qakbot | 81343a9be0c301685f76fa2185dc8b28c0e8aebdca6f23ba12a4412685e286f6

General

Target

50600999_420925.img
Size

2.6MB
MD5

5531d308f169eb4387f80202b68333a0
SHA1

bac447aa3281946bca9c501d8c18fcf2f5a1c0d1
SHA256

81343a9be0c301685f76fa2185dc8b28c0e8aebdca6f23ba12a4412685e286f6
SHA512

75ef718691db75eebc044590c499982acd1a83e9986eb0be15a951ed5ccc7401a58a5d7a146989977bb32180e4a2f0c44913b1adc54641e50a4bbb3d9b0e85ad

Score

10^/10

qakbot obama186 1654596660 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.694

Botnet

obama186

Campaign

1654596660

C2

67.165.206.193:993

63.143.92.99:995

74.14.5.179:2222

182.191.92.203:995

197.89.8.51:443

89.101.97.139:443

86.97.9.190:443

124.40.244.115:2222

80.11.74.81:2222

41.215.153.104:995

179.100.20.32:32101

31.35.28.29:443

202.134.152.2:2222

109.12.111.14:443

93.48.80.198:995

120.150.218.241:995

41.38.167.179:995

177.94.57.126:32101

173.174.216.62:443

1.161.101.20:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Rqbkqlurta = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Axwio = "0"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2324 rundll32.exe
1172 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5116 956 WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5048 schtasks.exe

pid	pid_target	process	target process
5116	956	WerFault.exe

pid	process
5048	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\22881d5 = 183f10cce4bc34c5ca3a8dd1d922b7711d4c60ac79e9b6f4e42224a665737b205f2facd40639c2719b7c1392d23da45c684268511b40904ca179fad2de86edc56b695d8e022a035f4867cb57bc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\b8d5c6cc = ebcaabc091de3fc8a414f9aef3645a1a9fa5145e6b0c6552908a3a3b144234eb98b1bcd4feaf4eac38eb253403552678d3b1bd90e1480105bc6587b9094db1f5d58213b82679a5a768c1655a4c26b33a67940ebce9e0c7f8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\4abf1e11 = 925912cdece84806305f5c94d23d092d2000a2cf26c2183795e23fa45d434124b5ea868de21f1415e6e6200028e4cfa708f424ce51d7f09d1a44d1188b7a1e0d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\35f671e7 = 2c63f2a8adfb70186d2f199e8ba94abf33efaed447fd0a2fbfa30ca3c576e6dc7014d1b3b70870628fb23f469e5809c6ee249750b5dcf13c0c5f709ccc3365c9e4a177	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\69a1a9 = 593196bee9d4c06443cd56589e64c02cfdfe17c79549b0e0796cbdc9063a30b6a7033a3b2ed7ff51ebbb718c6f2ad2d5e20bccb7d60002be942cb3cc58a1f3e64225925add47857f43be4ea18467f75bc0d3957ce5a3f0c4660df9ec8b791c0a639576c03a21f0727889cf50d40675	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\ba94e6b0 = 16f4acf33deec759bfec70b28a779e962042506e0ed37bf424e58f2b64de462aeeba402c79adee236b2d741060edc88296b58b68262e4043f9d46e41b4aa634a90f4185cf44dde54288efa25bf20	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\c79ca93a = 85039612eebf12dedff316fc0d4ef106cf8bc7ba07d734cad259cd13d1bdd9ac	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\7f20ce5f = 41cba79a86b833bd377a868188f2cb3360198774e26e7378853f0c5e66c42cfbbfb49f9a9226e2a40dc0097e6e7071387e9b0ba55823667ebef3f220fdcf16ad2603be1b8e7d7720f62ee3598af1ae36da38cda7ae6fcdfdb4c15d1b36a6a4235a58f6c437ed61ddb0222c59dbcf2f342e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bughxibz\35f671e7 = 2c63e5a8adfb45c99e49cedc6d728c82d8387931a9809a8a0b265247f23706ac89145ae6a5713627828b7da13121271e6f86a2c2ef023d530925507d15fd46e9dd75b3516745a78d2d96898878701a9548cfa5c6fefb8487	explorer.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exe

pid	process
2324	rundll32.exe
2324	rundll32.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2324 rundll32.exe
1172 regsvr32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

cmd.exe7zG.exe

description	pid	process
Token: SeManageVolumePrivilege	4596	cmd.exe
Token: SeManageVolumePrivilege	4596	cmd.exe
Token: SeRestorePrivilege	2532	7zG.exe
Token: 35	2532	7zG.exe
Token: SeSecurityPrivilege	2532	7zG.exe
Token: SeSecurityPrivilege	2532	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2532 7zG.exe

pid	process
2532	7zG.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2664 wrote to memory of 2324	2664	rundll32.exe	rundll32.exe
PID 2664 wrote to memory of 2324	2664	rundll32.exe	rundll32.exe
PID 2664 wrote to memory of 2324	2664	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	explorer.exe
PID 2324 wrote to memory of 2464	2324	rundll32.exe	explorer.exe
PID 2464 wrote to memory of 5048	2464	explorer.exe	schtasks.exe
PID 2464 wrote to memory of 5048	2464	explorer.exe	schtasks.exe
PID 2464 wrote to memory of 5048	2464	explorer.exe	schtasks.exe
PID 2752 wrote to memory of 1172	2752	regsvr32.exe	regsvr32.exe
PID 2752 wrote to memory of 1172	2752	regsvr32.exe	regsvr32.exe
PID 2752 wrote to memory of 1172	2752	regsvr32.exe	regsvr32.exe
PID 1172 wrote to memory of 712	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 712	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 712	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 712	1172	regsvr32.exe	explorer.exe
PID 1172 wrote to memory of 712	1172	regsvr32.exe	explorer.exe
PID 712 wrote to memory of 408	712	explorer.exe	reg.exe
PID 712 wrote to memory of 408	712	explorer.exe	reg.exe
PID 712 wrote to memory of 2620	712	explorer.exe	reg.exe
PID 712 wrote to memory of 2620	712	explorer.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\50600999_420925.img
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\50600999_420925\" -spe -an -ai#7zMap12315:110:7zEvent11240
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2532

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
1⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" 019338921.dll,DllInstall
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mpxtvtt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll\"" /SC ONCE /Z /ST 10:20 /ET 10:32
4⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 956 -ip 956
1⤵
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 956 -s 1764
1⤵
- Program crash
PID:5116

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Rqbkqlurta" /d "0"
4⤵
- Windows security bypass
PID:408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Axwio" /d "0"
4⤵
- Windows security bypass
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll
Filesize
1.4MB

MD5
889de0fcbdf800a0732d5909c5b16057

SHA1
925b2fa5fdd084651f84f3b3c4381b0a10ef3ad3

SHA256
f9d073248e84c44c6130c379cf845290b701dd9312e4114caf4b3a99f70e3e8e

SHA512
303911ea66cca532b57b5acd3565f13d3500760eda42bf90653154f482e7d640d0cd318c1f9fd97570dbe7b18cd533deee34b3d2416d4c588a9cabfe47d99777

Download Submit
C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll
Filesize
1.4MB

MD5
889de0fcbdf800a0732d5909c5b16057

SHA1
925b2fa5fdd084651f84f3b3c4381b0a10ef3ad3

SHA256
f9d073248e84c44c6130c379cf845290b701dd9312e4114caf4b3a99f70e3e8e

SHA512
303911ea66cca532b57b5acd3565f13d3500760eda42bf90653154f482e7d640d0cd318c1f9fd97570dbe7b18cd533deee34b3d2416d4c588a9cabfe47d99777

Download Submit
C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll
Filesize
1.4MB

MD5
889de0fcbdf800a0732d5909c5b16057

SHA1
925b2fa5fdd084651f84f3b3c4381b0a10ef3ad3

SHA256
f9d073248e84c44c6130c379cf845290b701dd9312e4114caf4b3a99f70e3e8e

SHA512
303911ea66cca532b57b5acd3565f13d3500760eda42bf90653154f482e7d640d0cd318c1f9fd97570dbe7b18cd533deee34b3d2416d4c588a9cabfe47d99777

Download Submit
C:\Users\Admin\AppData\Local\Temp\50600999_420925\019338921.dll
Filesize
1.4MB

MD5
889de0fcbdf800a0732d5909c5b16057

SHA1
925b2fa5fdd084651f84f3b3c4381b0a10ef3ad3

SHA256
f9d073248e84c44c6130c379cf845290b701dd9312e4114caf4b3a99f70e3e8e

SHA512
303911ea66cca532b57b5acd3565f13d3500760eda42bf90653154f482e7d640d0cd318c1f9fd97570dbe7b18cd533deee34b3d2416d4c588a9cabfe47d99777

Download Submit
memory/408-151-0x0000000000000000-mapping.dmp

Download
memory/712-154-0x0000000000C60000-0x0000000000C82000-memory.dmp

Filesize
136KB

Download
memory/712-153-0x0000000000C60000-0x0000000000C82000-memory.dmp

Filesize
136KB

Download
memory/712-149-0x0000000000000000-mapping.dmp

Download
memory/1172-150-0x0000000002B20000-0x0000000002B42000-memory.dmp

Filesize
136KB

Download
memory/1172-147-0x0000000001860000-0x000000000188D000-memory.dmp

Filesize
180KB

Download
memory/1172-146-0x0000000002B20000-0x0000000002B42000-memory.dmp

Filesize
136KB

Download
memory/1172-148-0x0000000002B20000-0x0000000002B42000-memory.dmp

Filesize
136KB

Download
memory/1172-144-0x0000000000000000-mapping.dmp

Download
memory/2324-137-0x0000000002AF0000-0x0000000002B12000-memory.dmp

Filesize
136KB

Download
memory/2324-139-0x0000000002AF0000-0x0000000002B12000-memory.dmp

Filesize
136KB

Download
memory/2324-136-0x0000000002AA0000-0x0000000002ACD000-memory.dmp

Filesize
180KB

Download
memory/2324-135-0x0000000002AF0000-0x0000000002B12000-memory.dmp

Filesize
136KB

Download
memory/2324-133-0x0000000000000000-mapping.dmp

Download
memory/2464-142-0x00000000012D0000-0x00000000012F2000-memory.dmp

Filesize
136KB

Download
memory/2464-141-0x00000000012D0000-0x00000000012F2000-memory.dmp

Filesize
136KB

Download
memory/2464-138-0x0000000000000000-mapping.dmp

Download
memory/2620-152-0x0000000000000000-mapping.dmp

Download
memory/5048-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads