qakbot | 6796b5e2c3c0bc4a0d2fb883a9fe67308331eec3f094bac676dbeecb1dcb2698

General

Target

ScannedDocuments_0289716.lnk
Size

1KB
MD5

f7581541da8f50b6e5c80d2ff42ee57b
SHA1

ea8d8e5b84fb388520e3ac422a222e39f6a21420
SHA256

8c1771c049cf36eecc7a37f207536a1a5fc2ca074c26e8c8c4e9dc167b8b3415
SHA512

ad87452fe5a2f808ebf2873cf8aa173a39fa1adc0d4294fbe8658a191177c0633cf55f07f7afc446f72073d412bc261611ae25150b01bab6487138a0ded084ba

Score

10^/10

qakbot obama187 1654695312 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama187

Campaign

1654695312

C2

197.164.182.46:993

70.51.135.90:2222

187.251.132.144:22

37.186.54.254:995

80.11.74.81:2222

41.84.236.245:995

24.139.72.117:443

177.94.57.126:32101

37.34.253.233:443

186.90.153.162:2222

32.221.224.140:995

208.107.221.224:443

67.165.206.193:993

63.143.92.99:995

88.232.220.207:443

189.78.107.163:32101

74.14.5.179:2222

148.0.56.63:443

40.134.246.185:995

173.21.10.71:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Pelkvwejhn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Iyamgweemys = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4948 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3436 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4948	regsvr32.exe

pid	process
3436	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\edb1b0fc = 550f7ee57f70ee3dc6723a5197577bbf91412aea873ccd84bdc00c53a49d6dd56f761234a1aa4c3d5e4989c73cab4295006eb57f50bbee6c25475d49634000d4dd225115da3954c39913d11112a0bde75d7faeb5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\609207d7 = 8ae242931bae13f46e51f5bc49004b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\1fdb6821 = 6f3fc00d8498b17ca15b72c5aba2fef7672e0456b72b73f8549af153b1190a46e46c5766fb81c8129af3fb76b0bc14f728d4a5db1f21f5e99d93b04d43a15c6b8bddbd7408b3c84c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\28059813 = 68ba847e5fc24861d1780b875db2811d59bfe7efaed373282a9873e39bdecd4a2aedc4244be595053e3c482eee075b10e3d8038870c7568b1224666f35905e2969c1093460a5e88b335b9ca7e50a30bcbbf71f894be30ab52a479044aa6afa42	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\1fdb6821 = 6f3fd70d8498840d39d5d320966ea3a065d600bb4ffad984837e68b9322d26af95da8748cc575706ffe7cbcfda29e6866c2d0c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\2a44b86f = 1e3ff6c3cdb753f3648c1257050e8dd87ce2e8585b7c6739c9eec50b77a6890a873c3f51f69d4c1cf153fd5ca2a347e32cc53715ef18762fe4e37ceca258d3fcee205f432ba3f9d56e8bb12c3b26622f31524ec66e0d1029dedb726dba63200d6bd7536c25785f153393a1834f7f638220586e098a3943d377e5720e57934d944d09d9c4174667de983ff53b49bc223b75a15b2004233512451383a8766ac41b8679ea1b82d331bbaf35b0070f9895e8ee6cf9783a608c6a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\90b9ff76 = 670856fbc7e03270686f9e84f72ddfd601bce91ba633aa167ccc45c41121e6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\550dd799 = ac040971e162093cf710c936c76186db2815e2d7ef3617a1e98efc54ede5b68953de85a805a9b87eafc7296b2ba512	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj\92f8df0a = 39ba1a71968d330491e2d530b4be847ba723519fa14b2d4439b233834e5bb34edf6203783e6faf0546e03e893f6d638a07280ba3495d8fb0b312833605d3d27d5ab058c319084eec4e812fa8184f97ff87935501a8af5716d9bb541b306a9763de6dfc02f6fe0a9fe85a48733d33	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Vaprnrpyj	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
2024	rundll32.exe
2024	rundll32.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe
4228	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2024 rundll32.exe
4948 regsvr32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cmd.exerundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 3996 wrote to memory of 4128	3996	cmd.exe	rundll32.exe
PID 3996 wrote to memory of 4128	3996	cmd.exe	rundll32.exe
PID 4128 wrote to memory of 2024	4128	rundll32.exe	rundll32.exe
PID 4128 wrote to memory of 2024	4128	rundll32.exe	rundll32.exe
PID 4128 wrote to memory of 2024	4128	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 4228	2024	rundll32.exe	explorer.exe
PID 2024 wrote to memory of 4228	2024	rundll32.exe	explorer.exe
PID 2024 wrote to memory of 4228	2024	rundll32.exe	explorer.exe
PID 2024 wrote to memory of 4228	2024	rundll32.exe	explorer.exe
PID 2024 wrote to memory of 4228	2024	rundll32.exe	explorer.exe
PID 4228 wrote to memory of 3436	4228	explorer.exe	schtasks.exe
PID 4228 wrote to memory of 3436	4228	explorer.exe	schtasks.exe
PID 4228 wrote to memory of 3436	4228	explorer.exe	schtasks.exe
PID 3344 wrote to memory of 4948	3344	regsvr32.exe	regsvr32.exe
PID 3344 wrote to memory of 4948	3344	regsvr32.exe	regsvr32.exe
PID 3344 wrote to memory of 4948	3344	regsvr32.exe	regsvr32.exe
PID 4948 wrote to memory of 4340	4948	regsvr32.exe	explorer.exe
PID 4948 wrote to memory of 4340	4948	regsvr32.exe	explorer.exe
PID 4948 wrote to memory of 4340	4948	regsvr32.exe	explorer.exe
PID 4948 wrote to memory of 4340	4948	regsvr32.exe	explorer.exe
PID 4948 wrote to memory of 4340	4948	regsvr32.exe	explorer.exe
PID 4340 wrote to memory of 2604	4340	explorer.exe	reg.exe
PID 4340 wrote to memory of 2604	4340	explorer.exe	reg.exe
PID 4340 wrote to memory of 1308	4340	explorer.exe	reg.exe
PID 4340 wrote to memory of 1308	4340	explorer.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ScannedDocuments_0289716.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" local.dll,DllInstall
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" local.dll,DllInstall
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sxxloxgxxw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\local.dll\"" /SC ONCE /Z /ST 15:49 /ET 16:01
        5⤵
        Creates scheduled task(s)
        
        PID:3436

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\local.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\local.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Pelkvwejhn" /d "0"
      4⤵
      Windows security bypass
      PID:2604
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Iyamgweemys" /d "0"
      4⤵
      Windows security bypass
      PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\local.dll

Filesize
843KB

MD5
3bc34123feafc82ec82db6650b890763

SHA1
df2755125d32051b9beb38de38a9a960d2ae7b31

SHA256
1a1296b3063923647f59aedf3a12d8fccb700e4c5181c875b8622b7965cfb564

SHA512
518a7b443222c7119d66187ce09fdd80b2fba547f7be73b6448c412d2536499181105b5641bed9f65b505e783454f0d8f691ece0ddc0ceac2c3f515220105152

Download Submit
C:\Users\Admin\AppData\Local\Temp\local.dll

Filesize
843KB

MD5
3bc34123feafc82ec82db6650b890763

SHA1
df2755125d32051b9beb38de38a9a960d2ae7b31

SHA256
1a1296b3063923647f59aedf3a12d8fccb700e4c5181c875b8622b7965cfb564

SHA512
518a7b443222c7119d66187ce09fdd80b2fba547f7be73b6448c412d2536499181105b5641bed9f65b505e783454f0d8f691ece0ddc0ceac2c3f515220105152

Download Submit
memory/1308-150-0x0000000000000000-mapping.dmp

Download
memory/2024-131-0x0000000000000000-mapping.dmp

Download
memory/2024-132-0x0000000002120000-0x00000000021F7000-memory.dmp

Filesize
860KB

Download
memory/2024-133-0x0000000003F10000-0x0000000003F32000-memory.dmp

Filesize
136KB

Download
memory/2024-134-0x0000000003EB0000-0x0000000003EE2000-memory.dmp

Filesize
200KB

Download
memory/2024-135-0x0000000003F10000-0x0000000003F32000-memory.dmp

Filesize
136KB

Download
memory/2024-137-0x0000000003F10000-0x0000000003F32000-memory.dmp

Filesize
136KB

Download
memory/2604-149-0x0000000000000000-mapping.dmp

Download
memory/3436-139-0x0000000000000000-mapping.dmp

Download
memory/4128-130-0x0000000000000000-mapping.dmp

Download
memory/4228-140-0x0000000001300000-0x0000000001322000-memory.dmp

Filesize
136KB

Download
memory/4228-138-0x0000000001300000-0x0000000001322000-memory.dmp

Filesize
136KB

Download
memory/4228-136-0x0000000000000000-mapping.dmp

Download
memory/4340-147-0x0000000000000000-mapping.dmp

Download
memory/4340-151-0x00000000012E0000-0x0000000001302000-memory.dmp

Filesize
136KB

Download
memory/4340-152-0x00000000012E0000-0x0000000001302000-memory.dmp

Filesize
136KB

Download
memory/4948-142-0x0000000000000000-mapping.dmp

Download
memory/4948-144-0x0000000003020000-0x0000000003042000-memory.dmp

Filesize
136KB

Download
memory/4948-145-0x0000000002FC0000-0x0000000002FF2000-memory.dmp

Filesize
200KB

Download
memory/4948-146-0x0000000003020000-0x0000000003042000-memory.dmp

Filesize
136KB

Download
memory/4948-148-0x0000000003020000-0x0000000003042000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads