 2974c31876f3394a7fc7e99c322fe1542da3f360a8d705d2b25806f47f4b486d603bebfb5a50bcf250b4793a2a815ad3ee5d0226fb5fce4fee84d5047894ce07f1e555c7685bcfa42c5c01dca2c21cee75135cac9df773a95b72d7c7f85cb973e641	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\3cb32a45 = 7ed99c7d1595bf03a78ca65b8110cf2134b9d814da08af495f6fc1ff9ce5f91f45bf937b8bc089682c40a286bf118d593af8cc910d36a90fd8cb54e321dd65b25b29a59c4b01a792f4aeb3b9884cf845b731fc5e39938b2372d81a166e38348a511394	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\92cfa0b = 5f3370a0c4f923f9fe240013304c04d16a9f4890fdce21688035c427fb30cc3c9542f48974177dfe17718d5ae19cc4c1dbd5b299b3f46872c36a4ee60dd80fd39b785f1cb04e25c2a28f89cbc585fd2fbd361b10cbc0c89f82ef650b28b77cd96f7809d23201e830a1783712239690ec5f38169a3e9083311f28fd8245c75e52d2596077e98bd5a354b723f9e4e6b26bb6bcd7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gkellmub\b3d1bd12 = 479ba6b0403e78808855b3a1d3bdf29efef4b64d4d6463d282799b7996e95696e845064e76b7677f9430d687d45742ea34c028	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

952 rundll32.exe
1320 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

952 rundll32.exe
1320 regsvr32.exe

pid	process
952	rundll32.exe
1320	regsvr32.exe

pid	process
952	rundll32.exe
1320	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 1324 wrote to memory of 952	1324	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 952 wrote to memory of 864	952	rundll32.exe	explorer.exe
PID 864 wrote to memory of 1496	864	explorer.exe	schtasks.exe
PID 864 wrote to memory of 1496	864	explorer.exe	schtasks.exe
PID 864 wrote to memory of 1496	864	explorer.exe	schtasks.exe
PID 864 wrote to memory of 1496	864	explorer.exe	schtasks.exe
PID 1060 wrote to memory of 1580	1060	taskeng.exe	regsvr32.exe
PID 1060 wrote to memory of 1580	1060	taskeng.exe	regsvr32.exe
PID 1060 wrote to memory of 1580	1060	taskeng.exe	regsvr32.exe
PID 1060 wrote to memory of 1580	1060	taskeng.exe	regsvr32.exe
PID 1060 wrote to memory of 1580	1060	taskeng.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	regsvr32.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 1704	1320	regsvr32.exe	explorer.exe
PID 1704 wrote to memory of 1428	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 1428	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 1428	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 1428	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 816	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 816	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 816	1704	explorer.exe	reg.exe
PID 1704 wrote to memory of 816	1704	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jjmwutvw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll\"" /SC ONCE /Z /ST 14:20 /ET 14:32
4⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {C366AD48-DA1C-41DF-8F73-B5A69D2DD5F7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Hurifvtp" /d "0"
5⤵
PID:1428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nfavsuxygwu" /d "0"
5⤵
PID:816

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll
MD5
acdcd26de7e78893c0b6861316721469

SHA1
2f8716ea8f2747f7fdac054ec58644d6a3a175a4

SHA256
e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1

SHA512
84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\44481.6902336806.dat.dll
MD5
acdcd26de7e78893c0b6861316721469

SHA1
2f8716ea8f2747f7fdac054ec58644d6a3a175a4

SHA256
e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1

SHA512
84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Download Submit
memory/816-89-0x0000000000000000-mapping.dmp

Download
memory/864-64-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/864-69-0x0000000000100000-0x0000000000121000-memory.dmp

Filesize
132KB

Download
memory/864-67-0x00000000749E1000-0x00000000749E3000-memory.dmp

Filesize
8KB

Download
memory/864-65-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/952-62-0x00000000003E0000-0x000000000041B000-memory.dmp

Filesize
236KB

Download
memory/952-63-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/952-60-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/952-61-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/952-58-0x0000000000430000-0x0000000000451000-memory.dmp

Filesize
132KB

Download
memory/952-57-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/952-56-0x00000000004E0000-0x00000000005A1000-memory.dmp

Filesize
772KB

Download
memory/952-54-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1320-81-0x0000000000E40000-0x0000000000E61000-memory.dmp

Filesize
132KB

Download
memory/1320-80-0x0000000000E40000-0x0000000000E61000-memory.dmp

Filesize
132KB

Download
memory/1320-76-0x0000000000860000-0x0000000000921000-memory.dmp

Filesize
772KB

Download
memory/1320-77-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1320-79-0x0000000000E40000-0x0000000000E61000-memory.dmp

Filesize
132KB

Download
memory/1320-78-0x0000000000E40000-0x0000000000E61000-memory.dmp

Filesize
132KB

Download
memory/1320-82-0x0000000000E40000-0x0000000000E61000-memory.dmp

Filesize
132KB

Download
memory/1320-73-0x0000000000000000-mapping.dmp

Download
memory/1428-88-0x0000000000000000-mapping.dmp

Download
memory/1496-68-0x0000000000000000-mapping.dmp

Download
memory/1580-71-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

Filesize
8KB

Download
memory/1580-70-0x0000000000000000-mapping.dmp

Download
memory/1704-84-0x0000000000000000-mapping.dmp

Download
memory/1704-90-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads