qakbot | 76936c1191d8c272676f4a45fdca9979e6cd785fc51a688aaeee01231ddf5dc4

General

Target

44481.3965[2].dat.dll
Size

756KB
MD5

acdcd26de7e78893c0b6861316721469
SHA1

2f8716ea8f2747f7fdac054ec58644d6a3a175a4
SHA256

e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1
SHA512

84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Score

10^/10

qakbot obama113 1634023197 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama113

Campaign

1634023197

C2

73.52.50.32:443

167.248.117.81:443

209.236.35.178:443

67.230.44.194:443

72.173.78.211:443

146.66.238.74:443

181.118.183.94:443

94.200.181.154:443

81.250.153.227:2222

69.30.186.190:443

93.48.58.123:2222

136.232.34.70:443

103.142.10.177:443

185.250.148.74:443

174.54.193.186:443

39.49.64.244:995

89.137.52.44:443

77.31.162.93:443

24.107.165.50:443

73.230.205.91:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

800 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1708 schtasks.exe

pid	process
800	regsvr32.exe

pid	process
1708	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Iuooschhaqz	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\e1a78cd3 = 7a49cd35469eb94ab67c05efc40f2b81f5565c420e1721b0f2de05f021266de568f497f7057289227d7ed579e1a1b28b68d348fbb8dd135603d9c69be3162f457def57508a98fe7c7fad29dfce0f759937d7fa78daaafcfbd77736ec8a5014b11fcacef0fad1b7b5101a709bfa4b2c6ea4036bd902a02e6203355eddf58b9e47c8b339852b914be100aee1e487c75ce42d8da23d1031a1450c3796a2ae871bb734f5bf64e40d13efcf06aa4c56b109e3bcc4d597ddd7bcad2fa3ce564ed66cfa53ce8c43bc901de8a51fbf33	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\e3e6acaf = 5f36fd2644e76fda1b51be491f8b66ad9953c9f4d9a699fdb0875df6b88935275544b8db74c2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\5b5acbca = 7e41c10d37e24e0322b2fcffcfc6a2b7ca051f7b277d60796ab3163e8ce1f93761954f434632146fa26ea9d078a1da3f871b0f030fe144d30fef8fa52159336b0789566d89a71ab9a3ad156c8f54682321103fd84b3378355cb8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\26528440 = 5430881149f12bfc2adb2f017956b74e123c36fc3d1df965a73724efdec594ec45150aca4b1595fed7267d36844f397473fa4a6efc9f2a217f12ea817fd82266b944a2b6be	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\d4385c9d = 267f1130edba21eac4278cf636c064ab7e029c5f7ecd6d8a19444927d0adb27497f6a052b21940b5f75b41266e454c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\d4385c9d = 267f0630edba142c92bcf8e0b891912b9be4deec7f3048654602	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\9eeee325 = 08e4d8ae5eae2112275fbd33784c8d68b437bad0a7f9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\591bebb6 = eb3da744838dd7f84700f0fd428edf4844ab95b4fe11131c0366c261492a29	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Iuooschhaqz\ab71336b = bdef4b788bc7a7e87ab1acd601f8fc0274574f354ee887979bbd565eda522f6aa8548b1614a90a257e17c01400cc963b5381b4cbf9e7541c97fc2fcb4832a99a766e8f11acf18dce46e60e8a5d7a88c1f28eaf1daa0c68	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
800 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1308 rundll32.exe
800 regsvr32.exe

pid	process
1308	rundll32.exe
800	regsvr32.exe

pid	process
1308	rundll32.exe
800	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 1308	1988	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1308 wrote to memory of 1964	1308	rundll32.exe	explorer.exe
PID 1964 wrote to memory of 1708	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1708	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1708	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1708	1964	explorer.exe	schtasks.exe
PID 672 wrote to memory of 1808	672	taskeng.exe	regsvr32.exe
PID 672 wrote to memory of 1808	672	taskeng.exe	regsvr32.exe
PID 672 wrote to memory of 1808	672	taskeng.exe	regsvr32.exe
PID 672 wrote to memory of 1808	672	taskeng.exe	regsvr32.exe
PID 672 wrote to memory of 1808	672	taskeng.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 1808 wrote to memory of 800	1808	regsvr32.exe	regsvr32.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 800 wrote to memory of 588	800	regsvr32.exe	explorer.exe
PID 588 wrote to memory of 1332	588	explorer.exe	reg.exe
PID 588 wrote to memory of 1332	588	explorer.exe	reg.exe
PID 588 wrote to memory of 1332	588	explorer.exe	reg.exe
PID 588 wrote to memory of 1332	588	explorer.exe	reg.exe
PID 588 wrote to memory of 916	588	explorer.exe	reg.exe
PID 588 wrote to memory of 916	588	explorer.exe	reg.exe
PID 588 wrote to memory of 916	588	explorer.exe	reg.exe
PID 588 wrote to memory of 916	588	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rhhcocoy /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll\"" /SC ONCE /Z /ST 18:53 /ET 19:05
4⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\taskeng.exe
taskeng.exe {148CB617-5C04-40AF-803A-F87F8FAC13C6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Fpvzqxtfbykw" /d "0"
5⤵
PID:1332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qeahofeolvrv" /d "0"
5⤵
PID:916

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll
MD5
acdcd26de7e78893c0b6861316721469

SHA1
2f8716ea8f2747f7fdac054ec58644d6a3a175a4

SHA256
e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1

SHA512
84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Download Submit
\Users\Admin\AppData\Local\Temp\44481.3965[2].dat.dll
MD5
acdcd26de7e78893c0b6861316721469

SHA1
2f8716ea8f2747f7fdac054ec58644d6a3a175a4

SHA256
e7e9ac9bbc69589e627f913f8605938b96afd929ebc974ffa0955598d19498d1

SHA512
84c29ce85551beda34e86c56da1d0a2a97f080b0073de679183eb5a1493c3a2bd760d414526f43643ec9689a3a010ed357e9428d4bd18c08cc664c9903f00aa7

Download Submit
memory/588-94-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/588-89-0x0000000000000000-mapping.dmp

Download
memory/800-87-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/800-86-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/800-85-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/800-83-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/800-84-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/800-82-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/800-79-0x0000000000000000-mapping.dmp

Download
memory/916-93-0x0000000000000000-mapping.dmp

Download
memory/1308-68-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/1308-65-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1308-61-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1308-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1308-64-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1308-66-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1308-67-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1308-60-0x0000000000000000-mapping.dmp

Download
memory/1308-69-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1332-92-0x0000000000000000-mapping.dmp

Download
memory/1708-74-0x0000000000000000-mapping.dmp

Download
memory/1808-77-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1808-76-0x0000000000000000-mapping.dmp

Download
memory/1964-70-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1964-71-0x0000000000000000-mapping.dmp

Download
memory/1964-73-0x0000000074EB1000-0x0000000074EB3000-memory.dmp

Filesize
8KB

Download
memory/1964-75-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads