qakbot | 863c95381f044af0f3c8a012cb8de00f0ef51e078602a880e1945e76fc869c4a

Analysis

max time kernel
4294194s
max time network
126s
platform
windows7_x64
resource
win7-20220311-en
submitted
14-03-2022 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll
Size

276KB
MD5

92ed637108b0bbfbb8434207447183bc
SHA1

1b529f3422024ce6b431435f5d37b88393ff9f02
SHA256

58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914
SHA512

25cf828fd0818bbabf06738cc32aabca798d430eabfe659cfa0bf62ac1d9e980af64885d432a3af3fe62838b55187980534a048789a522ce092f84fbde993d1b

Score

10^/10

qakbot obama127 1636711808 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama127

Campaign

1636711808

136.232.34.70:443

181.118.183.31:443

72.252.147.208:465

94.200.181.154:443

71.13.93.154:2083

96.21.251.127:2222

182.176.180.73:443

88.234.20.155:995

41.228.22.180:443

89.137.52.44:443

102.65.38.57:443

94.196.209.83:995

207.246.112.221:995

207.246.112.221:443

39.49.116.108:995

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.71.31:995

216.238.72.121:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

796 regsvr32.exe

pid	process
796	regsvr32.exe

Drops file in System32 directory 21 IoCs

Processes:

regsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sdiGfuHDJ\8XDnS2\3YbrtkFc0Q\iyR	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\BFHudU\T6AUG2kMXWB\fPLvA8YJ0f	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\anwBjeKj\OD1OUg0yc	regsvr32.exe
File created	C:\Windows\SysWOW64\kBJvNX3uGa\7xkC1aLmJ4\Trb\BfoY5	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\am\v1naycqAd	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\462pF9E\ZlfPcyTQq	regsvr32.exe
File created	C:\Windows\SysWOW64\J0OJOAp\qG0XKb\a5Wn5fI	regsvr32.exe
File created	C:\Windows\SysWOW64\3d\pLbDvlaH\Ll5vgZiR	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\tgrT\Or3	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\mkFpM\4CSzvAQzMlj	regsvr32.exe
File created	C:\Windows\SysWOW64\Cb\eyFrmsaUMc3\QO\m80oim	regsvr32.exe
File created	C:\Windows\SysWOW64\TNUq8Cq5UI\1zfm\GAEc7\FX415vUkEk	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\pEDGYin\s7g64m	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\X0MQ5n6vH8A\C3Eil\XKwgHjkB\uOvzDQL5	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\IMO\6m0tTEjT9\kj4D0	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\NXKG\Ug5	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\HV33mP0a2J\mdHPqT6G	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\VO\mYKCri	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\yG31feCkrs\Yzf0jlmB\I9pwaim2C8J\YjAFUS	regsvr32.exe
File created	C:\Windows\SysWOW64\A6kc5VDz\l45rVhrFwb\AW5VEBOZGoC\XE	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\ci\jZiznap\Cfnc	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1508 schtasks.exe

pid	process
1508	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\4e571582 = 7198867e044ec9545da038a7b6b4de8ba623b4a9c8d50edbdc1a03beb363be441d3203399a02	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\bc3dcd5f = dbbe4fddc19a68a6160e0229818e75a832208ed0fb6a3113833af366b37a38298d5f96bd9c466f35b74b1d3c810c622ae38d6a756e92219315e4172b80688a1fe95d161c3cfa509bfbba2f9274abe56167b5df0267	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\4e571582 = 7198917e044efc1549a753693ea146117475d847d2c6959d92e1cb013f68b986a1142cf0844a7bf8a24bcbe7933a815d4cdd9d753540dbc44200de	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\c374a2a9 = 78c2b34e724db09e419ab7cb37c123d88699a9438bd1301d32fb6cf392edbcd7f465b1c3ce718de07c19ded6bdb80bb95180474d706a56727c424baf72cdaccdc198d4a90bae11c9a376302b3b1dfd0d9abce315f885fba47b75b161155996	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\311e7a74 = 94505c6df79c721c96a7bc1f8d4984d2ac	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\7bc8c5cc = 2fbba15e5a7a9d81e3227a2cc80e36c374f10e3738c19d844ff6b950ccbdbd4178da4c71861eb99b675167d35823c20f6a2c2a014e503423b797313f32ff33bc64190cd7b897d3aa3bc729bb9b22c0058a9defddaedac2bee345877744e3aa488a57a8c0720e863de2beef3b97	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\7989e5b0 = 63e27162b2cca27eccb88bcb2a5b80aefa7abfa833cbc136c920c04fca910f3e261b90ad53a77b6ddd3518e4acc67882d2a5ed1283fc2da779a1ceccd8be96edf562742e4214ba1364f7fc443cc3f0f01fc4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\c13582d5 = b3d3e172dcbc482a385e3eb97a68b9508e9e99e5433389ce72275866e0ba9d31002a2413808cef6f317e3d74f1f8414f80f5d39cb7687fbeb9aebff0824a2c3dec47599a2a8c0d87522e588734f1b3a5d56b13063be1ba1efb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oorrbrzvuztu\481aa3a = 5e8e028c920c5c8a34e1f11c74e780ec46860144cdcaeda666b65ffcdcc871420ee9bbd7	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1824 rundll32.exe
796 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1824 rundll32.exe
796 regsvr32.exe

pid	process
1824	rundll32.exe
796	regsvr32.exe

pid	process
1824	rundll32.exe
796	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1824	1108	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 1824 wrote to memory of 468	1824	rundll32.exe	explorer.exe
PID 468 wrote to memory of 1508	468	explorer.exe	schtasks.exe
PID 468 wrote to memory of 1508	468	explorer.exe	schtasks.exe
PID 468 wrote to memory of 1508	468	explorer.exe	schtasks.exe
PID 468 wrote to memory of 1508	468	explorer.exe	schtasks.exe
PID 828 wrote to memory of 808	828	taskeng.exe	regsvr32.exe
PID 828 wrote to memory of 808	828	taskeng.exe	regsvr32.exe
PID 828 wrote to memory of 808	828	taskeng.exe	regsvr32.exe
PID 828 wrote to memory of 808	828	taskeng.exe	regsvr32.exe
PID 828 wrote to memory of 808	828	taskeng.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 796	808	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 796 wrote to memory of 992	796	regsvr32.exe	explorer.exe
PID 992 wrote to memory of 300	992	explorer.exe	reg.exe
PID 992 wrote to memory of 300	992	explorer.exe	reg.exe
PID 992 wrote to memory of 300	992	explorer.exe	reg.exe
PID 992 wrote to memory of 300	992	explorer.exe	reg.exe
PID 992 wrote to memory of 1748	992	explorer.exe	reg.exe
PID 992 wrote to memory of 1748	992	explorer.exe	reg.exe
PID 992 wrote to memory of 1748	992	explorer.exe	reg.exe
PID 992 wrote to memory of 1748	992	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jvwjamiqix /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll\"" /SC ONCE /Z /ST 11:24 /ET 11:36
4⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\taskeng.exe
taskeng.exe {DC7835EF-E09C-4E48-A540-FD1B362F1DDB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zyajvgao" /d "0"
5⤵
PID:300

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Omireeoyr" /d "0"
5⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll
MD5
92ed637108b0bbfbb8434207447183bc

SHA1
1b529f3422024ce6b431435f5d37b88393ff9f02

SHA256
58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914

SHA512
25cf828fd0818bbabf06738cc32aabca798d430eabfe659cfa0bf62ac1d9e980af64885d432a3af3fe62838b55187980534a048789a522ce092f84fbde993d1b

Download Submit
\Users\Admin\AppData\Local\Temp\58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914.dll
MD5
92ed637108b0bbfbb8434207447183bc

SHA1
1b529f3422024ce6b431435f5d37b88393ff9f02

SHA256
58878537dcf0d621aeffb66a32a40c52fa8588c832d631b988e59673bede9914

SHA512
25cf828fd0818bbabf06738cc32aabca798d430eabfe659cfa0bf62ac1d9e980af64885d432a3af3fe62838b55187980534a048789a522ce092f84fbde993d1b

Download Submit
memory/468-57-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/468-60-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/468-61-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/796-67-0x00000000744B0000-0x00000000744FA000-memory.dmp

Filesize
296KB

Download
memory/796-66-0x0000000000D70000-0x0000000000D91000-memory.dmp

Filesize
132KB

Download
memory/808-62-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/992-72-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1824-54-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1824-55-0x00000000001D0000-0x00000000001F1000-memory.dmp

Filesize
132KB

Download
memory/1824-56-0x00000000744D0000-0x000000007451A000-memory.dmp

Filesize
296KB

Download