qakbot | c0e2338d900cbe9a460794c654a2647b3466cc11eb14791cf54c58c9a8c832ad

General

Target

Cancellation-1617961783$-May5.xlsb
Size

65KB
MD5

50b9d40af63502d875146f3534b3fdcd
SHA1

fd9310a452b43d05bb59b141f31dae7ca86a6c60
SHA256

21af29b0997577c1bb039c379e50372ad7df0b1d36a33bc8528489d24abb3858
SHA512

c18a245cfc03328a8af11ed09cf6b51ea99d292fd135cd81d569020fea8f4f2c42599476f6b9e6f8804ce22ea29f2b52d762c83ceb1deaf3730268adc6b38608

Score

10^/10

qakbot obama182 1651756499 banker evasion stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4600	4948	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	112	4948	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1220	4948	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1728	4948	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

116 regsvr32.exe
1332 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4588 schtasks.exe

pid	process
4588	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\d4cfff66 = 499929d92f5668a9d87b51ee0f388dde44ec34b24ae59a30483b0ed1e539d52eed0de48b9351cf2f64a793bac4d301c538646a07e9131e4ca0b13d8624c500d5d9a63d1be06802fad201435ffcc32a8505a835dfeeaa4fc1e1cc05b662dae71888d41ad27f02848dae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\a9c7b0ec = 79c1ed3195b1beb3fc96906238d349896395db141ea34b78fda03e39e31b37912792959417c9b7efda2771e448736758c30da0b70d2f78300f1c67ca2c5f0d43cce89358a4dca5a83ee63e9954695f8ee35980ae5ebb70defa0dc387b1811ef14037b7d5513006bf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\d68edf1a = 995c46e32246940565dff212ff13274485	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\5bad6831 = e75676f17a9f0172ca5ada7b1ed8c007d7033ed63e6c6d4fa34012c8cd2b32c5cf181008cde372d0acd558f017ccdf0486e107b16aa07dec77d2efd946a8e29d970859746017ce3a84bfd83b556db2be579f969e32ba7736f6b326f0f35550	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\6c739803 = 8616c3ec44c26b9a16615d06851696c00ed20965a07be7377965d0035016de97969ea5263acc609cc6e39657409a4e55874a114e39f4f3ca475bbd2ea98f323882fcde9b5d3e9451	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\117bd789 = 6c8d437d0f633fe8290d2564232d59f083e6cbcd56bf1823af0231fe290f4a11992ff80865e33a5b7d36f8cbfc30e88e42984067010b17cbae4284e4a77802d2b804f3c73e4a976121	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\24e407c7 = dba3e44e49c0952f606a570be95490da10e7c8a2f2cc46b86d4c5fc20d22652cba807cd248e019077154ceb2207fc0d95b957ac0f5415bac288322ad9825e716bfc6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\5bad6831 = e75661f17a9f342e59adeebff2f5ebf72105835fe7e6b644e1ea08da5093014d2a83df5743ddeecffce510e16238a42fbe6941b30b91c3438b0b2a29efee4eb8edd4aa56987322fcb4e6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fjlvtujrdpywzk\6e32b87f = 8fdcade71f42dd6987793e2d5148d1be1f64e20d809d49aadaf523f1d3a64dbd40920d2d6745518bae086e20adf66e2fd22e3fe6d0f3ab0320cc1c676352003303dbf44f9e4b4675a0f283472e410e32fe51d63afbee9c20de70a7361b1954e78936f797563361dcd33ff2027803a122fd8deef26d2e229db52791e82aa6603ec54f584d5753ab1278d412b00022917bd6c021a3233efe3c84267f63f8519e5b4b269b7f60c5aac7f7ec9db21e12fba8cf9d6f	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4948 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
116	regsvr32.exe
116	regsvr32.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe
1572	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

116 regsvr32.exe
1332 regsvr32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXE

pid	process
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE
4948	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4948 wrote to memory of 4600	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 4600	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 112	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 112	4948	EXCEL.EXE	regsvr32.exe
PID 112 wrote to memory of 116	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 116	112	regsvr32.exe	regsvr32.exe
PID 112 wrote to memory of 116	112	regsvr32.exe	regsvr32.exe
PID 116 wrote to memory of 1572	116	regsvr32.exe	explorer.exe
PID 116 wrote to memory of 1572	116	regsvr32.exe	explorer.exe
PID 116 wrote to memory of 1572	116	regsvr32.exe	explorer.exe
PID 116 wrote to memory of 1572	116	regsvr32.exe	explorer.exe
PID 116 wrote to memory of 1572	116	regsvr32.exe	explorer.exe
PID 4948 wrote to memory of 1220	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 1220	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 1728	4948	EXCEL.EXE	regsvr32.exe
PID 4948 wrote to memory of 1728	4948	EXCEL.EXE	regsvr32.exe
PID 1572 wrote to memory of 4588	1572	explorer.exe	schtasks.exe
PID 1572 wrote to memory of 4588	1572	explorer.exe	schtasks.exe
PID 1572 wrote to memory of 4588	1572	explorer.exe	schtasks.exe
PID 4076 wrote to memory of 1332	4076	regsvr32.exe	regsvr32.exe
PID 4076 wrote to memory of 1332	4076	regsvr32.exe	regsvr32.exe
PID 4076 wrote to memory of 1332	4076	regsvr32.exe	regsvr32.exe
PID 1332 wrote to memory of 968	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 968	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 968	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 968	1332	regsvr32.exe	explorer.exe
PID 1332 wrote to memory of 968	1332	regsvr32.exe	explorer.exe
PID 968 wrote to memory of 4160	968	explorer.exe	reg.exe
PID 968 wrote to memory of 4160	968	explorer.exe	reg.exe
PID 968 wrote to memory of 1180	968	explorer.exe	reg.exe
PID 968 wrote to memory of 1180	968	explorer.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cancellation-1617961783$-May5.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s calc
2⤵
- Process spawned unexpected child process
PID:4600

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonse.OOOCCCXXX
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\regsvr32.exe
C:\Merto\Byrost\Veonse.OOOCCCXXX
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sfmltkkjw /tr "regsvr32.exe -s \"C:\Merto\Byrost\Veonse.OOOCCCXXX\"" /SC ONCE /Z /ST 00:09 /ET 00:21
5⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonsea.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:1220

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonseb.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1384

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eyavomjpki" /d "0"
4⤵
PID:4160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tnpofi" /d "0"
4⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
b421410d6c08a39d6dd94dd4c6435b23

SHA1
e4bc64093485ebd412ce61d7d811c4a234867025

SHA256
b85c3695c3ab9d5b02cface05ecc9b45da33bb26d4186ea2c6e485689c5b8f99

SHA512
03b76fb7d72be88c0c843839383fdbe7a25535af026b1ee8797c1958255190aae3308e5a74359be7225964ec02139a0f66d715900590ccd8c1320d8187ea6e8d

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
b421410d6c08a39d6dd94dd4c6435b23

SHA1
e4bc64093485ebd412ce61d7d811c4a234867025

SHA256
b85c3695c3ab9d5b02cface05ecc9b45da33bb26d4186ea2c6e485689c5b8f99

SHA512
03b76fb7d72be88c0c843839383fdbe7a25535af026b1ee8797c1958255190aae3308e5a74359be7225964ec02139a0f66d715900590ccd8c1320d8187ea6e8d

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
b421410d6c08a39d6dd94dd4c6435b23

SHA1
e4bc64093485ebd412ce61d7d811c4a234867025

SHA256
b85c3695c3ab9d5b02cface05ecc9b45da33bb26d4186ea2c6e485689c5b8f99

SHA512
03b76fb7d72be88c0c843839383fdbe7a25535af026b1ee8797c1958255190aae3308e5a74359be7225964ec02139a0f66d715900590ccd8c1320d8187ea6e8d

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
b421410d6c08a39d6dd94dd4c6435b23

SHA1
e4bc64093485ebd412ce61d7d811c4a234867025

SHA256
b85c3695c3ab9d5b02cface05ecc9b45da33bb26d4186ea2c6e485689c5b8f99

SHA512
03b76fb7d72be88c0c843839383fdbe7a25535af026b1ee8797c1958255190aae3308e5a74359be7225964ec02139a0f66d715900590ccd8c1320d8187ea6e8d

Download Submit
memory/112-138-0x0000000000000000-mapping.dmp

Download
memory/116-142-0x0000000002DE0000-0x0000000002E02000-memory.dmp

Filesize
136KB

Download
memory/116-143-0x0000000002D90000-0x0000000002DB2000-memory.dmp

Filesize
136KB

Download
memory/116-140-0x0000000000000000-mapping.dmp

Download
memory/116-144-0x0000000002DE0000-0x0000000002E02000-memory.dmp

Filesize
136KB

Download
memory/968-156-0x0000000000000000-mapping.dmp

Download
memory/968-159-0x0000000001240000-0x0000000001262000-memory.dmp

Filesize
136KB

Download
memory/1180-158-0x0000000000000000-mapping.dmp

Download
memory/1220-146-0x0000000000000000-mapping.dmp

Download
memory/1332-151-0x0000000000000000-mapping.dmp

Download
memory/1332-153-0x0000000001950000-0x0000000001972000-memory.dmp

Filesize
136KB

Download
memory/1332-155-0x0000000001950000-0x0000000001972000-memory.dmp

Filesize
136KB

Download
memory/1332-154-0x0000000001900000-0x0000000001922000-memory.dmp

Filesize
136KB

Download
memory/1572-145-0x0000000000000000-mapping.dmp

Download
memory/1572-149-0x0000000001240000-0x0000000001262000-memory.dmp

Filesize
136KB

Download
memory/1728-147-0x0000000000000000-mapping.dmp

Download
memory/4160-157-0x0000000000000000-mapping.dmp

Download
memory/4588-148-0x0000000000000000-mapping.dmp

Download
memory/4600-137-0x0000000000000000-mapping.dmp

Download
memory/4948-134-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/4948-130-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/4948-135-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmp

Filesize
64KB

Download
memory/4948-133-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/4948-136-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmp

Filesize
64KB

Download
memory/4948-132-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download
memory/4948-131-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads