qakbot | f96e231472ef73cfee0e574b7f3df122433bd372c41a1f1f28681f8861a48543

General

Target

knowSoDay.dll
Size

377KB
MD5

b03acd4fde7a62a021834d8e8cbaba51
SHA1

5f3bfba9cf1f0c697c6e5b48ccbc818cc9f806ee
SHA256

f96e231472ef73cfee0e574b7f3df122433bd372c41a1f1f28681f8861a48543
SHA512

3568caf606fb37f71d59065a9c1859825adfdc207891af1f3220dd52c6961513cb59f1d304d2d290e72d9783404ed5a639c673ecb17a0e0f58a6e01b1300ef5e

Score

10^/10

qakbot obama195 1656400725 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama195

Campaign

1656400725

C2

74.14.5.179:2222

104.34.212.7:32103

142.186.49.224:2222

93.48.80.198:995

94.59.15.180:2222

217.128.122.65:2222

45.241.173.232:993

24.43.99.75:443

89.101.97.139:443

70.46.220.114:443

32.221.224.140:995

67.209.195.198:443

37.34.253.233:443

80.11.74.81:2222

81.214.215.234:443

67.165.206.193:993

173.174.216.62:443

186.90.153.162:2222

148.64.96.100:443

176.205.23.138:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1192 regsvr32.exe

pid	process
1192	regsvr32.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1072 schtasks.exe

pid	process
1072	schtasks.exe

Modifies data under HKEY_USERS 12 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Deesevt	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\328f32e9 = 8c8d32294900e968800d4dc1bc55e14becaf4aef7c89ea5fa01882e2b862cbbed79b7bc683e0fc5429cc3974480677283abece9b7183f71b3a5df2b26b5a2ebe91f4fd64f78359fe49a7e2894580a3ef6d19b929ae3bdacae18d45393f7967510f616e515d0c772418	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\c2a4ca48 = 9751d61d7405c6a50efeb76bfbc9f9459a72badb2a81f2368e337a5e1eaab5969e34b55bd333050408d01553732e66fda58f50a1dcfaef70861dedeb15f0b80d288f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\f73b1a06 = a2390b096095ad884feacc8839f6637ab7ede2ec94ef6018eaf14ee5ae61a9190dd47c36d9c2d1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\30ce1295 = bd242fed12497e1fd523b3485735c8bbd95c737aec7350b267d5577f6b4796418652112c2f36a30c268b8eed79c37e65d1f12d5780c6114aee27a1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\bdeda5be = b921e0d0af032dd20f73d97c6bd55761497ecd8eb89a30a1ab42224fe7840695ef8839299d8f04416a3f7cc05305f0195a88307cda1678344cd6607a0f2c40d4e1a62638289a5832d5117e3278fa814135865faa300f7d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20cb13e1c38bd801	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\bdeda5be = b921f7d0af031ef5c3855d576500ac71120eb1fc0661aa03b7cbef420acc554e047b6ccca867789227c2abf5fcdd20fa5270ff83ce40e6294f4be04d0f6e239a17d7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\887275f0 = 1dac353a09dcc84b0822486329d15239cfd490407d3e67cc1c0516610acc97412654f76011dd2a9deda065a8924fd870d7ebbcc038f22481383cb4a6e0990acbe5873288a1170c8f427c65b90789c82f4a46c862ffce8b87e6ac97de92b42b416c0145693223fddf04f490d866fe428a18235bd31b7e427c2874b1ec81	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\8a33558c = d678cc4e90df56e40c3fe2c86444eb4eb85f64c884f0c0eff70923f06979be486db2cb21f7eafe6a5b5e4f1127ec124216b08d8356df8d231833642666c617826af2a67a7b20d98bff8ad9de1e3a5dcaf501aa09f35afce5bed958444c8ed778a0babbcf9fe925ae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Deesevt\4f877d63 = 199a8fa981bbc010463cea0a47250c2dab40498c520b02a085e4bd273b5a9e68d0	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exepowershell.exeregsvr32.exe

pid	process
1096	regsvr32.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1676	powershell.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1192	regsvr32.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1096 regsvr32.exe
1192 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1676 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exetaskeng.exepowershell.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1100 wrote to memory of 1096	1100	regsvr32.exe	regsvr32.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1096 wrote to memory of 1964	1096	regsvr32.exe	explorer.exe
PID 1964 wrote to memory of 1072	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1072	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1072	1964	explorer.exe	schtasks.exe
PID 1964 wrote to memory of 1072	1964	explorer.exe	schtasks.exe
PID 1080 wrote to memory of 1676	1080	taskeng.exe	powershell.exe
PID 1080 wrote to memory of 1676	1080	taskeng.exe	powershell.exe
PID 1080 wrote to memory of 1676	1080	taskeng.exe	powershell.exe
PID 1676 wrote to memory of 1540	1676	powershell.exe	regsvr32.exe
PID 1676 wrote to memory of 1540	1676	powershell.exe	regsvr32.exe
PID 1676 wrote to memory of 1540	1676	powershell.exe	regsvr32.exe
PID 1676 wrote to memory of 1540	1676	powershell.exe	regsvr32.exe
PID 1676 wrote to memory of 1540	1676	powershell.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1192	1540	regsvr32.exe	regsvr32.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe
PID 1192 wrote to memory of 1812	1192	regsvr32.exe	explorer.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\knowSoDay.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\knowSoDay.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 14:24 /tn ghhgiwwv /ET 14:35 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAawBuAG8AdwBTAG8ARABhAHkALgBkAGwAbAAiAA==" /SC ONCE
4⤵
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {1C101BB7-2481-4780-B1C7-3E20E3B00CA3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAawBuAG8AdwBTAG8ARABhAHkALgBkAGwAbAAiAA==
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\knowSoDay.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\regsvr32.exe
C:\Users\Admin\AppData\Local\Temp\knowSoDay.dll
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Modifies data under HKEY_USERS
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\knowSoDay.dll
Filesize
377KB

MD5
b03acd4fde7a62a021834d8e8cbaba51

SHA1
5f3bfba9cf1f0c697c6e5b48ccbc818cc9f806ee

SHA256
f96e231472ef73cfee0e574b7f3df122433bd372c41a1f1f28681f8861a48543

SHA512
3568caf606fb37f71d59065a9c1859825adfdc207891af1f3220dd52c6961513cb59f1d304d2d290e72d9783404ed5a639c673ecb17a0e0f58a6e01b1300ef5e

Download Submit
\Users\Admin\AppData\Local\Temp\knowSoDay.dll
Filesize
377KB

MD5
b03acd4fde7a62a021834d8e8cbaba51

SHA1
5f3bfba9cf1f0c697c6e5b48ccbc818cc9f806ee

SHA256
f96e231472ef73cfee0e574b7f3df122433bd372c41a1f1f28681f8861a48543

SHA512
3568caf606fb37f71d59065a9c1859825adfdc207891af1f3220dd52c6961513cb59f1d304d2d290e72d9783404ed5a639c673ecb17a0e0f58a6e01b1300ef5e

Download Submit
memory/1072-65-0x0000000000000000-mapping.dmp

Download
memory/1096-57-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/1096-59-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/1096-63-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/1096-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1096-55-0x0000000000000000-mapping.dmp

Download
memory/1100-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1192-85-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1192-81-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1192-79-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1192-76-0x0000000000000000-mapping.dmp

Download
memory/1540-71-0x0000000000000000-mapping.dmp

Download
memory/1676-69-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/1676-73-0x000000000119B000-0x00000000011BA000-memory.dmp

Filesize
124KB

Download
memory/1676-70-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download
memory/1676-72-0x0000000001194000-0x0000000001197000-memory.dmp

Filesize
12KB

Download
memory/1676-67-0x0000000000000000-mapping.dmp

Download
memory/1812-82-0x0000000000000000-mapping.dmp

Download
memory/1812-86-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1964-66-0x00000000000D0000-0x00000000000F2000-memory.dmp

Filesize
136KB

Download
memory/1964-64-0x00000000000D0000-0x00000000000F2000-memory.dmp

Filesize
136KB

Download
memory/1964-62-0x0000000074D01000-0x0000000074D03000-memory.dmp

Filesize
8KB

Download
memory/1964-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads