qakbot | e8d0bfcbdfb86ee8c3a2e1db06ade10715e5fdc7acef1fca18e1021b335f9f78

General

Target

local.dll
Size

843KB
MD5

3fb78f4c9c7393ac16f242d32c554f54
SHA1

e72c5ecaa6e5b7a0084accf1c18118a1851fc8ee
SHA256

e8d0bfcbdfb86ee8c3a2e1db06ade10715e5fdc7acef1fca18e1021b335f9f78
SHA512

d5cdd5b7b7277d56ffacc831ac78ca2684551f0c8b6b58debca688b13c50212facaa3c7a05518bc724180bb14ba4ebb00e910179f25205d4e5a80205d837826f

Score

10^/10

qakbot obama187 1654695312 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama187

Campaign

1654695312

C2

197.164.182.46:993

70.51.135.90:2222

187.251.132.144:22

37.186.54.254:995

80.11.74.81:2222

41.84.236.245:995

24.139.72.117:443

177.94.57.126:32101

37.34.253.233:443

186.90.153.162:2222

32.221.224.140:995

208.107.221.224:443

67.165.206.193:993

63.143.92.99:995

88.232.220.207:443

189.78.107.163:32101

74.14.5.179:2222

148.0.56.63:443

40.134.246.185:995

173.21.10.71:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Qprxa = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ryudqgufcdl = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

336 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe

pid	process
336	regsvr32.exe

pid	process
1136	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\e390fa27 = 43f074860a25e31cb3460d96d04e937b1b80f446e556a21110eb79d158afce37bc899a089a8c4458cdf9938da445de9726d8dc91be11d0561a76864f08106e0a1aac0cf1df0e9d78ba8c1f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\d60f2a69 = f7cc2891d36c1819afae9fc38751139b256caa9cb1b418c739994c7c086db5d0bc2eb0cd93e79e99ec630af54f64bb5ff8adb7381e73838e9c711bded4a89ff4d622df3a9a25ac0a1e9a1d6893cf6b84cfb5e44e1d6630514bf93ef591ed5af5a8ebe54ab763dc2a09eac49e0d0f73cd5dbe411d316baca056e9fa2d84cd9af27046a425f6803c524c9d7a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\d44e0a15 = 3c953ac55e7b1238031e2589f703494548	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\a946459f = 9836a4d8ef633f7865a91d3866670011575d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\6eb34d0c = f9bb91719a9cb2be15b214f8c438dadee17501c9f91a9abcf5e8dd01feaac77f49419ec039f8e14bd355e1aabf032668	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\6cf26d70 = 5e5f0590c4d70bfabdf9155517f170496515de138aaaba5500d08a3cd128bd1ddb94031182	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\11fa22fa = 3b47a511e79f5dea820123ac77a4ba0dea7eed76cdaedc7895ef72d3c676183978c21c6368dcf0ac703723f0e0ebf4246a586b3203cbe022c2596610a878e7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\9cd995d1 = 785864a2a04db15b4c711933858ebe4f0fdbca4ea225c0a7839c1a74b05d60bb830a8b3b29cc6249dd3f02fc709b172093548523b8985557b35a3fad999a7fdd1b078ddbc2526fd7432d75687d201ac3a2fc359fdc802699f848febbe196a718144a8a06d14ac9cf9febc9de84e0f867	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Wqdornghnlui\e390fa27 = 43f063860a25d60c333aef64a049d98e513ae70c53e79daba0fe0c87c3fcdfe1e51f1fc2eeb20b8ad5b2838b4c98e981f750daec5a8ea4ec59991309a0208fc282121768eb182035611758fc1146662aee3fa16858bcf4bcf13391bd541592c6	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1668	rundll32.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
336	regsvr32.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1668 rundll32.exe
336 regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 376 wrote to memory of 1668	376	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1668 wrote to memory of 1060	1668	rundll32.exe	explorer.exe
PID 1060 wrote to memory of 1136	1060	explorer.exe	schtasks.exe
PID 1060 wrote to memory of 1136	1060	explorer.exe	schtasks.exe
PID 1060 wrote to memory of 1136	1060	explorer.exe	schtasks.exe
PID 1060 wrote to memory of 1136	1060	explorer.exe	schtasks.exe
PID 1820 wrote to memory of 1448	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 1448	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 1448	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 1448	1820	taskeng.exe	regsvr32.exe
PID 1820 wrote to memory of 1448	1820	taskeng.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 1448 wrote to memory of 336	1448	regsvr32.exe	regsvr32.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 336 wrote to memory of 1944	336	regsvr32.exe	explorer.exe
PID 1944 wrote to memory of 2024	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 2024	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 2024	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 2024	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 864	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 864	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 864	1944	explorer.exe	reg.exe
PID 1944 wrote to memory of 864	1944	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn lczhpackl /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\local.dll\"" /SC ONCE /Z /ST 00:03 /ET 00:15
4⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\taskeng.exe
taskeng.exe {AA33897C-B966-466F-92B7-3CA6276D42B5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\local.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\local.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Qprxa" /d "0"
5⤵
- Windows security bypass
PID:2024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ryudqgufcdl" /d "0"
5⤵
- Windows security bypass
PID:864

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
3fb78f4c9c7393ac16f242d32c554f54

SHA1
e72c5ecaa6e5b7a0084accf1c18118a1851fc8ee

SHA256
e8d0bfcbdfb86ee8c3a2e1db06ade10715e5fdc7acef1fca18e1021b335f9f78

SHA512
d5cdd5b7b7277d56ffacc831ac78ca2684551f0c8b6b58debca688b13c50212facaa3c7a05518bc724180bb14ba4ebb00e910179f25205d4e5a80205d837826f

Download Submit
\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
3fb78f4c9c7393ac16f242d32c554f54

SHA1
e72c5ecaa6e5b7a0084accf1c18118a1851fc8ee

SHA256
e8d0bfcbdfb86ee8c3a2e1db06ade10715e5fdc7acef1fca18e1021b335f9f78

SHA512
d5cdd5b7b7277d56ffacc831ac78ca2684551f0c8b6b58debca688b13c50212facaa3c7a05518bc724180bb14ba4ebb00e910179f25205d4e5a80205d837826f

Download Submit
memory/336-84-0x0000000000B00000-0x0000000000B22000-memory.dmp

Filesize
136KB

Download
memory/336-80-0x0000000000B00000-0x0000000000B22000-memory.dmp

Filesize
136KB

Download
memory/336-79-0x0000000000AC0000-0x0000000000AF2000-memory.dmp

Filesize
200KB

Download
memory/336-77-0x0000000000B00000-0x0000000000B22000-memory.dmp

Filesize
136KB

Download
memory/336-78-0x0000000000B00000-0x0000000000B22000-memory.dmp

Filesize
136KB

Download
memory/336-76-0x0000000000B00000-0x0000000000B22000-memory.dmp

Filesize
136KB

Download
memory/336-72-0x0000000000000000-mapping.dmp

Download
memory/336-75-0x0000000000760000-0x0000000000837000-memory.dmp

Filesize
860KB

Download
memory/864-87-0x0000000000000000-mapping.dmp

Download
memory/1060-62-0x0000000000000000-mapping.dmp

Download
memory/1060-68-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1060-66-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1060-64-0x0000000074861000-0x0000000074863000-memory.dmp

Filesize
8KB

Download
memory/1136-67-0x0000000000000000-mapping.dmp

Download
memory/1448-69-0x0000000000000000-mapping.dmp

Download
memory/1448-70-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1668-58-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1668-65-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1668-61-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1668-60-0x0000000000AE0000-0x0000000000B12000-memory.dmp

Filesize
200KB

Download
memory/1668-59-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1668-54-0x0000000000000000-mapping.dmp

Download
memory/1668-57-0x0000000000240000-0x0000000000262000-memory.dmp

Filesize
136KB

Download
memory/1668-56-0x00000000002B0000-0x0000000000387000-memory.dmp

Filesize
860KB

Download
memory/1668-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1944-81-0x0000000000000000-mapping.dmp

Download
memory/1944-86-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/2024-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads