qakbot | 9c3d3cd9b0fcb39117692600a7296b68dddf2995c6d302bc9d9c8b786780ba19

General

Target

qakbot_loader.dll
Size

1.0MB
MD5

433893e5a6e12aed9ec0400812690147
SHA1

4b4ca66c1818d2e5ff9f4ea2afb136af2bd96564
SHA256

9c3d3cd9b0fcb39117692600a7296b68dddf2995c6d302bc9d9c8b786780ba19
SHA512

3782c98a4ee96566b19577e586177f0d637e44c55a9072113035980cbbe02e524f9c7c6c8e5d06ee05a6e3f0875c6f8800ac120f02dd596c2d8f43ca9c7da435
SSDEEP

12288:PhelIk3mnXCDHlvxIDmgiSbqtAghJwznk9x5n52oyPzm0PosefMyvgulSMyvguln:8KkMilvxqm2G2W92/zJPXy5Hy579

Score

10^/10

qakbot obama189 1655107308 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.688

Botnet

obama189

Campaign

1655107308

C2

91.177.173.10:995

117.248.109.38:21

182.191.92.203:995

39.52.38.164:995

217.165.84.253:993

84.241.8.23:32103

82.152.39.39:443

202.134.152.2:2222

122.118.131.132:995

120.150.218.241:995

222.169.71.98:2222

37.34.253.233:443

93.48.80.198:995

148.0.55.173:443

175.145.235.37:443

41.130.140.32:993

120.61.0.71:443

89.101.97.139:443

62.204.41.187:443

62.204.41.187:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Kzwnpnri = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Dtoagqalo = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1580 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

592 schtasks.exe

pid	process
1580	regsvr32.exe

pid	process
592	schtasks.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\e50eceae = 5796d176a7bbf3a50ac2a3df46446aacc63649011a82554dad3115d98d6faafb98b7241804f0fb99f9c4677ba3e5a3bd61d9b0c1c58e9ac346591e2f333f825f38cd8ff07e3ec6b2a3bba09f35e586571ba537027b5e9576c8f7cad1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\98068124 = e3cfe4473c4336264619a9342c550710f6bf2faac983b74218b436d250497742753bdce5383bdc5ed6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\20bae641 = 67fcd405296e6ef42cc5f5b9f51b06b544ae6d2c7e2fe2c5aeb52cde29600901ee083949d28110080c797d63023632f15029dfa395f7dc	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\6a6c59f9 = ba60a6efa71130c2e4767c7230d166c6b115414e6631d7af5e1a568bf8d6bc86b7e4e7e6ec69e8d91c900bdb2194d69c2c4a7a4e7ead1d0c8906	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\5ff389b7 = a604b2acf59687f8e4db69f982c0c0e8e2c2edda05b278a6ccacb401950ade12a19eda0c74b021ecd88f77b86254831ab91db9050a90e8f1385c62147a07e292dbed5ae8f299a2ab354201f8978758ece739d7bc64f21c7c1e003a02e299552f46990ebb1b64fac66e67637b32387000580a698f0bfadcf7699132dd05c4ae56a22af3c44f7b84a3380b12c27607cbcc9d397aa4e332086a6c42609ca591980e1db26f5274d4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Tyjoljx\5db2a9cb = ba44dafc8cce158bf10ea79661207a3ecbda0bb0744ee8e66afb19046b80c15c2e299c3bbeb109aa1cae8bbbee87d018a6d09eaa9b2ae04bef3920eb2f67b206e1a249d79fd3c8ae617f9cfb531cbd6f2c27353b906b59ab445a1df7b8976b5c4624bb34bac545ffc72b87	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeexplorer.exeregsvr32.exe

pid	process
1564	rundll32.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
1580	regsvr32.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe
896	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1564 rundll32.exe
1580 regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1564	1536	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 1564 wrote to memory of 896	1564	rundll32.exe	explorer.exe
PID 896 wrote to memory of 592	896	explorer.exe	schtasks.exe
PID 896 wrote to memory of 592	896	explorer.exe	schtasks.exe
PID 896 wrote to memory of 592	896	explorer.exe	schtasks.exe
PID 896 wrote to memory of 592	896	explorer.exe	schtasks.exe
PID 1368 wrote to memory of 836	1368	taskeng.exe	regsvr32.exe
PID 1368 wrote to memory of 836	1368	taskeng.exe	regsvr32.exe
PID 1368 wrote to memory of 836	1368	taskeng.exe	regsvr32.exe
PID 1368 wrote to memory of 836	1368	taskeng.exe	regsvr32.exe
PID 1368 wrote to memory of 836	1368	taskeng.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 1580	836	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1580 wrote to memory of 1320	1580	regsvr32.exe	explorer.exe
PID 1320 wrote to memory of 2008	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 2008	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 2008	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 2008	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 1976	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 1976	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 1976	1320	explorer.exe	reg.exe
PID 1320 wrote to memory of 1976	1320	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn frgpmxu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll\"" /SC ONCE /Z /ST 14:27 /ET 14:39
4⤵
- Creates scheduled task(s)
PID:592

C:\Windows\system32\taskeng.exe
taskeng.exe {E7625356-1608-4C35-84DD-A75937E9A76F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Kzwnpnri" /d "0"
5⤵
- Windows security bypass
PID:2008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Dtoagqalo" /d "0"
5⤵
- Windows security bypass
PID:1976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qakbot_loader.dll
Filesize
1.0MB

MD5
433893e5a6e12aed9ec0400812690147

SHA1
4b4ca66c1818d2e5ff9f4ea2afb136af2bd96564

SHA256
9c3d3cd9b0fcb39117692600a7296b68dddf2995c6d302bc9d9c8b786780ba19

SHA512
3782c98a4ee96566b19577e586177f0d637e44c55a9072113035980cbbe02e524f9c7c6c8e5d06ee05a6e3f0875c6f8800ac120f02dd596c2d8f43ca9c7da435

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\qakbot_loader.dll
Filesize
1.0MB

MD5
433893e5a6e12aed9ec0400812690147

SHA1
4b4ca66c1818d2e5ff9f4ea2afb136af2bd96564

SHA256
9c3d3cd9b0fcb39117692600a7296b68dddf2995c6d302bc9d9c8b786780ba19

SHA512
3782c98a4ee96566b19577e586177f0d637e44c55a9072113035980cbbe02e524f9c7c6c8e5d06ee05a6e3f0875c6f8800ac120f02dd596c2d8f43ca9c7da435

Download Submit
memory/592-67-0x0000000000000000-mapping.dmp

Download
memory/836-70-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download
memory/836-69-0x0000000000000000-mapping.dmp

Download
memory/896-62-0x0000000000000000-mapping.dmp

Download
memory/896-64-0x0000000074681000-0x0000000074683000-memory.dmp

Filesize
8KB

Download
memory/896-68-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/896-66-0x0000000000080000-0x00000000000A2000-memory.dmp

Filesize
136KB

Download
memory/1320-87-0x00000000000C0000-0x00000000000E2000-memory.dmp

Filesize
136KB

Download
memory/1320-81-0x0000000000000000-mapping.dmp

Download
memory/1564-61-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/1564-57-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/1564-54-0x0000000000000000-mapping.dmp

Download
memory/1564-60-0x0000000000900000-0x0000000000932000-memory.dmp

Filesize
200KB

Download
memory/1564-59-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/1564-65-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/1564-58-0x0000000000960000-0x0000000000982000-memory.dmp

Filesize
136KB

Download
memory/1564-55-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1564-56-0x0000000000770000-0x000000000087C000-memory.dmp

Filesize
1.0MB

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1580-77-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1580-79-0x00000000006B0000-0x00000000006E2000-memory.dmp

Filesize
200KB

Download
memory/1580-80-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1580-78-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1580-76-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1580-85-0x00000000006F0000-0x0000000000712000-memory.dmp

Filesize
136KB

Download
memory/1580-75-0x0000000000A60000-0x0000000000B6C000-memory.dmp

Filesize
1.0MB

Download
memory/1976-88-0x0000000000000000-mapping.dmp

Download
memory/2008-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads