qakbot | 8fc0f803beb1a3c3bde04002a0a75868cf82ae0b5509da1724d9c342397c2540

General

Target

local.dll
Size

843KB
MD5

50b13384387bdd3b6bb05a81a8a1822b
SHA1

3fcdf30622a4f9e81ef1c72cd3a000c6cf1c2ea0
SHA256

8fc0f803beb1a3c3bde04002a0a75868cf82ae0b5509da1724d9c342397c2540
SHA512

51abbb8913c1ac4233e82901230315bffb8af6a3e591a919f51f4a07ce57936329962125baa16f6dc916c98298513a8ea15554c81b47135588583d618ad33748

Score

10^/10

qakbot obama187 1654695312 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama187

Campaign

1654695312

C2

197.164.182.46:993

70.51.135.90:2222

187.251.132.144:22

37.186.54.254:995

80.11.74.81:2222

41.84.236.245:995

24.139.72.117:443

177.94.57.126:32101

37.34.253.233:443

186.90.153.162:2222

32.221.224.140:995

208.107.221.224:443

67.165.206.193:993

63.143.92.99:995

88.232.220.207:443

189.78.107.163:32101

74.14.5.179:2222

148.0.56.63:443

40.134.246.185:995

173.21.10.71:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Egwuobje = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Eerzodm = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1052 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

984 schtasks.exe

pid	process
1052	regsvr32.exe

pid	process
984	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\a422c32c = c6fb6ad8e65deea93115af9553399019abb137c930eefcd352df8f02d9e764b3887e0799d0ba692627e5dcda24b9cf960407895e077ecfebc7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\63d7cbbf = da5f7ada65af999a86fb5171fd1dedf430d4716d6e475d3a7982179620a9642edd162c09a2d209323498d530ee369795e8c66a8fca58bad2f027d41357b8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\eef47c94 = a5aabfbd9bb6229314baa0478bf5968f20be81f14250f95f8391c19216752aac2b	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\db6bacda = c789cc94f26a6fac3373b3fcb0fea0d0406f8c48251dc520c98dc328dc58d3f6f68b962ad1ab6498241d40e7ffabc01434de3ed37dfdf8efabb1d7dc1d2b05e2bf3201d3abe13ec42de12d1465a2083022db894e02396723eac5a60983529d0a36a653a6e4ee32319ed649fa4ccbeac2d4f61ee01a4c5861d0681866c9dede22	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\6196ebc3 = d06d32ec43671968e0e6ff82bbd51cf8a7b5f90d7d94f47de8c5db40bc3b155e022262c92709	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\1c9ea449 = 938cc75e333f5d2b2f4c9aee568d3d329d547947e825e880fa5d3bd8006c29bd646a724abc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\eef47c94 = a5aaa8bd9bb617e27c88f76d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\d92a8ca6 = 2d200c83eca8d0ebda48774fc813d9fa9d5f1784bf39a140dc46d97f4291ea9ce838b0a31c195a0b30b4e2b9d2aaf914a257171c7658a52c813835f83ebd34342ba90042e88094546ac214c5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vwuxpoasbz\91bd1362 = 0b4c3be8fdd15c020035401207d6baa71f7e2188b1a6f872db9b49d890c0676d42047f34065beb1329d8d64d7e85bb7d06c8b2b116aa2c4390c1c061e07c4b781f1e228421db415f0bf7c58a0d797cd25c642c8d8d1e59fc371ecb967af06cb05907dee7b3b2e43482d1abdca78b	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1664	rundll32.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1052	regsvr32.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1664 rundll32.exe
1052 regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1664	756	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1664 wrote to memory of 1904	1664	rundll32.exe	explorer.exe
PID 1904 wrote to memory of 984	1904	explorer.exe	schtasks.exe
PID 1904 wrote to memory of 984	1904	explorer.exe	schtasks.exe
PID 1904 wrote to memory of 984	1904	explorer.exe	schtasks.exe
PID 1904 wrote to memory of 984	1904	explorer.exe	schtasks.exe
PID 1880 wrote to memory of 796	1880	taskeng.exe	regsvr32.exe
PID 1880 wrote to memory of 796	1880	taskeng.exe	regsvr32.exe
PID 1880 wrote to memory of 796	1880	taskeng.exe	regsvr32.exe
PID 1880 wrote to memory of 796	1880	taskeng.exe	regsvr32.exe
PID 1880 wrote to memory of 796	1880	taskeng.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 1052	796	regsvr32.exe	regsvr32.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 1052 wrote to memory of 852	1052	regsvr32.exe	explorer.exe
PID 852 wrote to memory of 516	852	explorer.exe	reg.exe
PID 852 wrote to memory of 516	852	explorer.exe	reg.exe
PID 852 wrote to memory of 516	852	explorer.exe	reg.exe
PID 852 wrote to memory of 516	852	explorer.exe	reg.exe
PID 852 wrote to memory of 1628	852	explorer.exe	reg.exe
PID 852 wrote to memory of 1628	852	explorer.exe	reg.exe
PID 852 wrote to memory of 1628	852	explorer.exe	reg.exe
PID 852 wrote to memory of 1628	852	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mhyitsqevd /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\local.dll\"" /SC ONCE /Z /ST 06:56 /ET 07:08
4⤵
- Creates scheduled task(s)
PID:984

C:\Windows\system32\taskeng.exe
taskeng.exe {A9917E0B-5CC8-44F6-9491-486F18229E98} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\local.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\local.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Eerzodm" /d "0"
5⤵
- Windows security bypass
PID:516

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Egwuobje" /d "0"
5⤵
- Windows security bypass
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
50b13384387bdd3b6bb05a81a8a1822b

SHA1
3fcdf30622a4f9e81ef1c72cd3a000c6cf1c2ea0

SHA256
8fc0f803beb1a3c3bde04002a0a75868cf82ae0b5509da1724d9c342397c2540

SHA512
51abbb8913c1ac4233e82901230315bffb8af6a3e591a919f51f4a07ce57936329962125baa16f6dc916c98298513a8ea15554c81b47135588583d618ad33748

Download Submit
\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
50b13384387bdd3b6bb05a81a8a1822b

SHA1
3fcdf30622a4f9e81ef1c72cd3a000c6cf1c2ea0

SHA256
8fc0f803beb1a3c3bde04002a0a75868cf82ae0b5509da1724d9c342397c2540

SHA512
51abbb8913c1ac4233e82901230315bffb8af6a3e591a919f51f4a07ce57936329962125baa16f6dc916c98298513a8ea15554c81b47135588583d618ad33748

Download Submit
memory/516-85-0x0000000000000000-mapping.dmp

Download
memory/796-70-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/796-69-0x0000000000000000-mapping.dmp

Download
memory/852-86-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/852-81-0x0000000000000000-mapping.dmp

Download
memory/984-67-0x0000000000000000-mapping.dmp

Download
memory/1052-78-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1052-80-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1052-84-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1052-79-0x0000000000340000-0x0000000000372000-memory.dmp

Filesize
200KB

Download
memory/1052-77-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1052-76-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/1052-75-0x0000000000B60000-0x0000000000C37000-memory.dmp

Filesize
860KB

Download
memory/1052-72-0x0000000000000000-mapping.dmp

Download
memory/1628-87-0x0000000000000000-mapping.dmp

Download
memory/1664-57-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1664-59-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1664-61-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1664-54-0x0000000000000000-mapping.dmp

Download
memory/1664-58-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1664-65-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1664-56-0x0000000000890000-0x0000000000967000-memory.dmp

Filesize
860KB

Download
memory/1664-55-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/1664-60-0x00000000003F0000-0x0000000000422000-memory.dmp

Filesize
200KB

Download
memory/1904-68-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1904-62-0x0000000000000000-mapping.dmp

Download
memory/1904-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1904-64-0x0000000074691000-0x0000000074693000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads