qakbot | a3d156a136a025ec465e1afd298990dd3ab6eb14b97613ba55e4a33e49704a6d

General

Target

ApplicationReject-1892714497.xlsb
Size

1.1MB
MD5

c794fd47792d403b39b380bcb2cf3e73
SHA1

b930706641ef2bf78fd5d86e1b014efb24398258
SHA256

3bd06b8d943a32fc42410049648d349bfb959cbe7d7ecda94da24d92f69292b0
SHA512

7a912d258b28080c8d7c0ce8598e5c312c1c1b845045ac38aa1f76ce6620bdea927b64a98a6b9aef75d7149ea9ec806efd4779f64980dacc08beef647e1ae544

Score

10^/10

qakbot obama180 1650959141 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

obama180

Campaign

1650959141

C2

2.50.4.57:443

85.246.82.244:443

121.7.223.59:2222

197.161.137.67:993

38.70.253.226:2222

47.23.89.62:993

172.114.160.81:443

75.99.168.194:443

82.152.39.39:443

108.60.213.141:443

148.64.96.100:443

167.86.191.84:443

187.207.47.198:61202

103.107.113.120:443

203.122.46.130:443

106.51.48.170:50001

47.23.89.62:995

140.82.49.12:443

102.65.38.74:443

103.246.242.202:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Regsvr32.exeRegsvr32.exeRegsvr32.exeRegsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1568	1948	Regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1656	1948	Regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	684	1948	Regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	852	1948	Regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Downloads MZ/PE file

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ApplicationReject-1892714497.xlsb
1⤵
- Modifies Internet Explorer settings
PID:1948

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32 /s calc
2⤵
- Process spawned unexpected child process
PID:1568

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32 C:\Rujiky\Ubada\Vertua.ooccxx
2⤵
- Process spawned unexpected child process
PID:1656

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32 C:\Rujiky\Ubada\Vertub.ooccxx
2⤵
- Process spawned unexpected child process
PID:684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1380

C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32 C:\Rujiky\Ubada\Vertu.ooccxx
2⤵
- Process spawned unexpected child process
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Rujiky\Ubada\Vertub.ooccxx
Filesize
962KB

MD5
e6272be3bd2adad70667461fe40e4850

SHA1
26cc1e20c2cf9241c47e4ec7af27ea19af0ec386

SHA256
60e51e35460c48b66e13bce4991e7ac1400406514bc752aadded0f6bc91806c5

SHA512
1a18de08fb9f27465d2cfa47ae30446c11997178e961187e129ee89466b76164a9e02c9abfc2f0f18cc3e82613fdbd3a63fc85168b572ff1869c354a42705056

Download Submit
\Rujiky\Ubada\Vertub.ooccxx
Filesize
962KB

MD5
e6272be3bd2adad70667461fe40e4850

SHA1
26cc1e20c2cf9241c47e4ec7af27ea19af0ec386

SHA256
60e51e35460c48b66e13bce4991e7ac1400406514bc752aadded0f6bc91806c5

SHA512
1a18de08fb9f27465d2cfa47ae30446c11997178e961187e129ee89466b76164a9e02c9abfc2f0f18cc3e82613fdbd3a63fc85168b572ff1869c354a42705056

Download Submit
memory/684-69-0x0000000010000000-0x000000001008F000-memory.dmp

Filesize
572KB

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/852-61-0x0000000000000000-mapping.dmp

Download
memory/1380-75-0x0000000000000000-mapping.dmp

Download
memory/1380-77-0x000000006C441000-0x000000006C443000-memory.dmp

Filesize
8KB

Download
memory/1380-78-0x0000000000080000-0x000000000010F000-memory.dmp

Filesize
572KB

Download
memory/1568-59-0x0000000000000000-mapping.dmp

Download
memory/1656-63-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x000000002F731000-0x000000002F734000-memory.dmp

Filesize
12KB

Download
memory/1948-58-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1948-57-0x000000007252D000-0x0000000072538000-memory.dmp

Filesize
44KB

Download
memory/1948-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1948-55-0x0000000071541000-0x0000000071543000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing