qakbot | 8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

General

Target

8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Size

1.0MB
MD5

6cff5dbdfc5ecc92843d23ead14452ca
SHA1

513c0cfab63ac8b44f7e17bbdeac831674024b46
SHA256

8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8
SHA512

0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Score

10^/10

qakbot obama189 1655107308 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama189

Campaign

1655107308

C2

91.177.173.10:995

117.248.109.38:21

182.191.92.203:995

39.52.38.164:995

217.165.84.253:993

84.241.8.23:32103

82.152.39.39:443

202.134.152.2:2222

122.118.131.132:995

120.150.218.241:995

222.169.71.98:2222

37.34.253.233:443

93.48.80.198:995

148.0.55.173:443

175.145.235.37:443

41.130.140.32:993

120.61.0.71:443

89.101.97.139:443

62.204.41.187:443

62.204.41.187:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Nacobnbvbk = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Jtivcie = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

4196 regsvr32.exe
4196 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3448 4460 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3088 schtasks.exe

pid	process
4196	regsvr32.exe
4196	regsvr32.exe

pid	pid_target	process	target process
3448	4460	WerFault.exe	rundll32.exe

pid	process
3088	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\ae4e30d1 = 2029f1a1a36b54a18180d982dca887f4c8f42c39171a55ed8afb7008de561e223868b2e9a830553175374f0378b02ca7ce12b20fc99a81787a6ac5abc0c25f6a1ff21f4a4b3ea36a0b14d46fe5b98648ca	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\212ca786 = 6e4d472fca0c4b5955c2962eb9fb0b2369eb05a874e439a6db70ee986b6ad24814fa2e832943c37d5029da90bda6a51382f1c041a88b86fb97c1781fea0cabfb	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\212ca786 = 6e4d502fca0c7e2e033f2d94eda21853a9c2180c2f4d611d34d99ca461f4e06edc457e92e319c3140e6546	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\14b377c8 = 3db4e031c0382f6caf0fdd07b0a6d43455cd6ef812cd45c079831c72ec1487f277f7babf3a77f9250322f150590fe592b70fdcfe39190ff72d5fc340ef2eb5e7b53a398d57c5f3b8f78a6f1915627cb21bef3c992335c3534bf75f3bf8fec6962a450f61d2352afd68a135c7dc148b217e15279512bb715dce915d90760418a29fde8b994c334e616779102fd4b01851f1d25392ce56	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\ac0f10ad = 9ad7bc8a6834328654daa1c482eb674b0dbceb485511de2e9c4e68fb7c705d006e61c5f3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\5e65c870 = b4735768899aff7aae07c5aea5e48ba1d8c343cf74	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\16f257b4 = a779d4a778d8de5642a2eefbd3561e630a568dde75e9205ea25e57d0cae563733a810db1bc666ff3af2471b6727c4f0d265bc7eff3060f46e026c6f46cd9ee93af57ad03522a7545541c294237ae78e3a6bdd4060c37d88407daec75508bc08567d29cc6d88f75e7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\d3467f5b = 4b3133d9b796f8c15a972193834d39fef32dc6236234fcf8b3921dca8329476fcd8d408d98c8ac4ba4ff6ba871249a65eb1d954293c7a508871bddedc8bcafbb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ldnyoiygiy\6bfa183e = 08b6662384e1293d022354e85aaf4de9a9cadaf6778952ba7aba37a7c93f61a699831c0d552ee1b25061d91991212f1db849ec55617daef9d3f95f12873e92e577ef9e39c3	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
4460	rundll32.exe
4460	rundll32.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe
4408	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

4460 rundll32.exe
4196 regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1364 wrote to memory of 4460	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 4460	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 4460	1364	rundll32.exe	rundll32.exe
PID 4460 wrote to memory of 4408	4460	rundll32.exe	explorer.exe
PID 4460 wrote to memory of 4408	4460	rundll32.exe	explorer.exe
PID 4460 wrote to memory of 4408	4460	rundll32.exe	explorer.exe
PID 4460 wrote to memory of 4408	4460	rundll32.exe	explorer.exe
PID 4460 wrote to memory of 4408	4460	rundll32.exe	explorer.exe
PID 4408 wrote to memory of 3088	4408	explorer.exe	schtasks.exe
PID 4408 wrote to memory of 3088	4408	explorer.exe	schtasks.exe
PID 4408 wrote to memory of 3088	4408	explorer.exe	schtasks.exe
PID 3804 wrote to memory of 4196	3804	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 4196	3804	regsvr32.exe	regsvr32.exe
PID 3804 wrote to memory of 4196	3804	regsvr32.exe	regsvr32.exe
PID 4196 wrote to memory of 1660	4196	regsvr32.exe	explorer.exe
PID 4196 wrote to memory of 1660	4196	regsvr32.exe	explorer.exe
PID 4196 wrote to memory of 1660	4196	regsvr32.exe	explorer.exe
PID 4196 wrote to memory of 1660	4196	regsvr32.exe	explorer.exe
PID 4196 wrote to memory of 1660	4196	regsvr32.exe	explorer.exe
PID 1660 wrote to memory of 4324	1660	explorer.exe	reg.exe
PID 1660 wrote to memory of 4324	1660	explorer.exe	reg.exe
PID 1660 wrote to memory of 1088	1660	explorer.exe	reg.exe
PID 1660 wrote to memory of 1088	1660	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vyksdbdo /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll\"" /SC ONCE /Z /ST 17:02 /ET 17:14
4⤵
- Creates scheduled task(s)
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 744
3⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4460 -ip 4460
1⤵
PID:4724

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Jtivcie" /d "0"
4⤵
- Windows security bypass
PID:4324

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Nacobnbvbk" /d "0"
4⤵
- Windows security bypass
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Filesize
1.0MB

MD5
6cff5dbdfc5ecc92843d23ead14452ca

SHA1
513c0cfab63ac8b44f7e17bbdeac831674024b46

SHA256
8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

SHA512
0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Filesize
1.0MB

MD5
6cff5dbdfc5ecc92843d23ead14452ca

SHA1
513c0cfab63ac8b44f7e17bbdeac831674024b46

SHA256
8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

SHA512
0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8.dll
Filesize
1.0MB

MD5
6cff5dbdfc5ecc92843d23ead14452ca

SHA1
513c0cfab63ac8b44f7e17bbdeac831674024b46

SHA256
8f08ce574fd51a476bc0f4f861eafba73786fb2c3c32bf8a0cd9ffe00d01fdd8

SHA512
0187ff64f59f8a85097112eb628dfa400233c4b440b7824adf005e198f04f099ce3630e38c9512df46bfc61dbf0a3abc5cf3897d867fdaf0a1d057ab65b6c256

Download Submit
memory/1088-151-0x0000000000000000-mapping.dmp

Download
memory/1660-148-0x0000000000000000-mapping.dmp

Download
memory/1660-153-0x0000000000C80000-0x0000000000CA2000-memory.dmp

Filesize
136KB

Download
memory/1660-152-0x0000000000C80000-0x0000000000CA2000-memory.dmp

Filesize
136KB

Download
memory/3088-138-0x0000000000000000-mapping.dmp

Download
memory/4196-145-0x0000000001240000-0x0000000001262000-memory.dmp

Filesize
136KB

Download
memory/4196-149-0x0000000001240000-0x0000000001262000-memory.dmp

Filesize
136KB

Download
memory/4196-141-0x0000000000000000-mapping.dmp

Download
memory/4196-147-0x0000000001240000-0x0000000001262000-memory.dmp

Filesize
136KB

Download
memory/4196-146-0x0000000001200000-0x0000000001232000-memory.dmp

Filesize
200KB

Download
memory/4196-144-0x0000000000C30000-0x0000000000D3C000-memory.dmp

Filesize
1.0MB

Download
memory/4324-150-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download
memory/4408-135-0x0000000000000000-mapping.dmp

Download
memory/4408-136-0x0000000000D60000-0x0000000000D82000-memory.dmp

Filesize
136KB

Download
memory/4460-132-0x0000000002DA0000-0x0000000002DC2000-memory.dmp

Filesize
136KB

Download
memory/4460-133-0x0000000002D40000-0x0000000002D72000-memory.dmp

Filesize
200KB

Download
memory/4460-130-0x0000000000000000-mapping.dmp

Download
memory/4460-134-0x0000000002DA0000-0x0000000002DC2000-memory.dmp

Filesize
136KB

Download
memory/4460-131-0x0000000000DD0000-0x0000000000EDC000-memory.dmp

Filesize
1.0MB

Download
memory/4460-137-0x0000000002DA0000-0x0000000002DC2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads