qakbot | 7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

General

Target

1.dat.dll
Size

905KB
MD5

dbf66cf845c6af2445cb611215c84282
SHA1

ae1c4b5d117e57bf8d541edab0e0bd100db07ea1
SHA256

7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc
SHA512

300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

Score

10^/10

qakbot obama116 1634289383 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama116

Campaign

1634289383

C2

41.228.22.180:443

188.55.249.239:995

120.150.218.241:995

37.117.191.19:2222

68.204.7.158:443

81.241.252.59:2078

196.207.140.40:995

174.54.193.186:443

63.143.92.99:995

197.89.144.200:443

86.220.112.26:2222

73.52.50.32:443

103.82.211.39:465

146.66.238.74:443

167.248.117.81:443

2.222.167.138:443

181.118.183.94:443

103.82.211.39:995

78.179.137.102:995

89.137.52.44:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1276 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

628 schtasks.exe

pid	process
1276	regsvr32.exe

pid	process
628	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Seazvegg	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\6cfb5bae = 4fe14604c7230f20cce23ffee32ab33d205cfe7cf2a488d94fe11e8b7b6021c5d76f9232d4cd43914949d3461ee1a02cd4f426f2fed21cf6f85fad30c3b92db42ab902fb54760713db6e05cb9ef15cd24ca40767541e2db4e198077053696869f9e82354859e96b88b31b572172590cfbea981538ff8990508e8edda036c14e7336116f54e034eda29fde78ce383a7499906969e5e21e7021691cd8afd9c9a543673de144474813a801dd0fc8d61da19bd3b42fc9172bd296d5273ec2bd9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\6eba7bd2 = f4d502b39b240b089572b1a22b5b26ef546fa151b2df2a01985d6ce84948a58141dacb505fde1d24a82febe8cc0e892fe74cf4754637b183f79b017b8fd776d73f7f144297bf160652ad39b646bf98aaca89fa9dd2878148badf897be760141e99924aefcfd8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\d6061cb7 = 3060b75cb9d075df240542a8d3a7b9255b3e210ca81d4bf65e2771eb5a921f687a962fad6be66a85cf929a36e459fb488a74a0be2f6f93	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\13b23458 = 1779072eadc9288143ee990c89e501b57e9acdb52344472816c2a1c2dea9452106a12a9d32058cb77ca0c9c7ca73f48300ee9afd9b4b05456843d92e64567ef1d1313f0532b71e82e1ff981d816ec8ee3767956066d69beed75cbb5b65046a80a69e006c5a5dd20c294793c8f33df907d0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\59648be0 = f58363c2ac226d9dd30cc2ef2d8001d81a95eff001462d98b57e9901486ac898ebed462335454522a0ada1d404139aa34e7c2630f6e0ed3b147454214e4bf770d202323d55efe263f53416dd48a2eb0e403041fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\59648be0 = f58374c2ac2258726800dc0528c74ae00a1f2dc29d6518b69c3467904ca83b711e3c9515e785f68a912e5f0a2b37bb1286e6aa3e8bcffd5ae454e1365837db	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\ab0e533d = ed24145c2efca79ec1a29c3fccbe8b7bd55e2ceb67fc53142ca79b727093de458efee8426e0451d4819dde9bfd0ca0f361497b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\d4473ccb = cdea06a8c21f7cf1988afd504943356b8b22cb1a750c9031d7ae94f96e9f2bbde68540b0b67d5ce616e30a6bf6ded6957c67227669	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Seazvegg\262de416 = 04dfd8a309757a35e243d9a3c654a72e7fe893789024d5d0a867018be464d770a1390e6c8e0553a4fa76b25cac5c6775a3fbd5017d23d8293c4ae03df7843171ca1dce2d4386bcc9f682678777	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

968 rundll32.exe
1276 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

968 rundll32.exe
1276 regsvr32.exe

pid	process
968	rundll32.exe
1276	regsvr32.exe

pid	process
968	rundll32.exe
1276	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 968	1504	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 968 wrote to memory of 1388	968	rundll32.exe	explorer.exe
PID 1388 wrote to memory of 628	1388	explorer.exe	schtasks.exe
PID 1388 wrote to memory of 628	1388	explorer.exe	schtasks.exe
PID 1388 wrote to memory of 628	1388	explorer.exe	schtasks.exe
PID 1388 wrote to memory of 628	1388	explorer.exe	schtasks.exe
PID 1516 wrote to memory of 1896	1516	taskeng.exe	regsvr32.exe
PID 1516 wrote to memory of 1896	1516	taskeng.exe	regsvr32.exe
PID 1516 wrote to memory of 1896	1516	taskeng.exe	regsvr32.exe
PID 1516 wrote to memory of 1896	1516	taskeng.exe	regsvr32.exe
PID 1516 wrote to memory of 1896	1516	taskeng.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1276	1896	regsvr32.exe	regsvr32.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1276 wrote to memory of 1832	1276	regsvr32.exe	explorer.exe
PID 1832 wrote to memory of 836	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 836	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 836	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 836	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 876	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 876	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 876	1832	explorer.exe	reg.exe
PID 1832 wrote to memory of 876	1832	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dat.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dat.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn iyofmsoe /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1.dat.dll\"" /SC ONCE /Z /ST 14:41 /ET 14:53
4⤵
- Creates scheduled task(s)
PID:628

C:\Windows\system32\taskeng.exe
taskeng.exe {93DDD8FA-6ED7-4785-898F-ECE2DF82FBEC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1.dat.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\1.dat.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Fjlyirrraue" /d "0"
5⤵
PID:836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Erwezrtqs" /d "0"
5⤵
PID:876

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.dat.dll
MD5
dbf66cf845c6af2445cb611215c84282

SHA1
ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

SHA256
7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

SHA512
300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

Download Submit
\Users\Admin\AppData\Local\Temp\1.dat.dll
MD5
dbf66cf845c6af2445cb611215c84282

SHA1
ae1c4b5d117e57bf8d541edab0e0bd100db07ea1

SHA256
7cd8216e129493641bbe7f573b13425bcf52923bad83ee532abd66fed293d9fc

SHA512
300c569c6221b7d24ecee114d9cee1a7f9f6873de2ba21cf41f115f2e456a81b7348b584c1d5c442b5bfa3624538f16e3f9e7f756158a302f12187f657c984b7

Download Submit
memory/628-63-0x0000000000000000-mapping.dmp

Download
memory/836-78-0x0000000000000000-mapping.dmp

Download
memory/876-79-0x0000000000000000-mapping.dmp

Download
memory/968-57-0x0000000074400000-0x0000000074585000-memory.dmp

Filesize
1.5MB

Download
memory/968-53-0x0000000000000000-mapping.dmp

Download
memory/968-58-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/968-56-0x0000000074400000-0x0000000074421000-memory.dmp

Filesize
132KB

Download
memory/968-55-0x0000000074400000-0x0000000074585000-memory.dmp

Filesize
1.5MB

Download
memory/968-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1276-80-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1276-71-0x0000000073970000-0x0000000073AF5000-memory.dmp

Filesize
1.5MB

Download
memory/1276-73-0x0000000073970000-0x0000000073AF5000-memory.dmp

Filesize
1.5MB

Download
memory/1276-72-0x0000000073970000-0x0000000073991000-memory.dmp

Filesize
132KB

Download
memory/1276-68-0x0000000000000000-mapping.dmp

Download
memory/1388-59-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1388-64-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1388-62-0x0000000074291000-0x0000000074293000-memory.dmp

Filesize
8KB

Download
memory/1388-60-0x0000000000000000-mapping.dmp

Download
memory/1832-75-0x0000000000000000-mapping.dmp

Download
memory/1832-81-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1896-66-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1896-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads