qakbot | 5597159f5b250a487e4f0eb7242dc938f6e335839131601d8ec22d34756489aa

General

Target

Cancellation-1228813013$-May5.xlsb
Size

65KB
MD5

4ed18e5cf0345e1fec51922960217b52
SHA1

1dd2279ce4c569ff462884c1a283c6c9d5505dc7
SHA256

8aa260005950bb9d062fa127e0f7fa615b02fafb15000cac4ff52e4aa97f1d16
SHA512

df53c2ce7788cbce925014ce03c6efbb6e4354c73b9fe14615e5a3798203d18dc0f67117602472c2743e043f51993e4327334ac90fd0de185708a0c9bf3a89f3

Score

10^/10

qakbot obama182 1651756499 banker evasion stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	936	924	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4004	924	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3240	924	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1548	924	regsvr32.exe	EXCEL.EXE

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3908 regsvr32.exe
3908 regsvr32.exe
1392 regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1172 schtasks.exe

pid	process
1172	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\2d4286cf = 29e2c6c3412f6aa4f2184754df3f353d90decd64843ebf9416169fbc9b4fe3879f2ecce2c034b9badff3d5d3bd9bc2133c95b84a1de56b10fd33f3a290c4a5f1a7bf55514cba2231	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\520be939 = c9a60384c08382e07ce336f088ee8af7c8c04085f746	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\dd697e6e = bed3822d4dfca370b6e0682ff1ce8d904c5d08fb5c98483393b2b6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\a06131e4 = 36046cc0022a1213657dce560d02a9d861855f64f33f0ec55225e2d9b0eb451b5eab13ebca5946c468994b9eda0f8376b902ff495e71f5bfa3b24ebf3cc8619f03fe82d1888e057e6a1dcbc16f4572a71acd1849d54652cc00978461	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\df285e12 = 0e9b0e2a1ec2da750d2393a3912c39d25861764a8032861d492e56fe25c9ee281ea5e6ccf5952f87be8f169d992c808ad65d4526b438c4523e17f109f9096ec61fd8b63bdd7478ba962d8c72ec6322f4ff9d72c408	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\520be939 = c9a61484c083b74954d949ac6cc612c3d55c2c6861ce7770eb17439bf099169154b44f7480afda2661017d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\67943977 = 4b0e04b481eb6e7bb4ee6c8bcff7f3a7309a7dc1c0e78d5a0b7de64a7ff4713adc55af4c1f90baf1cee07ddb6775b9ee0e8affe4ee6ee4c11474b236e4fcb0bf6b9fedca5df5bab904d3861b098e6349d13d42483f3ab5786feba52895ded8620c42d9447db3f87de2e880bac00e907e93a656707da4d33cf506e4c47ee9d75a07c89f32b3ae75c2b6ec28ce10de43c20d50488c71fb04dc5ce4fd7eec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\65d5190b = af411b5e691ff792baa86a17ccc93e5f9d295884ca2a9a50d1cc913d964205d64bda13d67880ba826840c6a9b45d39898ae3338de0a8c265f181c3398f66b0b3505dbd84c91f681431b1cdb5b3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ugvmujzqvr\18dd5681 = aa90421c1dc6a2c766ae2d54510900f2f16eb88de7caeea3e98cb9d73b0d56a2cafe3de68bf20289e7906c4a36	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

924 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

pid	process
3908	regsvr32.exe
3908	regsvr32.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe
3856	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3908 regsvr32.exe
1392 regsvr32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXE

pid	process
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 924 wrote to memory of 936	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 936	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 4004	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 4004	924	EXCEL.EXE	regsvr32.exe
PID 4004 wrote to memory of 3908	4004	regsvr32.exe	regsvr32.exe
PID 4004 wrote to memory of 3908	4004	regsvr32.exe	regsvr32.exe
PID 4004 wrote to memory of 3908	4004	regsvr32.exe	regsvr32.exe
PID 3908 wrote to memory of 3856	3908	regsvr32.exe	explorer.exe
PID 3908 wrote to memory of 3856	3908	regsvr32.exe	explorer.exe
PID 3908 wrote to memory of 3856	3908	regsvr32.exe	explorer.exe
PID 3908 wrote to memory of 3856	3908	regsvr32.exe	explorer.exe
PID 3908 wrote to memory of 3856	3908	regsvr32.exe	explorer.exe
PID 924 wrote to memory of 3240	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 3240	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 1548	924	EXCEL.EXE	regsvr32.exe
PID 924 wrote to memory of 1548	924	EXCEL.EXE	regsvr32.exe
PID 3856 wrote to memory of 1172	3856	explorer.exe	schtasks.exe
PID 3856 wrote to memory of 1172	3856	explorer.exe	schtasks.exe
PID 3856 wrote to memory of 1172	3856	explorer.exe	schtasks.exe
PID 1804 wrote to memory of 1392	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 1392	1804	regsvr32.exe	regsvr32.exe
PID 1804 wrote to memory of 1392	1804	regsvr32.exe	regsvr32.exe
PID 1392 wrote to memory of 3708	1392	regsvr32.exe	explorer.exe
PID 1392 wrote to memory of 3708	1392	regsvr32.exe	explorer.exe
PID 1392 wrote to memory of 3708	1392	regsvr32.exe	explorer.exe
PID 1392 wrote to memory of 3708	1392	regsvr32.exe	explorer.exe
PID 1392 wrote to memory of 3708	1392	regsvr32.exe	explorer.exe
PID 3708 wrote to memory of 4320	3708	explorer.exe	reg.exe
PID 3708 wrote to memory of 4320	3708	explorer.exe	reg.exe
PID 3708 wrote to memory of 1204	3708	explorer.exe	reg.exe
PID 3708 wrote to memory of 1204	3708	explorer.exe	reg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Cancellation-1228813013$-May5.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s calc
2⤵
- Process spawned unexpected child process
PID:936

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonse.OOOCCCXXX
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\regsvr32.exe
C:\Merto\Byrost\Veonse.OOOCCCXXX
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nhytxhtw /tr "regsvr32.exe -s \"C:\Merto\Byrost\Veonse.OOOCCCXXX\"" /SC ONCE /Z /ST 14:42 /ET 14:54
5⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonsea.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:3240

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 C:\Merto\Byrost\Veonseb.OOOCCCXXX
2⤵
- Process spawned unexpected child process
PID:1548

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Merto\Byrost\Veonse.OOOCCCXXX"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ozaze" /d "0"
4⤵
PID:4320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yjntrponbv" /d "0"
4⤵
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
5a49dbfaa8b7ae74bd5bbbdbca791e1c

SHA1
7709845bfa39b4e48be26fe609908fe72ee0f658

SHA256
ef7a23ebe3be9c2fa37d399f0056ed5cd9e4376aa0b45cbce7d04435be61a531

SHA512
6fa67a6cec117ab63bc98e1695c9c86b4b459ba4edd733be55729c0287049e84dd3fe48d5eb1883c52da964cb56f91e9611550384a56c04f73081b38b95841cb

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
5a49dbfaa8b7ae74bd5bbbdbca791e1c

SHA1
7709845bfa39b4e48be26fe609908fe72ee0f658

SHA256
ef7a23ebe3be9c2fa37d399f0056ed5cd9e4376aa0b45cbce7d04435be61a531

SHA512
6fa67a6cec117ab63bc98e1695c9c86b4b459ba4edd733be55729c0287049e84dd3fe48d5eb1883c52da964cb56f91e9611550384a56c04f73081b38b95841cb

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
5a49dbfaa8b7ae74bd5bbbdbca791e1c

SHA1
7709845bfa39b4e48be26fe609908fe72ee0f658

SHA256
ef7a23ebe3be9c2fa37d399f0056ed5cd9e4376aa0b45cbce7d04435be61a531

SHA512
6fa67a6cec117ab63bc98e1695c9c86b4b459ba4edd733be55729c0287049e84dd3fe48d5eb1883c52da964cb56f91e9611550384a56c04f73081b38b95841cb

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
5a49dbfaa8b7ae74bd5bbbdbca791e1c

SHA1
7709845bfa39b4e48be26fe609908fe72ee0f658

SHA256
ef7a23ebe3be9c2fa37d399f0056ed5cd9e4376aa0b45cbce7d04435be61a531

SHA512
6fa67a6cec117ab63bc98e1695c9c86b4b459ba4edd733be55729c0287049e84dd3fe48d5eb1883c52da964cb56f91e9611550384a56c04f73081b38b95841cb

Download Submit
C:\Merto\Byrost\Veonse.OOOCCCXXX
Filesize
855KB

MD5
5a49dbfaa8b7ae74bd5bbbdbca791e1c

SHA1
7709845bfa39b4e48be26fe609908fe72ee0f658

SHA256
ef7a23ebe3be9c2fa37d399f0056ed5cd9e4376aa0b45cbce7d04435be61a531

SHA512
6fa67a6cec117ab63bc98e1695c9c86b4b459ba4edd733be55729c0287049e84dd3fe48d5eb1883c52da964cb56f91e9611550384a56c04f73081b38b95841cb

Download Submit
memory/924-136-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/924-130-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/924-131-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/924-135-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/924-134-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/924-133-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/924-132-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/936-137-0x0000000000000000-mapping.dmp

Download
memory/1172-150-0x0000000000000000-mapping.dmp

Download
memory/1204-160-0x0000000000000000-mapping.dmp

Download
memory/1392-157-0x0000000001F40000-0x0000000001F62000-memory.dmp

Filesize
136KB

Download
memory/1392-156-0x0000000001EF0000-0x0000000001F12000-memory.dmp

Filesize
136KB

Download
memory/1392-155-0x0000000001F40000-0x0000000001F62000-memory.dmp

Filesize
136KB

Download
memory/1392-153-0x0000000000000000-mapping.dmp

Download
memory/1548-149-0x0000000000000000-mapping.dmp

Download
memory/3240-148-0x0000000000000000-mapping.dmp

Download
memory/3708-158-0x0000000000000000-mapping.dmp

Download
memory/3708-161-0x0000000000EA0000-0x0000000000EC2000-memory.dmp

Filesize
136KB

Download
memory/3856-147-0x0000000000000000-mapping.dmp

Download
memory/3856-151-0x0000000000930000-0x0000000000952000-memory.dmp

Filesize
136KB

Download
memory/3908-146-0x0000000002130000-0x0000000002152000-memory.dmp

Filesize
136KB

Download
memory/3908-145-0x00000000020E0000-0x0000000002102000-memory.dmp

Filesize
136KB

Download
memory/3908-144-0x0000000002130000-0x0000000002152000-memory.dmp

Filesize
136KB

Download
memory/3908-143-0x0000000001FD0000-0x00000000020AA000-memory.dmp

Filesize
872KB

Download
memory/3908-140-0x0000000000000000-mapping.dmp

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download
memory/4320-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads