qakbot | 238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9

Analysis

max time kernel
137s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll
Size

1.0MB
MD5

0fe8ae3cab77dc2e1e0f6bc47f9c94bc
SHA1

b9860b8b36735fc0b37472ef4de0b1510fbb61b0
SHA256

238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9
SHA512

8818f1a60d192384059e084206f95cabb06b186422c1dd1904b9b47ef7e5ae07729eceb70908fb9c4a4102a3597faad19d47451e3962a259b2727eae45a3e28a
SSDEEP

24576:vPmUt5u2f8THLYM2UGGcOzDDqkB02DRbNRYilN3xa0vvw6xPrvuygaPkbDf59cMZ:HmKutTHLYMXrDuwprRYilN3xa0vvw6lT

Score

10^/10

qakbot obama110 1633507384 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama110

Campaign

1633507384

96.57.188.174:2078

94.200.181.154:443

217.17.56.163:2222

122.11.220.212:2222

2.222.167.138:443

209.50.20.255:443

167.248.117.81:443

187.116.124.82:995

73.52.50.32:443

120.151.47.189:443

181.118.183.94:443

89.101.97.139:443

188.210.210.122:0

81.241.252.59:2078

202.134.178.157:443

75.75.179.226:443

120.150.218.241:995

185.250.148.74:443

81.250.153.227:2222

66.103.170.104:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Vuzjh = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Fiecehn = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2876	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2484	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\7088212 = f84382f15f1ec49bdd63d158dc193e8798817fac5a89d09aa67b341d4b32e34f7093a5549dd2242dd3486f0d2642665fc590d199fe0109f642cfc5aa63981ac57734fec21ce472229ed9f6a7752417b6dce84a667d5da0c01717e38b3f138f5e6d2ad71345363773fae6d26dc0013e83e74a8f483b14554a73d04d6ac6c80576e1431511bf3e3357b5f3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\7841ede4 = 9beb7c1290c1a80f817299630eb233f1ead6917d6a1cf49b67ba175bd71c9d2ce717c6337579eea91984c9a39dff9ce967ef4cc9ee0e390680ac20e054953f9615bbd0be62f5d5b6ecaf06e07080a7cf3495685cb621e0e4219244214de5492bbaa9fd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\bfb4e577 = 142af0b7bcdfa6d22aade64faeb87e6d01026b3f10a78aabff40475cc10d0b066fe27b352632789cb86a640fce445eebecc05d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\3297525c = da050ee753a12cea62234ca3288859823342322501af8e52fdcb367f8031d7cf9323cbe23a8379cbe89283e1fe7724f087977e539464cac5c786eb5b9d	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\3297525c = da0519e753a11983c552eaa716851c2543eb5414ae0f8997bdd829ecc3d511286f1e458d030eb820	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\549a26e = 229c5d7394bb0d30e1bd9c9027a4581c878160d15073d95ad4a4bd93d877daccbc374d80a529d4f269eb2bee942987aa16eb99a31c2e273aff5e318b7931332e8f51d003db69009206f51d1be9ea6ebe497393b4a846f1976b97df1cf9aee8d4a6f1f88ae8ffba2d5005ab556d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\bdf5c50b = 647b53732a17883108e9a968a0c185972ad1e30b9414b98aad450252447fd661907b2e98b2fc3e721ce96f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\c0fd8a81 = 97a8d7ec40581bc88045c7260ad5c5a5a51af8742b570465366bc569a7b9be18aca3728ff1ccf2834121894d213f36d9f47b745700b1e76da279ac4d9fff6ed3e855f2d28156543e9060ba05ba2e2357ef50f425219c784765777c93759638c76f39b6c3	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yzngfcmaeduqjo\4dde3daa = ff06256462e3c353f30bfa518241f2279129070fc0	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
1708	rundll32.exe
2876	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
1708	rundll32.exe
2876	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1544 wrote to memory of 1708	1544	rundll32.exe	28
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 1708 wrote to memory of 2784	1708	rundll32.exe	29
PID 2784 wrote to memory of 2484	2784	explorer.exe	30
PID 2784 wrote to memory of 2484	2784	explorer.exe	30
PID 2784 wrote to memory of 2484	2784	explorer.exe	30
PID 2784 wrote to memory of 2484	2784	explorer.exe	30
PID 3060 wrote to memory of 3064	3060	taskeng.exe	35
PID 3060 wrote to memory of 3064	3060	taskeng.exe	35
PID 3060 wrote to memory of 3064	3060	taskeng.exe	35
PID 3060 wrote to memory of 3064	3060	taskeng.exe	35
PID 3060 wrote to memory of 3064	3060	taskeng.exe	35
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 3064 wrote to memory of 2876	3064	regsvr32.exe	36
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2876 wrote to memory of 2748	2876	regsvr32.exe	37
PID 2748 wrote to memory of 2156	2748	explorer.exe	38
PID 2748 wrote to memory of 2156	2748	explorer.exe	38
PID 2748 wrote to memory of 2156	2748	explorer.exe	38
PID 2748 wrote to memory of 2156	2748	explorer.exe	38
PID 2748 wrote to memory of 2988	2748	explorer.exe	40
PID 2748 wrote to memory of 2988	2748	explorer.exe	40
PID 2748 wrote to memory of 2988	2748	explorer.exe	40
PID 2748 wrote to memory of 2988	2748	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn trwczcfg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll\"" /SC ONCE /Z /ST 14:50 /ET 15:02
      4⤵
      Creates scheduled task(s)
      PID:2484

C:\Windows\system32\taskeng.exe
taskeng.exe {3203A703-DA99-4B29-A5D6-3B4E8C1B2FC0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vuzjh" /d "0"
        5⤵
        Windows security bypass
        
        PID:2156
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Fiecehn" /d "0"
        5⤵
        Windows security bypass
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll

Filesize
1.0MB

MD5
0fe8ae3cab77dc2e1e0f6bc47f9c94bc

SHA1
b9860b8b36735fc0b37472ef4de0b1510fbb61b0

SHA256
238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9

SHA512
8818f1a60d192384059e084206f95cabb06b186422c1dd1904b9b47ef7e5ae07729eceb70908fb9c4a4102a3597faad19d47451e3962a259b2727eae45a3e28a

Download Submit
memory/1708-2-0x00000000747F0000-0x000000007499D000-memory.dmp

Filesize
1.7MB

Download
memory/1708-1-0x00000000747F0000-0x000000007499D000-memory.dmp

Filesize
1.7MB

Download
memory/1708-4-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1708-8-0x00000000747F0000-0x000000007499D000-memory.dmp

Filesize
1.7MB

Download
memory/1708-0-0x00000000747F0000-0x000000007499D000-memory.dmp

Filesize
1.7MB

Download
memory/2748-32-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2748-29-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2748-30-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2748-28-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2748-25-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-15-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-13-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-12-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-11-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-7-0x0000000000310000-0x0000000000331000-memory.dmp

Filesize
132KB

Download
memory/2784-5-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/2876-20-0x0000000074650000-0x00000000747FD000-memory.dmp

Filesize
1.7MB

Download
memory/2876-22-0x0000000074650000-0x00000000747FD000-memory.dmp

Filesize
1.7MB

Download
memory/2876-21-0x0000000074650000-0x00000000747FD000-memory.dmp

Filesize
1.7MB

Download
memory/2876-26-0x0000000074650000-0x00000000747FD000-memory.dmp

Filesize
1.7MB

Download