qakbot | d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d

General

Target

d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll
Size

1.6MB
MD5

9e07c7734ebe26f50037757a577a9cfc
SHA1

6ecf7db4b483922559ce0f7000cf47e46b0a97e8
SHA256

d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d
SHA512

8d881a7d82f6e9c8de009ac4aeb5dd2480f49ff999f8a3f34dc6ac92ac279e247e0d1a22b6c6769a03f5db6758db1cb7cbaaf0ee6cbbaf65ddc6f56acbf399d6

Score

10^/10

qakbot obama152 1643038242 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

obama152

Campaign

1643038242

C2

67.209.195.198:443

75.156.151.34:443

89.101.97.139:443

23.229.117.237:443

45.9.20.200:443

70.45.174.173:443

140.82.49.12:443

86.98.47.119:61200

96.246.158.154:995

185.249.85.209:443

89.114.156.182:995

92.99.167.144:2078

136.143.11.232:443

190.73.3.148:2222

78.101.147.76:61202

37.210.172.200:2222

82.152.39.39:443

70.51.153.245:2222

103.143.8.71:6881

39.49.110.129:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

868 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

pid	process
868	regsvr32.exe

pid	process
1652	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\6bd96740 = bdcdf63626ec5323fb2e6b14d97c8ae1905241dcb100c7c0187496451426698c708bc887757f2dee7121eace4e30d559cdc07f5b7045a1f0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\5e46b70e = 3ae144585e3e83d05d578815d019a8e051fc6e746ab42c2612523d53e7dfc99ecd324352db795a3e8727bcfb3fcbad43ca8346815f76b907fa60b93f957902ab6eee8485acda48a78109d992df282c655d4e0a7ffbbb2dcec07cf646d6388961eb8f44bad9d864c176d5fd34	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\5c079772 = 7e16d1fb1a24f248388e2be10817790483245bd89312cf894f8cc00ac3f6c1fb101192ce98b74b1317b3ce8f593ee1db82ed6285be2136431f4bb4dcc2bb5c212ee8daac03d28a2e515561f7b094abf6af692dd9c1137d91f11ea726ea8082dd23e5b805c9c08a8491ff	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\210fd8f8 = 7eff23010fc6fa6b1838065d6e097bd5480d7116bde0e27f0831	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\e6fad06b = 0b64a274b15c98bb1316fd9657e248b4b451c4f49e65e8771d40b940a538	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\6bd96740 = bdcde13626ec6628d006f876561e3b067749be28ed54a931bf2aa5eea16e615267b99c864624155cb6021ab0e9a085137be0994b87deffbfea299a88228e649bdf9ba28e0c87d9f4845778cf92	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\e4bbf017 = a88e36a0c4eda3e7b283ebc90c6d94aa569cd8d3e8ef4c57fbe69b6d8b54923a8deb72b7a5526b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\99b3bf9d = d1081ece0bda4fca9750e533c8058fe374574074eb4be4b125fcba3fb3b2892cae61aec2e791e0588604798f8eecb7b0afbbf96444c2c0889f06a94134fc9167719079f68931caa32ae94848483c5a1136b7c686107a1039857ef44a389ed7bd8a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ulraiij\149008b6 = 28c246b88e26d57439d68f2ec0b2fd509cb8ffb53d45	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1732 rundll32.exe
868 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1732 rundll32.exe
868 regsvr32.exe

pid	process
1732	rundll32.exe
868	regsvr32.exe

pid	process
1732	rundll32.exe
868	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1732	1492	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 1732 wrote to memory of 552	1732	rundll32.exe	explorer.exe
PID 552 wrote to memory of 1652	552	explorer.exe	schtasks.exe
PID 552 wrote to memory of 1652	552	explorer.exe	schtasks.exe
PID 552 wrote to memory of 1652	552	explorer.exe	schtasks.exe
PID 552 wrote to memory of 1652	552	explorer.exe	schtasks.exe
PID 620 wrote to memory of 1000	620	taskeng.exe	regsvr32.exe
PID 620 wrote to memory of 1000	620	taskeng.exe	regsvr32.exe
PID 620 wrote to memory of 1000	620	taskeng.exe	regsvr32.exe
PID 620 wrote to memory of 1000	620	taskeng.exe	regsvr32.exe
PID 620 wrote to memory of 1000	620	taskeng.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 868	1000	regsvr32.exe	regsvr32.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1784	868	regsvr32.exe	explorer.exe
PID 1784 wrote to memory of 1252	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1252	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1252	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1252	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1836	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1836	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1836	1784	explorer.exe	reg.exe
PID 1784 wrote to memory of 1836	1784	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hglufriqw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll\"" /SC ONCE /Z /ST 17:05 /ET 17:17
4⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {0C565F0A-3453-468E-B317-BF1C0A31BCCA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Wodmqh" /d "0"
5⤵
PID:1252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ilyaipewav" /d "0"
5⤵
PID:1836

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll
MD5
9e07c7734ebe26f50037757a577a9cfc

SHA1
6ecf7db4b483922559ce0f7000cf47e46b0a97e8

SHA256
d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d

SHA512
8d881a7d82f6e9c8de009ac4aeb5dd2480f49ff999f8a3f34dc6ac92ac279e247e0d1a22b6c6769a03f5db6758db1cb7cbaaf0ee6cbbaf65ddc6f56acbf399d6

Download Submit
\Users\Admin\AppData\Local\Temp\d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d.dll
MD5
9e07c7734ebe26f50037757a577a9cfc

SHA1
6ecf7db4b483922559ce0f7000cf47e46b0a97e8

SHA256
d7db78c9d345372e746a3f0769532c71d9596d084f77fc75d3c992fdd528a49d

SHA512
8d881a7d82f6e9c8de009ac4aeb5dd2480f49ff999f8a3f34dc6ac92ac279e247e0d1a22b6c6769a03f5db6758db1cb7cbaaf0ee6cbbaf65ddc6f56acbf399d6

Download Submit
memory/552-63-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/552-66-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/552-65-0x0000000075031000-0x0000000075033000-memory.dmp

Filesize
8KB

Download
memory/868-73-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/868-71-0x00000000009D0000-0x0000000000B78000-memory.dmp

Filesize
1.7MB

Download
memory/868-79-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/868-74-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/868-75-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/868-72-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1000-67-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/1732-58-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1732-56-0x0000000001E70000-0x0000000002018000-memory.dmp

Filesize
1.7MB

Download
memory/1732-61-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/1732-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1732-57-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1732-60-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1732-59-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1732-62-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/1784-80-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads