qakbot | 1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e

General

Target

1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll
Size

1.0MB
MD5

bc5cd9ba1b2f9df9617335a64ef4915f
SHA1

1630dd1cb577c44d3f9f28c06208f660c8d82aed
SHA256

1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e
SHA512

020798e77af15e8aafe1c69a115ebdfe51f3f4416d0a4ecb3a441f63c31d07a36f1b5d7d722db088f1508dc057b48e0d6284dcdc6efcddf464c75c83caa98dec

Score

10^/10

qakbot obama189 1655107308 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama189

Campaign

1655107308

C2

91.177.173.10:995

117.248.109.38:21

182.191.92.203:995

39.52.38.164:995

217.165.84.253:993

84.241.8.23:32103

82.152.39.39:443

202.134.152.2:2222

122.118.131.132:995

120.150.218.241:995

222.169.71.98:2222

37.34.253.233:443

93.48.80.198:995

148.0.55.173:443

175.145.235.37:443

41.130.140.32:993

120.61.0.71:443

89.101.97.139:443

62.204.41.187:443

62.204.41.187:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Xpqoueoqnke = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Waapnh = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3056 regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1416 2760 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

812 schtasks.exe

pid	process
3056	regsvr32.exe

pid	pid_target	process	target process
1416	2760	WerFault.exe	rundll32.exe

pid	process
812	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\2c3dc2e2 = 42907140a01319a662132a93cb6d3caa578f8e4bc6ef76675334f4aec7feb82beb966f2758ff8eb1de390c011c73967d2c8fd4428091816dd3ebf35a3615796ae32a07e4a3b71d3ae56f51a3d77f71715e9120ba61f22640a564f008ca07b67c669048e3b96b68	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\9481a587 = 07966963f306160fb0e44bd974ce39401415b725a9a1a69cc58d2b9891aced94085856da2b4ed6af58375ba64f4c4701272a4f1c7ee5bb4190e4cb877e53e02385d6677f50b0424e405ffcbb265d6da9430caacd944a507750d1736bbf4f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\e989ea0d = 464e4b505bf86114929e2bb02d69a8a3350fbc91f815d97bd387fceeb666b7f5692e57ad744588c5cb0ba954f19eb6646dac839a48	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\1be332d0 = 413258a709ac75b728b96e632f071a16be4ce8b503dc8b5a63570b3309afc0d50cedac3929	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\1be332d0 = 41324fa709ac40f3cb24455c2d040f86	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\2e7ce29e = f6f116898a49201764e26cfd73bb9ffc54d4e8a50ab7615ba2dbba7ffd008331dcdf98896b4871e38ecf2e43299bed92a5a26d8a34f4bd1ed336efb0e1661af87c12d2aa6da72f23be7b5614ea8e467d0460efa0cd39e4ac08ceba9fd7ec536c9a59079f4190bb6c5d629184b2e7241f74c9b9aaeadc60419f155f47e0c798ab18bd38f036b8dff86aecbbd0fb3ae95dfb27580b6997bf5f3f8f26ddb4a5eb7feb8d95b5b61eee64d5b202f546635b2eef04b981ebf610c513f4a08a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\51358d68 = b82e37024aadca5de9ff7656961ffde4f277b38ef64fbc9bc973fcd97b3837f96ecdbad9ee3eb8d68e15286055baac2c606930cf5a203795169f00b302c73d536407e0203f15e5da63d959ba81b72fda04faa36651dd1005b4ef44bdb95cd25acb222235526b8fa90cf7072f3261b069	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\96c085fb = a9303e7fb71ef18ac8a94052719f4df48b9068085c0e4cec83209cb09141031c42b727ece5bd87742bceeab053db98fc7c9f0acd73a53c499bbf47303056cfed458b0f9f5c52047dc08816efa40692a6b00202c5a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Ouypfyaew\64aa5d26 = b24cd8bb702f38fc46297ddf3ba00be64a12cb322af6ae2c3e8c58d9982720b9e3e866fe326fb6a9	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
2760	rundll32.exe
2760	rundll32.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe
4628	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2760 rundll32.exe
3056 regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4400 wrote to memory of 2760	4400	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 2760	4400	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 2760	4400	rundll32.exe	rundll32.exe
PID 2760 wrote to memory of 4628	2760	rundll32.exe	explorer.exe
PID 2760 wrote to memory of 4628	2760	rundll32.exe	explorer.exe
PID 2760 wrote to memory of 4628	2760	rundll32.exe	explorer.exe
PID 2760 wrote to memory of 4628	2760	rundll32.exe	explorer.exe
PID 2760 wrote to memory of 4628	2760	rundll32.exe	explorer.exe
PID 4628 wrote to memory of 812	4628	explorer.exe	schtasks.exe
PID 4628 wrote to memory of 812	4628	explorer.exe	schtasks.exe
PID 4628 wrote to memory of 812	4628	explorer.exe	schtasks.exe
PID 3216 wrote to memory of 3056	3216	regsvr32.exe	regsvr32.exe
PID 3216 wrote to memory of 3056	3216	regsvr32.exe	regsvr32.exe
PID 3216 wrote to memory of 3056	3216	regsvr32.exe	regsvr32.exe
PID 3056 wrote to memory of 1768	3056	regsvr32.exe	explorer.exe
PID 3056 wrote to memory of 1768	3056	regsvr32.exe	explorer.exe
PID 3056 wrote to memory of 1768	3056	regsvr32.exe	explorer.exe
PID 3056 wrote to memory of 1768	3056	regsvr32.exe	explorer.exe
PID 3056 wrote to memory of 1768	3056	regsvr32.exe	explorer.exe
PID 1768 wrote to memory of 1756	1768	explorer.exe	reg.exe
PID 1768 wrote to memory of 1756	1768	explorer.exe	reg.exe
PID 1768 wrote to memory of 4856	1768	explorer.exe	reg.exe
PID 1768 wrote to memory of 4856	1768	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gyelqakgjt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll\"" /SC ONCE /Z /ST 03:02 /ET 03:14
4⤵
- Creates scheduled task(s)
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 808
3⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2760 -ip 2760
1⤵
PID:4632

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Waapnh" /d "0"
4⤵
- Windows security bypass
PID:1756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Xpqoueoqnke" /d "0"
4⤵
- Windows security bypass
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll
Filesize
1.0MB

MD5
bc5cd9ba1b2f9df9617335a64ef4915f

SHA1
1630dd1cb577c44d3f9f28c06208f660c8d82aed

SHA256
1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e

SHA512
020798e77af15e8aafe1c69a115ebdfe51f3f4416d0a4ecb3a441f63c31d07a36f1b5d7d722db088f1508dc057b48e0d6284dcdc6efcddf464c75c83caa98dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e.dll
Filesize
1.0MB

MD5
bc5cd9ba1b2f9df9617335a64ef4915f

SHA1
1630dd1cb577c44d3f9f28c06208f660c8d82aed

SHA256
1b3fc9c250b8cf0e52c491376aaa6c1929c3b5e264d59ed77033ee0214bc3f9e

SHA512
020798e77af15e8aafe1c69a115ebdfe51f3f4416d0a4ecb3a441f63c31d07a36f1b5d7d722db088f1508dc057b48e0d6284dcdc6efcddf464c75c83caa98dec

Download Submit
memory/812-137-0x0000000000000000-mapping.dmp

Download
memory/1756-147-0x0000000000000000-mapping.dmp

Download
memory/1768-145-0x0000000000000000-mapping.dmp

Download
memory/1768-150-0x00000000007C0000-0x00000000007E2000-memory.dmp

Filesize
136KB

Download
memory/1768-149-0x00000000007C0000-0x00000000007E2000-memory.dmp

Filesize
136KB

Download
memory/2760-131-0x0000000004600000-0x0000000004622000-memory.dmp

Filesize
136KB

Download
memory/2760-132-0x00000000045A0000-0x00000000045D2000-memory.dmp

Filesize
200KB

Download
memory/2760-133-0x0000000004600000-0x0000000004622000-memory.dmp

Filesize
136KB

Download
memory/2760-136-0x0000000004600000-0x0000000004622000-memory.dmp

Filesize
136KB

Download
memory/2760-130-0x0000000000000000-mapping.dmp

Download
memory/3056-140-0x0000000000000000-mapping.dmp

Download
memory/3056-143-0x0000000002C90000-0x0000000002CC2000-memory.dmp

Filesize
200KB

Download
memory/3056-144-0x0000000002CF0000-0x0000000002D12000-memory.dmp

Filesize
136KB

Download
memory/3056-142-0x0000000002CF0000-0x0000000002D12000-memory.dmp

Filesize
136KB

Download
memory/3056-146-0x0000000002CF0000-0x0000000002D12000-memory.dmp

Filesize
136KB

Download
memory/4628-138-0x0000000000B10000-0x0000000000B32000-memory.dmp

Filesize
136KB

Download
memory/4628-135-0x0000000000B10000-0x0000000000B32000-memory.dmp

Filesize
136KB

Download
memory/4628-134-0x0000000000000000-mapping.dmp

Download
memory/4856-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads