qakbot | 863c95381f044af0f3c8a012cb8de00f0ef51e078602a880e1945e76fc869c4a

Analysis

max time kernel
161s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
Size

469KB
MD5

1494919946474545be95298955974403
SHA1

4eb68f8e0efa346aa8cd1976554a26f787537f41
SHA256

6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2
SHA512

912cdb166f92a447d61d94420bfad02776ad22babb390da1f4e72cb2a523e8e3ed5b2b6dc063d73ad6dd22d0704f2f9022355698a2fd93734a62ab61de770247

Score

10^/10

qakbot obama147 1639647898 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.10

Botnet

obama147

Campaign

1639647898

136.143.11.232:443

120.150.218.241:995

218.101.110.3:995

93.48.58.123:2222

190.73.3.148:2222

186.64.87.213:443

65.100.174.110:443

24.95.61.62:443

41.228.22.180:443

86.97.9.219:443

103.142.10.177:443

140.82.49.12:443

24.152.219.253:995

117.248.109.38:21

136.232.34.70:443

93.48.80.198:995

173.21.10.71:2222

78.180.163.25:995

194.36.28.26:443

45.9.20.200:2211

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

3564 regsvr32.exe
3564 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3668 schtasks.exe

pid	process
3564	regsvr32.exe
3564	regsvr32.exe

pid	process
3668	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\12e29004 = 48a6e59a5d2f94dd8662103c9358dfdbd4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\e08848d9 = e6d6fb2c9c367da179416af43e2b09529228e2c46a386783f17c0188d9af0a2741d2c493f00af109d2ae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\9fc1272f = ff8f7f6bbcb4698ca36b2b69113de3b20aa7487d0d2f82b4b79b8e8316fdaa151a43416004c7aa872fb83539a832083e9bef757c04eb3337cb6667aefe7f4a26e4b6	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\9fc1272f = ff8f686bbcb45cd905dd318021658919972a797011dbaa0527cdc81a07eeb2edd0cfe883c24b06b446c5568bef	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\aa5ef761 = 0c96cceffe65de320aff78a193325b6dd548dc1a8c86ec14153c56c2632b0c0269539a2f063ff0433c3ce579e63625702f72463aa9bbdc203be794d530825fcd0717364c51653c90072919b2ea4e7a471594cd59a851a322496e709c0ac23310183df22b695ba5eb6ab574c44d852792027ee6ff84aa1567916b0b9c74779354f6641ef5f3e7f45ed0d4b1f6561d9d0251535e32fd4fc3b87c43884c079ee41f04431ab563cf8fb143455b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\a81fd71d = 121d715c9189cc53f8442b0df918fb7f0946ccf001e99e5bc00fa5540b0308b40e155614f39fa1a35bb1741f0536014cb66f38828c1f50d87aa45837fa	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\10a3b078 = aad530f38d3e73dc5ede9511b9809becb878a16264a8e32caa0b1ace5a3424f0a0e6ceaf0fe07933a0837bbb60a535c104b83d520b1873df48a9c9c791	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\6dabfff2 = 5198a3d347354e4c3aeebba05cf10137efc0211c9173c5c8c8348ca6c9ead1b6102adf6299af18d7792b4295cf4431a967bed9bbe3847e9e5421443ae6957b3e31d574a2951f8edcab090485542e75963b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tahejdfvaariee\d5179897 = 5cd3b7106e9de9588e120d5cf282174ef3b67ebc7d9583088686a688219ccc9f1546d80aecf9ace576083f1094a2d33f51c396a285a1bc93e04e0b8fd076805d57cd65bf6a68c4d36c05ac8ba5ade41595e8a455a7190895ebd055b5a7e7	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	process
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
4100	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4100 regsvr32.exe
3564 regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2792 wrote to memory of 4100	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 4100	2792	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 4100	2792	regsvr32.exe	regsvr32.exe
PID 4100 wrote to memory of 752	4100	regsvr32.exe	explorer.exe
PID 4100 wrote to memory of 752	4100	regsvr32.exe	explorer.exe
PID 4100 wrote to memory of 752	4100	regsvr32.exe	explorer.exe
PID 4100 wrote to memory of 752	4100	regsvr32.exe	explorer.exe
PID 4100 wrote to memory of 752	4100	regsvr32.exe	explorer.exe
PID 752 wrote to memory of 3668	752	explorer.exe	schtasks.exe
PID 752 wrote to memory of 3668	752	explorer.exe	schtasks.exe
PID 752 wrote to memory of 3668	752	explorer.exe	schtasks.exe
PID 3720 wrote to memory of 3564	3720	regsvr32.exe	regsvr32.exe
PID 3720 wrote to memory of 3564	3720	regsvr32.exe	regsvr32.exe
PID 3720 wrote to memory of 3564	3720	regsvr32.exe	regsvr32.exe
PID 3564 wrote to memory of 3068	3564	regsvr32.exe	explorer.exe
PID 3564 wrote to memory of 3068	3564	regsvr32.exe	explorer.exe
PID 3564 wrote to memory of 3068	3564	regsvr32.exe	explorer.exe
PID 3564 wrote to memory of 3068	3564	regsvr32.exe	explorer.exe
PID 3564 wrote to memory of 3068	3564	regsvr32.exe	explorer.exe
PID 3068 wrote to memory of 5084	3068	explorer.exe	reg.exe
PID 3068 wrote to memory of 5084	3068	explorer.exe	reg.exe
PID 3068 wrote to memory of 4032	3068	explorer.exe	reg.exe
PID 3068 wrote to memory of 4032	3068	explorer.exe	reg.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vbrbiqe /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll\"" /SC ONCE /Z /ST 12:25 /ET 12:37
4⤵
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eajqhey" /d "0"
4⤵
PID:5084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Umdhib" /d "0"
4⤵
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
MD5
1494919946474545be95298955974403

SHA1
4eb68f8e0efa346aa8cd1976554a26f787537f41

SHA256
6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2

SHA512
912cdb166f92a447d61d94420bfad02776ad22babb390da1f4e72cb2a523e8e3ed5b2b6dc063d73ad6dd22d0704f2f9022355698a2fd93734a62ab61de770247

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
MD5
1494919946474545be95298955974403

SHA1
4eb68f8e0efa346aa8cd1976554a26f787537f41

SHA256
6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2

SHA512
912cdb166f92a447d61d94420bfad02776ad22babb390da1f4e72cb2a523e8e3ed5b2b6dc063d73ad6dd22d0704f2f9022355698a2fd93734a62ab61de770247

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2.dll
MD5
1494919946474545be95298955974403

SHA1
4eb68f8e0efa346aa8cd1976554a26f787537f41

SHA256
6ce8fbedc5fd65785ce950cd2c6e670f89c6f3e9cdd41d6abcf86b61eee911f2

SHA512
912cdb166f92a447d61d94420bfad02776ad22babb390da1f4e72cb2a523e8e3ed5b2b6dc063d73ad6dd22d0704f2f9022355698a2fd93734a62ab61de770247

Download Submit
memory/752-138-0x00000000014D0000-0x00000000014F1000-memory.dmp

Filesize
132KB

Download
memory/3068-148-0x0000000000750000-0x0000000000771000-memory.dmp

Filesize
132KB

Download
memory/3564-144-0x0000000000E10000-0x0000000000E8B000-memory.dmp

Filesize
492KB

Download
memory/3564-142-0x0000000000B80000-0x0000000000BF8000-memory.dmp

Filesize
480KB

Download
memory/3564-146-0x0000000000E90000-0x0000000001033000-memory.dmp

Filesize
1.6MB

Download
memory/3564-145-0x0000000077CE0000-0x0000000077E83000-memory.dmp

Filesize
1.6MB

Download
memory/3564-147-0x0000000000B80000-0x0000000000BF8000-memory.dmp

Filesize
480KB

Download
memory/4100-137-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4100-136-0x0000000002520000-0x00000000026C3000-memory.dmp

Filesize
1.6MB

Download
memory/4100-134-0x0000000002440000-0x00000000024BB000-memory.dmp

Filesize
492KB

Download
memory/4100-135-0x0000000077CE0000-0x0000000077E83000-memory.dmp

Filesize
1.6MB

Download