qakbot | ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b

General

Target

ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll
Size

1.6MB
MD5

6317f9ae495c49ab7b5e5b501a5639ef
SHA1

2d49c0f32a441d09ddee7c3b2b019ae8904ea1e7
SHA256

ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b
SHA512

bd9c6df8b2d91959580c6227a990882625c029528c0e53a600de8f6cc970e95fbb26108f3ae7f1bc8ef18d2b4b429490ec4ae5f6935e47c6c44dbf06c21be4f1

Score

10^/10

qakbot obama152 1643019304 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama152

Campaign

1643019304

C2

96.80.109.57:995

209.210.95.228:32100

180.233.150.134:995

149.135.101.20:443

38.70.253.226:2222

24.222.20.254:443

83.110.2.97:443

78.87.44.54:995

86.108.46.251:443

74.15.2.252:2222

102.65.38.67:443

37.203.225.248:443

75.139.7.190:2083

24.53.49.240:443

80.14.196.176:2222

94.60.254.81:443

86.98.32.228:443

130.164.129.3:443

176.67.56.94:443

31.167.160.170:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4832 1924 WerFault.exe rundll32.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2216 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

3304 ipconfig.exe
3896 netstat.exe

pid	pid_target	process	target process
4832	1924	WerFault.exe	rundll32.exe

pid	process
2216	net.exe

pid	process
3304	ipconfig.exe
3896	netstat.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

msfeedssync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	msfeedssync.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	msfeedssync.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites	msfeedssync.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites\DeletePending = "0"	msfeedssync.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Suggested Sites\UploadDiagInfo = 02000000000000000000000000000000000000000000000000000000000000001d040000b9abb6c6a1eed70104000000b9abb6c6a1eed701b9abb6c6a1eed7016801000068010000000301	msfeedssync.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188005E450309F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rundll32.exeWerFault.exeexplorer.exe

pid	process
1924	rundll32.exe
1924	rundll32.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4832	WerFault.exe
4732	explorer.exe
4732	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1924 rundll32.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

WerFault.exewhoami.exenetstat.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	4832	WerFault.exe
Token: SeBackupPrivilege	4832	WerFault.exe
Token: SeDebugPrivilege	4832	WerFault.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	4456	whoami.exe
Token: SeDebugPrivilege	3896	netstat.exe
Token: SeSecurityPrivilege	2764	msiexec.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exenet.exenet.exe

description	pid	process	target process
PID 3160 wrote to memory of 1924	3160	rundll32.exe	rundll32.exe
PID 3160 wrote to memory of 1924	3160	rundll32.exe	rundll32.exe
PID 3160 wrote to memory of 1924	3160	rundll32.exe	rundll32.exe
PID 1924 wrote to memory of 4732	1924	rundll32.exe	explorer.exe
PID 1924 wrote to memory of 4732	1924	rundll32.exe	explorer.exe
PID 1924 wrote to memory of 4732	1924	rundll32.exe	explorer.exe
PID 1924 wrote to memory of 4732	1924	rundll32.exe	explorer.exe
PID 1924 wrote to memory of 4732	1924	rundll32.exe	explorer.exe
PID 4732 wrote to memory of 4456	4732	explorer.exe	whoami.exe
PID 4732 wrote to memory of 4456	4732	explorer.exe	whoami.exe
PID 4732 wrote to memory of 4456	4732	explorer.exe	whoami.exe
PID 4732 wrote to memory of 3664	4732	explorer.exe	cmd.exe
PID 4732 wrote to memory of 3664	4732	explorer.exe	cmd.exe
PID 4732 wrote to memory of 3664	4732	explorer.exe	cmd.exe
PID 4732 wrote to memory of 3416	4732	explorer.exe	arp.exe
PID 4732 wrote to memory of 3416	4732	explorer.exe	arp.exe
PID 4732 wrote to memory of 3416	4732	explorer.exe	arp.exe
PID 4732 wrote to memory of 3304	4732	explorer.exe	ipconfig.exe
PID 4732 wrote to memory of 3304	4732	explorer.exe	ipconfig.exe
PID 4732 wrote to memory of 3304	4732	explorer.exe	ipconfig.exe
PID 4732 wrote to memory of 2216	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 2216	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 2216	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 3944	4732	explorer.exe	nslookup.exe
PID 4732 wrote to memory of 3944	4732	explorer.exe	nslookup.exe
PID 4732 wrote to memory of 3944	4732	explorer.exe	nslookup.exe
PID 4732 wrote to memory of 4644	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 4644	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 4644	4732	explorer.exe	net.exe
PID 4644 wrote to memory of 980	4644	net.exe	net1.exe
PID 4644 wrote to memory of 980	4644	net.exe	net1.exe
PID 4644 wrote to memory of 980	4644	net.exe	net1.exe
PID 4732 wrote to memory of 4480	4732	explorer.exe	route.exe
PID 4732 wrote to memory of 4480	4732	explorer.exe	route.exe
PID 4732 wrote to memory of 4480	4732	explorer.exe	route.exe
PID 4732 wrote to memory of 3896	4732	explorer.exe	netstat.exe
PID 4732 wrote to memory of 3896	4732	explorer.exe	netstat.exe
PID 4732 wrote to memory of 3896	4732	explorer.exe	netstat.exe
PID 4732 wrote to memory of 1496	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 1496	4732	explorer.exe	net.exe
PID 4732 wrote to memory of 1496	4732	explorer.exe	net.exe
PID 1496 wrote to memory of 2116	1496	net.exe	net1.exe
PID 1496 wrote to memory of 2116	1496	net.exe	net1.exe
PID 1496 wrote to memory of 2116	1496	net.exe	net1.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba7e9131dd5aa9f2e7e0050c688d2830787dd01e8d58aef364a878b61156b35b.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 696
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\whoami.exe
whoami /all
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\cmd.exe
cmd /c set
4⤵
PID:3664

C:\Windows\SysWOW64\arp.exe
arp -a
4⤵
PID:3416

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3304

C:\Windows\SysWOW64\net.exe
net view /all
4⤵
- Discovers systems in the same network
PID:2216

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
4⤵
PID:3944

C:\Windows\SysWOW64\net.exe
net share
4⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:980

C:\Windows\SysWOW64\route.exe
route print
4⤵
PID:4480

C:\Windows\SysWOW64\netstat.exe
netstat -nao
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\SysWOW64\net.exe
net localgroup
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:1240

C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\msfeedssync.exe sync
1⤵
- Modifies Internet Explorer settings
PID:4860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-118-0x0000000004950000-0x0000000004971000-memory.dmp

Filesize
132KB

Download
memory/1924-119-0x0000000004950000-0x0000000004971000-memory.dmp

Filesize
132KB

Download
memory/1924-120-0x0000000004900000-0x0000000004943000-memory.dmp

Filesize
268KB

Download
memory/1924-121-0x0000000004950000-0x0000000004971000-memory.dmp

Filesize
132KB

Download
memory/4732-122-0x0000000000E30000-0x0000000000E51000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads