qakbot | 18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

Resubmissions

31-10-2023 16:23

231031-tvvw9sba41 10

25-10-2023 22:14

231025-15mf7sha9z 10

Analysis

max time kernel
39s
max time network
18s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

old_unpacked_qbot.dll
Size

120KB
MD5

35927b301d9cd6c33a927b97dccf6266
SHA1

1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da
SHA256

18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7
SHA512

0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b
SSDEEP

1536:DCEh82pWrjickOZol59ZJkCZuH6cYTUk8JrNZmwmIOvnToIfwsbuYkR:WH5r+ckl57J4HpYTaJBZfE/TBfwkuYk

Score

10^/10

qakbot obama125 1636625439 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama125

Campaign

1636625439

117.198.155.237:443

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.72.121:995

216.238.71.31:995

216.238.72.121:443

105.198.236.99:995

136.232.34.70:443

41.37.243.129:443

140.82.49.12:443

71.13.93.154:2222

96.246.158.154:995

102.65.38.57:443

71.13.93.154:6881

123.252.190.14:443

45.9.20.200:2211

136.143.11.232:443

103.143.8.71:995

103.142.10.177:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2096 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

2024 regsvr32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2024 regsvr32.exe

pid	process
2096	schtasks.exe

pid	process
2024	regsvr32.exe

pid	process
2024	regsvr32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 2024	1956	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 2024 wrote to memory of 280	2024	regsvr32.exe	explorer.exe
PID 280 wrote to memory of 2096	280	explorer.exe	schtasks.exe
PID 280 wrote to memory of 2096	280	explorer.exe	schtasks.exe
PID 280 wrote to memory of 2096	280	explorer.exe	schtasks.exe
PID 280 wrote to memory of 2096	280	explorer.exe	schtasks.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qkrunxexxa /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll\"" /SC ONCE /Z /ST 22:16 /ET 22:28
4⤵
- Creates scheduled task(s)
PID:2096

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-0-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/280-2-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/280-5-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/280-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/280-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/280-9-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads