qakbot | 3d49f30ed4cef3d532cbc73d99560d7c81db4928e8e2e81d2c83ef09196f17c1

Resubmissions

14-01-2025 14:37

250114-ry87yszrey 10

01-12-2021 16:04

211201-thx6vsgfe7 10

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-en-20211104
submitted
01-12-2021 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Volet2.ocx.dll
Size

807KB
MD5

70ea022ce20cc54eca56b4ef9b49fcb4
SHA1

d58e7bcf9c7949b8ddaf9129a9504202094b48a3
SHA256

3d49f30ed4cef3d532cbc73d99560d7c81db4928e8e2e81d2c83ef09196f17c1
SHA512

4ae829fc2976bade3f3f49144cf7d19d547c3a9936b32fcb4178cd557595d1b7dc9127c878c4502871b272dd6a75335d387accad73115c7a132c10c81143553a

Score

10^/10

qakbot obama139 1638350683 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama139

Campaign

1638350683

190.73.3.148:2222

39.49.13.81:995

105.198.236.99:995

136.143.11.232:443

2.222.167.138:443

197.89.11.160:443

117.248.109.38:21

174.20.72.123:443

140.82.49.12:443

78.180.170.159:995

103.142.10.177:443

120.150.218.241:995

91.178.126.51:995

81.250.153.227:2222

194.36.28.26:443

89.101.97.139:443

117.198.158.34:443

189.252.184.31:32101

38.70.253.226:2222

93.48.80.198:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1268	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
836	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\4fac1d59 = 7fcf6455002555dab7bc4d6ca1cc578ca3fabb309a9ab1d571d6494358a2f3cd31a0dcfd244c3e4ccdb155d1c2af2f901512dbea72be5dbf9c96cd3cdce5dd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\57aa2e1 = 5cf2f62f42bb34a5ed42050cc210fab7c56bbb8e92dc1dd31e915a97b4255967499f6c16c8478e07627da8704038591ee766b3c55e59c2ab1adc6bcd253605e5c273c181087b269c33	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\57aa2e1 = 5cf2e12f42bb01aead1de11a99b5a8a1cac4e9837bbcd6ad134e51559931797805e4ece1da4a306aa5a71c00b98deac81cef8e31	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\32a452d3 = 233c2d7662fb75edf1f02a5dc6ad1d1241c7255e69154dc6221e13de9e240ab9a765043329ab4f8f947d084a06ecbf5f65b15d1febff63db761a6a55696227d37b0b725042473d62d245aff19cef2b6e54b9664a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\8a1835b6 = 08f7b28205f036dc60b51e7c514238c56712ea41672c4264d895d1a894874a6d076802a8dbff4faf8936f08925254bc4d25b93c3b042cf7bdd9b56cb42cb3e1145acd8fea4bf4979c43c010ba54b825d9f431192cd9f3d032f49c7724ec30f6ebd5e93e15d353a173643fb77dd41d0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\885915ca = 95b69339ff3216f8f9fc03b49ba90093ec3fe6b63d0f5738feb0d6437ae1e33fc86da96fb1268026471b90dd5c516e1babd92ce7f4dc42d62c8a55	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\7a33cd17 = ce0dc31fac74557bd205b00665a036310a7c2210695d42db9cf131a5427fca2865378631df4162182a6896667d9bee69deaf94a0035d520d23	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\30e572af = 718de7a9390601479f1087941eea8a325fe144ffaf00cad833ccbc625fa92f933dfa2323993a380b457a7dd304c5146b3fe1f77ddf9b6e446bafb4bee654315824594b523811313954c3039ff98c054c158e0f34944ba36a36a74aa7eba9f2410532617306811fa38842b7d62976c278b51e464a1282b73d5379655106f30c7bc07faac216f9aac748bf9897b77e58f6a885bb5be6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Udrjueo\f7107a3c = 3f794ee0c377381d7d987ea6a83fca0ae3579d88c9ed1162e317ec7f37ce32d390817559fa3e67	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	rundll32.exe
1268	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
596	rundll32.exe
1268	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 1472 wrote to memory of 596	1472	rundll32.exe	28
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 596 wrote to memory of 1256	596	rundll32.exe	29
PID 1256 wrote to memory of 836	1256	explorer.exe	30
PID 1256 wrote to memory of 836	1256	explorer.exe	30
PID 1256 wrote to memory of 836	1256	explorer.exe	30
PID 1256 wrote to memory of 836	1256	explorer.exe	30
PID 1052 wrote to memory of 856	1052	taskeng.exe	33
PID 1052 wrote to memory of 856	1052	taskeng.exe	33
PID 1052 wrote to memory of 856	1052	taskeng.exe	33
PID 1052 wrote to memory of 856	1052	taskeng.exe	33
PID 1052 wrote to memory of 856	1052	taskeng.exe	33
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 856 wrote to memory of 1268	856	regsvr32.exe	34
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1268 wrote to memory of 1680	1268	regsvr32.exe	35
PID 1680 wrote to memory of 2016	1680	explorer.exe	36
PID 1680 wrote to memory of 2016	1680	explorer.exe	36
PID 1680 wrote to memory of 2016	1680	explorer.exe	36
PID 1680 wrote to memory of 2016	1680	explorer.exe	36
PID 1680 wrote to memory of 580	1680	explorer.exe	38
PID 1680 wrote to memory of 580	1680	explorer.exe	38
PID 1680 wrote to memory of 580	1680	explorer.exe	38
PID 1680 wrote to memory of 580	1680	explorer.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Volet2.ocx.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Volet2.ocx.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fsnqwju /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\Volet2.ocx.dll\"" /SC ONCE /Z /ST 16:09 /ET 16:21
      4⤵
      Creates scheduled task(s)
      PID:836

C:\Windows\system32\taskeng.exe
taskeng.exe {504273E8-9BF6-4C03-B9B3-9622AC98B538} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\Volet2.ocx.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\Volet2.ocx.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bhmmoyha" /d "0"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Gleuy" /d "0"
        5⤵
        
        PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-59-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/596-61-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/596-62-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/596-60-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/596-64-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/596-63-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/596-58-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/596-57-0x0000000000350000-0x000000000041F000-memory.dmp

Filesize
828KB

Download
memory/596-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/856-72-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1256-70-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1256-68-0x0000000074551000-0x0000000074553000-memory.dmp

Filesize
8KB

Download
memory/1256-65-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1268-80-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1268-78-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-79-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1268-77-0x00000000004E0000-0x00000000005AF000-memory.dmp

Filesize
828KB

Download
memory/1268-81-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1268-82-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1268-83-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/1680-90-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download