Overview

overview

10

Static

static

QBot/102755.dll

windows10_x64

10

QBot/TXRTN...70.lnk

windows10_x64

3

QBot/Windo...cs.dll

windows10_x64

1

QBot/calc.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    12-07-2022 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QBot/calc.exe

  • Size

    758KB

  • MD5

    60b7c0fead45f2066e5b805a91f4f0fc

  • SHA1

    9018a7d6cdbe859a430e8794e73381f77c840be0

  • SHA256

    80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

  • SHA512

    68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Score
10/10
qakbotobama2001657548298bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

obama200

Campaign

1657548298

C2

172.115.177.204:2222

89.101.97.139:443

186.90.153.162:2222

38.70.253.226:2222

120.150.218.241:995

72.252.157.93:995

72.252.157.93:993

94.36.193.176:2222

47.23.89.60:993

89.211.209.234:2222

76.25.142.196:443

46.100.25.239:61202

24.158.23.166:995

69.14.172.24:443

92.132.132.81:2222

37.34.253.233:443

93.48.80.198:995

174.80.15.101:2083

24.178.196.158:2222

197.89.20.137:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QBot\calc.exe
    "C:\Users\Admin\AppData\Local\Temp\QBot\calc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SysWOW64\regsvr32.exe 102755.dll
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 15:14 /tn gtesdvb /ET 15:25 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAUQBCAG8AdABcADEAMAAyADcANQA1AC4AZABsAGwAIgA=" /SC ONCE
          4⤵
          • Creates scheduled task(s)
          PID:4656
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAUQBCAG8AdABcADEAMAAyADcANQA1AC4AZABsAGwAIgA=
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\QBot\102755.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\QBot\102755.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QBot\102755.dll
    Filesize

    686KB

    MD5

    eadf90733e12275a34e5f63548c79837

    SHA1

    dd267a5237bf39afc4cccaaa34d6869be22f3ec8

    SHA256

    019990dfdd8cc4aa751ba4ee0ffefc7f10fdd899ef2a75ef250c8b8f1b46a34d

    SHA512

    7cdeb363e83b9a82c7f9bad3f67ace3864a28b46d9219e4b2dd09ce864360c48d9222317932100b882b63db29d3ec094b4d2b0d5865e5a26d32cb6f9e97bfc8a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\QBot\102755.dll
    Filesize

    686KB

    MD5

    eadf90733e12275a34e5f63548c79837

    SHA1

    dd267a5237bf39afc4cccaaa34d6869be22f3ec8

    SHA256

    019990dfdd8cc4aa751ba4ee0ffefc7f10fdd899ef2a75ef250c8b8f1b46a34d

    SHA512

    7cdeb363e83b9a82c7f9bad3f67ace3864a28b46d9219e4b2dd09ce864360c48d9222317932100b882b63db29d3ec094b4d2b0d5865e5a26d32cb6f9e97bfc8a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\QBot\102755.dll
    Filesize

    686KB

    MD5

    eadf90733e12275a34e5f63548c79837

    SHA1

    dd267a5237bf39afc4cccaaa34d6869be22f3ec8

    SHA256

    019990dfdd8cc4aa751ba4ee0ffefc7f10fdd899ef2a75ef250c8b8f1b46a34d

    SHA512

    7cdeb363e83b9a82c7f9bad3f67ace3864a28b46d9219e4b2dd09ce864360c48d9222317932100b882b63db29d3ec094b4d2b0d5865e5a26d32cb6f9e97bfc8a

    Download Submit
  • memory/2012-143-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-126-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-122-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-123-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-124-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-125-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-145-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-127-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-128-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-129-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-130-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-146-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-132-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-133-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-134-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-135-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-136-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-137-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-138-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-139-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-144-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-142-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-141-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-120-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-140-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-121-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-131-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-147-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-148-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-149-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-150-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-151-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-152-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-153-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-154-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-155-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-118-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-119-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2012-117-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2764-312-0x0000027632270000-0x00000276322E6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2764-309-0x0000027631DB0000-0x0000027631DD2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3164-433-0x00000000031B0000-0x00000000031D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3164-374-0x00000000031B0000-0x00000000031D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3164-373-0x0000000003140000-0x000000000317F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3164-318-0x0000000000000000-mapping.dmp
    Download
  • memory/4044-315-0x0000000000000000-mapping.dmp
    Download
  • memory/4152-444-0x0000000000450000-0x0000000000472000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4152-434-0x0000000000450000-0x0000000000472000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4152-375-0x0000000000000000-mapping.dmp
    Download
  • memory/4520-156-0x0000000000000000-mapping.dmp
    Download
  • memory/4520-213-0x0000000004910000-0x0000000004932000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4520-168-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-169-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-170-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-171-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-172-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-173-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-174-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-175-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-176-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-177-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-178-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-179-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-180-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-181-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-212-0x00000000048B0000-0x00000000048EF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4520-167-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-274-0x0000000004910000-0x0000000004932000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4520-157-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-165-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-166-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-164-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-163-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-162-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-161-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-160-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-159-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-158-0x0000000077E20000-0x0000000077FAE000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4656-277-0x0000000000000000-mapping.dmp
    Download
  • memory/4896-214-0x0000000000000000-mapping.dmp
    Download
  • memory/4896-269-0x0000000000130000-0x0000000000152000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4896-304-0x0000000000130000-0x0000000000152000-memory.dmp
    Filesize

    136KB

    Download