qakbot | 08713b548ad4cd818ac03227d1b5fd453e7af13313feeac7e4e564ff125e3efe

General

Target

Cancellation-1070520191$-May5.xlsb
Size

65KB
MD5

34fee3c22bb8083223fd247fcdd37105
SHA1

a7d976dd7e40e5d96195cc0d596e6853f1c5fca9
SHA256

cf466f71763ed24dfdb8504a79c0866cf9f13ff57a3aeee2f726bc9242b50525
SHA512

defa15e90117fbb2d86a53ba645630d62cf6f387360eddae51f19ec89c1038d71a1b2c574446e2c6a21f50009d7dd81633dc88d0a000134b3bf3952a3430edfa

Score

10^/10

qakbot obama182 1651756499 banker evasion stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4916	4844	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	212	4844	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4136	4844	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3840	4844	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4564 regsvr32.exe
2972 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3284 schtasks.exe

pid	process
3284	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\a565311f = 1a47ce36bc2bdd6ebaf3d6c81e48b7546246cceb9b1e77d896eb826a20f7baeabec251241644f5408f9ad648561473f65cceddb3bb46c70fed61282cdc881cba1a7816c174ac3483f08d0702564ab3775d9016bac79857c2d4a536cd1975ceda06fa2ebd80bb7bdc6a5eb1cd846745fd9cbfe0f417cf7c9fca61a31438fd721180633174f74e1012b6b65bcf26b1366074d88907736ef44a6a07fcb8158b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\a7241163 = ead7a2161da8bebc9f8bfe1dcac98084e5be32c58daffbd1a3fc80aa9762380756e48bfb65	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\6290398c = 9acaed19dbd8aaaa857a8fbe0d26ad16337352eb339d000e952e8f850d4878ec4dc8f2f61b0896bb666f1d808de66727cedef782000ed5715af3a486260f1bd6a4fa4fa6f99a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\efb38ea7 = 149f7266ec6e2df5f76e8e4e5b7811fa2db7b7b54aa23c5ecb291070a8b7449b353030dbd8655d90e0310aa51f674da97fcab2a6749c2967fa9bae7ae14e2afcf0cbca168967b60c6b71fbce4a9ee35acec432eb653b2bbd1f79c2	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\90fae151 = c730109a3d6bb5991b9dcabe0175f5db3a5e5f1c32e1b97857513e54e73541896611cdee8075bb0fc8dd693a7683e196	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\1dd9567a = 07f18ac9232f2319842153288a00b3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\90fae151 = c730079a3d6b807fd114bcd43a5374b682433a0eac68c12ed3b3dc8296e9b274786dbf3eaff28da3dfe8289adb04ab180af0c6a26c5c5d334c1400863c4102f82e076955e8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\1f987606 = 62a7cb6acb816a69808f54560b041ff96221cb2051ee98b08e586c287ba0d5d2fad124450e1b13f8a4aac4ca63c04e964dad7774ad9a441cb49595821bf9c10ec320f047a18761ff0060876a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Oapxemtaej\da2c5ee9 = de6a34e01c2be343735f46d51230e048baf9	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4844 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
4564	regsvr32.exe
4564	regsvr32.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

4564 regsvr32.exe
2972 regsvr32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

EXCEL.EXE

pid	process
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE
4844	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4844 wrote to memory of 4916	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 4916	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 212	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 212	4844	EXCEL.EXE	regsvr32.exe
PID 212 wrote to memory of 4564	212	regsvr32.exe	regsvr32.exe
PID 212 wrote to memory of 4564	212	regsvr32.exe	regsvr32.exe
PID 212 wrote to memory of 4564	212	regsvr32.exe	regsvr32.exe
PID 4564 wrote to memory of 1296	4564	regsvr32.exe	explorer.exe
PID 4564 wrote to memory of 1296	4564	regsvr32.exe	explorer.exe
PID 4564 wrote to memory of 1296	4564	regsvr32.exe	explorer.exe
PID 4564 wrote to memory of 1296	4564	regsvr32.exe	explorer.exe
PID 4564 wrote to memory of 1296	4564	regsvr32.exe	explorer.exe
PID 4844 wrote to memory of 4136	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 4136	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 3840	4844	EXCEL.EXE	regsvr32.exe
PID 4844 wrote to memory of 3840	4844	EXCEL.EXE	regsvr32.exe
PID 1296 wrote to memory of 3284	1296	explorer.exe	schtasks.exe
PID 1296 wrote to memory of 3284	1296	explorer.exe	schtasks.exe
PID 1296 wrote to memory of 3284	1296	explorer.exe	schtasks.exe
PID 3240 wrote to memory of 2972	3240	regsvr32.exe	regsvr32.exe
PID 3240 wrote to memory of 2972	3240	regsvr32.exe	regsvr32.exe
PID 3240 wrote to memory of 2972	3240	regsvr32.exe	regsvr32.exe
PID 2972 wrote to memory of 812	2972	regsvr32.exe	explorer.exe
PID 2972 wrote to memory of 812	2972	regsvr32.exe	explorer.exe
PID 2972 wrote to memory of 812	2972	regsvr32.exe	explorer.exe
PID 2972 wrote to memory of 812	2972	regsvr32.exe	explorer.exe
PID 2972 wrote to memory of 812	2972	regsvr32.exe	explorer.exe
PID 812 wrote to memory of 3760	812	explorer.exe	reg.exe
PID 812 wrote to memory of 3760	812	explorer.exe	reg.exe
PID 812 wrote to memory of 3936	812	explorer.exe	reg.exe
PID 812 wrote to memory of 3936	812	explorer.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cancellation-1070520191$-May5.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s calc
2⤵
- Process spawned unexpected child process
PID:4916

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonse.OOOCCCXXX
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\regsvr32.exe
C:\Merto\Byrost\Veonse.OOOCCCXXX
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dxjrqrl /tr "regsvr32.exe -s \"C:\Merto\Byrost\Veonse.OOOCCCXXX\"" /SC ONCE /Z /ST 01:58 /ET 02:10
5⤵
- Creates scheduled task(s)
PID:3284

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonsea.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:4136

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonseb.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:3840

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
1⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Qxbnarpf" /d "0"
4⤵
PID:3760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uepamko" /d "0"
4⤵
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
62f1286d63e2bb4bb35e064af8d907b1

SHA1
b8da94e29154bbfb9c448987b0a7e1d7c27d2acc

SHA256
a68cf07c363d4dbe6fc3c2c07c77ccded074b449aaa0d6b6495c4dda6db002f7

SHA512
4cd4e143ee53f1d84bdd2762c453d701e89d6d0d2efcb4143308a3dea5ff786184b7eb28f26fec8d55e0f3227116db2fe4a2959ef8c6abdb03cb97a9ca370d81

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
62f1286d63e2bb4bb35e064af8d907b1

SHA1
b8da94e29154bbfb9c448987b0a7e1d7c27d2acc

SHA256
a68cf07c363d4dbe6fc3c2c07c77ccded074b449aaa0d6b6495c4dda6db002f7

SHA512
4cd4e143ee53f1d84bdd2762c453d701e89d6d0d2efcb4143308a3dea5ff786184b7eb28f26fec8d55e0f3227116db2fe4a2959ef8c6abdb03cb97a9ca370d81

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
62f1286d63e2bb4bb35e064af8d907b1

SHA1
b8da94e29154bbfb9c448987b0a7e1d7c27d2acc

SHA256
a68cf07c363d4dbe6fc3c2c07c77ccded074b449aaa0d6b6495c4dda6db002f7

SHA512
4cd4e143ee53f1d84bdd2762c453d701e89d6d0d2efcb4143308a3dea5ff786184b7eb28f26fec8d55e0f3227116db2fe4a2959ef8c6abdb03cb97a9ca370d81

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
62f1286d63e2bb4bb35e064af8d907b1

SHA1
b8da94e29154bbfb9c448987b0a7e1d7c27d2acc

SHA256
a68cf07c363d4dbe6fc3c2c07c77ccded074b449aaa0d6b6495c4dda6db002f7

SHA512
4cd4e143ee53f1d84bdd2762c453d701e89d6d0d2efcb4143308a3dea5ff786184b7eb28f26fec8d55e0f3227116db2fe4a2959ef8c6abdb03cb97a9ca370d81

Download Submit
memory/212-138-0x0000000000000000-mapping.dmp

Download
memory/812-156-0x0000000000000000-mapping.dmp

Download
memory/812-159-0x0000000000FD0000-0x0000000000FF2000-memory.dmp

Filesize
136KB

Download
memory/1296-149-0x0000000000FD0000-0x0000000000FF2000-memory.dmp

Filesize
136KB

Download
memory/1296-145-0x0000000000000000-mapping.dmp

Download
memory/2972-154-0x00000000017F0000-0x0000000001812000-memory.dmp

Filesize
136KB

Download
memory/2972-153-0x0000000001840000-0x0000000001862000-memory.dmp

Filesize
136KB

Download
memory/2972-155-0x0000000001840000-0x0000000001862000-memory.dmp

Filesize
136KB

Download
memory/2972-151-0x0000000000000000-mapping.dmp

Download
memory/3284-148-0x0000000000000000-mapping.dmp

Download
memory/3760-157-0x0000000000000000-mapping.dmp

Download
memory/3840-147-0x0000000000000000-mapping.dmp

Download
memory/3936-158-0x0000000000000000-mapping.dmp

Download
memory/4136-146-0x0000000000000000-mapping.dmp

Download
memory/4564-144-0x0000000002AB0000-0x0000000002AD2000-memory.dmp

Filesize
136KB

Download
memory/4564-143-0x0000000002A60000-0x0000000002A82000-memory.dmp

Filesize
136KB

Download
memory/4564-142-0x0000000002AB0000-0x0000000002AD2000-memory.dmp

Filesize
136KB

Download
memory/4564-140-0x0000000000000000-mapping.dmp

Download
memory/4844-130-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp

Filesize
64KB

Download
memory/4844-136-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp

Filesize
64KB

Download
memory/4844-135-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp

Filesize
64KB

Download
memory/4844-134-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp

Filesize
64KB

Download
memory/4844-133-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp

Filesize
64KB

Download
memory/4844-131-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp

Filesize
64KB

Download
memory/4844-132-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp

Filesize
64KB

Download
memory/4916-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads