qakbot | 6796b5e2c3c0bc4a0d2fb883a9fe67308331eec3f094bac676dbeecb1dcb2698

General

Target

local.dll
Size

843KB
MD5

3bc34123feafc82ec82db6650b890763
SHA1

df2755125d32051b9beb38de38a9a960d2ae7b31
SHA256

1a1296b3063923647f59aedf3a12d8fccb700e4c5181c875b8622b7965cfb564
SHA512

518a7b443222c7119d66187ce09fdd80b2fba547f7be73b6448c412d2536499181105b5641bed9f65b505e783454f0d8f691ece0ddc0ceac2c3f515220105152

Score

10^/10

qakbot obama187 1654695312 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama187

Campaign

1654695312

C2

197.164.182.46:993

70.51.135.90:2222

187.251.132.144:22

37.186.54.254:995

80.11.74.81:2222

41.84.236.245:995

24.139.72.117:443

177.94.57.126:32101

37.34.253.233:443

186.90.153.162:2222

32.221.224.140:995

208.107.221.224:443

67.165.206.193:993

63.143.92.99:995

88.232.220.207:443

189.78.107.163:32101

74.14.5.179:2222

148.0.56.63:443

40.134.246.185:995

173.21.10.71:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Pmfab = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Qsartpimkn = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1504 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe

pid	process
1504	regsvr32.exe

pid	process
1696	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\b004f0bb = bb9afda547bbacd19bb545113947b8b08a52f7a1a4839da8d826d71a7e8d9dce6ad0fa201b18bc6106d30c91997255ce461a3d276a4d427e5193e977447a96ed510029d2f1974201f0ef2f4363a80702934d3f254b0929ebd053a07b44cd382077ee4160	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\cd0cbf31 = 9328b3fe68144d7e7cd4437850fe52a34589f0d5b99d685638ef9879261bce85cf00fac78d5d2c9c8ed5bb09f65abf2c7bf06b50686ccff282afd40db871ff7950c96372a8bcb03bbbd5a9	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\75b0d854 = 388a061575f98f521e3cfca9f3107b75da1ac7d6bf6d5440ee89408073b26901c160715876c86758a78925f8410ff454d53a33fa532eff61e3a1022e9a7a1b32b6060b5b74	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\3f6667ec = 10bc3a66a7f3af8facb6e3d7dffe85961e5890a7eef4937d5ed08d90bb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\8b897de = 7745b9a03999acb1698815012a749c31db55c7ae13849d124a9713869597cda64b60af8b51e532ec3e4dca29ed514c89610ffb52c5a2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\3f6667ec = 10bc2d66a7f39ae4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\af9b7a2 = 70dd6a565f65c508103f3b92bb3d9e131b5b36e3f38f800b9b075253b27a39aa677666fe70bb63759743749d471677b619fbd75ba73be72306eb3e04de8c1d8c2e5f1a81c985cbc07f5d0f749c69c977d5bd9c772b6237ebb3090da4e45d2c74aff4e595587e4bf91b11ad5454b94e2777d6d14d026dd0e9ecfa0cc014c225cbce24675e9a742e74fbf17000c292931ecc58182c42aa1bfafdc135059376e73a83503516896ee326b9e2da2228d044c8fe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\b245d0c7 = 7cebfd7722fa249f191654a0977d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Leftoietpvau\402f081a = 37238d494eb1b6fb48458622b5d1b8b641e460c430179d4b22a2715d64c930f3813806640498c7573ac843	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Leftoietpvau	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
1968	rundll32.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1968 rundll32.exe
1504 regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 600 wrote to memory of 1968	600	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1968 wrote to memory of 1128	1968	rundll32.exe	explorer.exe
PID 1128 wrote to memory of 1696	1128	explorer.exe	schtasks.exe
PID 1128 wrote to memory of 1696	1128	explorer.exe	schtasks.exe
PID 1128 wrote to memory of 1696	1128	explorer.exe	schtasks.exe
PID 1128 wrote to memory of 1696	1128	explorer.exe	schtasks.exe
PID 1324 wrote to memory of 1116	1324	taskeng.exe	regsvr32.exe
PID 1324 wrote to memory of 1116	1324	taskeng.exe	regsvr32.exe
PID 1324 wrote to memory of 1116	1324	taskeng.exe	regsvr32.exe
PID 1324 wrote to memory of 1116	1324	taskeng.exe	regsvr32.exe
PID 1324 wrote to memory of 1116	1324	taskeng.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 1504	1116	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1504 wrote to memory of 1512	1504	regsvr32.exe	explorer.exe
PID 1512 wrote to memory of 1508	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 1508	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 1508	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 1508	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 380	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 380	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 380	1512	explorer.exe	reg.exe
PID 1512 wrote to memory of 380	1512	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\local.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hvfhrtxjvx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\local.dll\"" /SC ONCE /Z /ST 15:49 /ET 16:01
4⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\taskeng.exe
taskeng.exe {151789F2-3B0D-4B03-9C3F-2C6CFE0C2854} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\local.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\local.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Pmfab" /d "0"
5⤵
- Windows security bypass
PID:1508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qsartpimkn" /d "0"
5⤵
- Windows security bypass
PID:380

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
3bc34123feafc82ec82db6650b890763

SHA1
df2755125d32051b9beb38de38a9a960d2ae7b31

SHA256
1a1296b3063923647f59aedf3a12d8fccb700e4c5181c875b8622b7965cfb564

SHA512
518a7b443222c7119d66187ce09fdd80b2fba547f7be73b6448c412d2536499181105b5641bed9f65b505e783454f0d8f691ece0ddc0ceac2c3f515220105152

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\local.dll
Filesize
843KB

MD5
3bc34123feafc82ec82db6650b890763

SHA1
df2755125d32051b9beb38de38a9a960d2ae7b31

SHA256
1a1296b3063923647f59aedf3a12d8fccb700e4c5181c875b8622b7965cfb564

SHA512
518a7b443222c7119d66187ce09fdd80b2fba547f7be73b6448c412d2536499181105b5641bed9f65b505e783454f0d8f691ece0ddc0ceac2c3f515220105152

Download Submit
memory/380-88-0x0000000000000000-mapping.dmp

Download
memory/1116-69-0x0000000000000000-mapping.dmp

Download
memory/1116-70-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1128-62-0x0000000000000000-mapping.dmp

Download
memory/1128-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1128-68-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1128-64-0x00000000745C1000-0x00000000745C3000-memory.dmp

Filesize
8KB

Download
memory/1504-75-0x00000000009F0000-0x0000000000AC7000-memory.dmp

Filesize
860KB

Download
memory/1504-79-0x0000000000AD0000-0x0000000000B02000-memory.dmp

Filesize
200KB

Download
memory/1504-85-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1504-72-0x0000000000000000-mapping.dmp

Download
memory/1504-80-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1504-76-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1504-78-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1504-77-0x0000000000340000-0x0000000000362000-memory.dmp

Filesize
136KB

Download
memory/1508-86-0x0000000000000000-mapping.dmp

Download
memory/1512-89-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1512-87-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1512-81-0x0000000000000000-mapping.dmp

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1968-58-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1968-61-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1968-57-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1968-56-0x0000000000910000-0x00000000009E7000-memory.dmp

Filesize
860KB

Download
memory/1968-65-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1968-59-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1968-60-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/1968-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads