qakbot | 18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

General

Target

old_unpacked_qbot.dll
Size

120KB
MD5

35927b301d9cd6c33a927b97dccf6266
SHA1

1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da
SHA256

18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7
SHA512

0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b
SSDEEP

1536:DCEh82pWrjickOZol59ZJkCZuH6cYTUk8JrNZmwmIOvnToIfwsbuYkR:WH5r+ckl57J4HpYTaJBZfE/TBfwkuYk

Score

10^/10

qakbot obama125 1636625439 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama125

Campaign

1636625439

C2

117.198.155.237:443

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.72.121:995

216.238.71.31:995

216.238.72.121:443

105.198.236.99:995

136.232.34.70:443

41.37.243.129:443

140.82.49.12:443

71.13.93.154:2222

96.246.158.154:995

102.65.38.57:443

71.13.93.154:6881

123.252.190.14:443

45.9.20.200:2211

136.143.11.232:443

103.143.8.71:995

103.142.10.177:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ousyufhfuqx = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Vcobs = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2992	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
3768	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\22d98f74 = 925ca8d6bdb89684e1f89ef409cc15132e7a0d5d8b671f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\17465f3a = c64fd870c143550ac722289a0312001826b28e981ed6b8554cdf2d65ca332aa6188b448866f1f94934441954f9cec13f3e981ce49dab1352b820ef020cb20551dd4e686969a05595483378e679e7e268656a15b3fd79405fc240e28bbbda7598be282cad962bf1391ef68e3f27e2a8633277384770d5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\affa385f = 0a189c55f8927ddc1dfdb4d52a3c433e320635b935	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\5d90e082 = 85c7ff860ba8a707c6797adc71c43bbf156dbbf5389cbe926aa0fd5514150943864f7d920aab65127aef7a7c337ef045833e191e5463284785539d88a7dbfc2f785316d010491e73982cd0d40001eec72dfd982f44c013c7	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\15077f46 = 66b8984dbb48ccb53254e747f64fd01736ee8abdd5cec03055e870f1bf270af510fb6209b9f0e2049a578cc932bc22b46b0224d69a6910689f40f7fe3c08719449af1d1d5f6a6eae54158334584f6ed15137b7c68c40cfc63a4caa9a38fc89d89b3e84b0fbe1c9bef6c2892f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\adbb1823 = c9d8291a36b5d585b73d5833ef0556a2ec998304c35d5d8b8d7541d92964b813a050ed05f1be6332f81e8b11b38db3cc657590f2ee26a7964b34c1edf8d89a1b3e36f00b8ce1f158593aa7a5a24c9209c7fa5a9dc7	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\d0b357a9 = a5f48de65c14ca224612fb47e81b8bfc9148c4c2449c85ad08016c47ab0450a909ec01e374ee8932d357d33dccbec3b40e00d0522f1e0ec1c9235c99a54a86dc71	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\680f30cc = 4a8f7cb0caa874c3631941f74d1b064d937465aa7e201b8dcf7c7dbb0f42f10d49a0fd04631f6fcaada377aa4e65b0ce98bb458156956aa4e7321346415510970000696052ed6febd2a971baaf5ea9d8b7407d6a5e3a551c013317ffa0fb776736b31941491c848333	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bkmiwznjwrkom\22d98f74 = 925cbfd6bdb8a3e1f07aa72ea0fbf0b5306ee4a7fe939651b854ece96f50a9f3c98aa1383abbc8c292be5f56	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	Process
748	regsvr32.exe
748	regsvr32.exe
2992	regsvr32.exe
2992	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid	Process
748	regsvr32.exe
2992	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

regsvr32.exeregsvr32.exeexplorer.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 2260 wrote to memory of 748	2260	regsvr32.exe	85
PID 2260 wrote to memory of 748	2260	regsvr32.exe	85
PID 2260 wrote to memory of 748	2260	regsvr32.exe	85
PID 748 wrote to memory of 788	748	regsvr32.exe	89
PID 748 wrote to memory of 788	748	regsvr32.exe	89
PID 748 wrote to memory of 788	748	regsvr32.exe	89
PID 748 wrote to memory of 788	748	regsvr32.exe	89
PID 748 wrote to memory of 788	748	regsvr32.exe	89
PID 788 wrote to memory of 3768	788	explorer.exe	90
PID 788 wrote to memory of 3768	788	explorer.exe	90
PID 788 wrote to memory of 3768	788	explorer.exe	90
PID 3588 wrote to memory of 2992	3588	regsvr32.exe	99
PID 3588 wrote to memory of 2992	3588	regsvr32.exe	99
PID 3588 wrote to memory of 2992	3588	regsvr32.exe	99
PID 2992 wrote to memory of 2776	2992	regsvr32.exe	100
PID 2992 wrote to memory of 2776	2992	regsvr32.exe	100
PID 2992 wrote to memory of 2776	2992	regsvr32.exe	100
PID 2992 wrote to memory of 2776	2992	regsvr32.exe	100
PID 2992 wrote to memory of 2776	2992	regsvr32.exe	100
PID 2776 wrote to memory of 784	2776	explorer.exe	101
PID 2776 wrote to memory of 784	2776	explorer.exe	101
PID 2776 wrote to memory of 5072	2776	explorer.exe	103
PID 2776 wrote to memory of 5072	2776	explorer.exe	103

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn khkisqzxnt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll\"" /SC ONCE /Z /ST 16:25 /ET 16:37
      4⤵
      Creates scheduled task(s)
      PID:3768

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ousyufhfuqx" /d "0"
      4⤵
      Windows security bypass
      PID:784
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Vcobs" /d "0"
      4⤵
      Windows security bypass
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll

Filesize
120KB

MD5
35927b301d9cd6c33a927b97dccf6266

SHA1
1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da

SHA256
18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

SHA512
0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\old_unpacked_qbot.dll

Filesize
120KB

MD5
35927b301d9cd6c33a927b97dccf6266

SHA1
1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da

SHA256
18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7

SHA512
0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b

Download Submit
memory/788-0-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/788-3-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/788-4-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/788-5-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/788-7-0x0000000000D30000-0x0000000000D51000-memory.dmp

Filesize
132KB

Download
memory/2776-11-0x0000000000670000-0x0000000000691000-memory.dmp

Filesize
132KB

Download
memory/2776-13-0x0000000000670000-0x0000000000691000-memory.dmp

Filesize
132KB

Download
memory/2776-14-0x0000000000670000-0x0000000000691000-memory.dmp

Filesize
132KB

Download
memory/2776-15-0x0000000000670000-0x0000000000691000-memory.dmp

Filesize
132KB

Download
memory/2776-17-0x0000000000670000-0x0000000000691000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads