qakbot | 238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9

General

Target

0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll
Size

1.0MB
MD5

0fe8ae3cab77dc2e1e0f6bc47f9c94bc
SHA1

b9860b8b36735fc0b37472ef4de0b1510fbb61b0
SHA256

238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9
SHA512

8818f1a60d192384059e084206f95cabb06b186422c1dd1904b9b47ef7e5ae07729eceb70908fb9c4a4102a3597faad19d47451e3962a259b2727eae45a3e28a
SSDEEP

24576:vPmUt5u2f8THLYM2UGGcOzDDqkB02DRbNRYilN3xa0vvw6xPrvuygaPkbDf59cMZ:HmKutTHLYMXrDuwprRYilN3xa0vvw6lT

Score

10^/10

qakbot obama110 1633507384 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama110

Campaign

1633507384

C2

96.57.188.174:2078

94.200.181.154:443

217.17.56.163:2222

122.11.220.212:2222

2.222.167.138:443

209.50.20.255:443

167.248.117.81:443

187.116.124.82:995

73.52.50.32:443

120.151.47.189:443

181.118.183.94:443

89.101.97.139:443

188.210.210.122:0

81.241.252.59:2078

202.134.178.157:443

75.75.179.226:443

120.150.218.241:995

185.250.148.74:443

81.250.153.227:2222

66.103.170.104:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ojaoii = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ccuvyi = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
4712	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4256	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\f62de10a = d12dc2fbd0e799dcffe49831f38dc292f3a6c2636b547080fc19	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\31d8e999 = 5bbd9aa53352cf6341d9da1b147065185fd2ba3fa8f741ddd227b88585aa7eff7e419ff8e5ce06a8c7c9a201d85bbb5864258182ba721d129e6d1abca797d47bd18f5d15c25cb2350b1a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\bcfb5eb2 = b719c9f3324b741cff335552bdba2fb6e3d6398b2d88ad98dc4057540e2262a78c240e318adf13485c27dd05684dcb80cb8d1824404fb82eb20c207e5169bf1c226b7a037e4f091baaba2e39b896e5ac78928c5bdf16ab3dfc261eb415258699ba7a9c6da4e452bb20b52cbe06bdd4	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\bcfb5eb2 = b719def3324b41ffd264559a6d5043187da094ca0717868449067863590ad00b3b1de80d506b9e59e541a8a48dbec52ac568884de9e81d91bae9d1025c9659841e4f90ae52ce2d73ad34dc0b3c58f81bdcd0625f075459579a71	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\8b25ae80 = 375108cd17584db748a4d7ae6cad7faedf42842f96f10e412ac8ebb2ccac7d3af53c46fb2568048cae728fa5d4137dc25f1eec4a5aaf319b527398e9d7fd0a55a8ff296d77b4e05a2ddab4f2bb7027165bd891e25bcbff05f70d165f71e94d8bccaa5b794787f0d56ac2b94af25708	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\c3b23144 = f73b3b8eb776c865c023cf3fd5180d90874c2f10fe7adbfb184ebd2f897889e736edded6cccacf95e8f02a2f94a3b3335fa901b097a1210658bc6fcd9677cfa49eb3bd13d5133fbdfe3e01e96f53272b4d31d07c1ebdbbe17882739dd1edf3b78cbff40ec1bc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\89648efc = 2f122e09ada4ef55956fd95ffe37586e8522b42111738c6dd03aee85f413759dcacfaddc37340ad6963613d456158cd2aa77830725c4e055c30ca504816e115120d7dc06856b65c7f7cff92b222006f1972448a439b2681e352896dc9b2e4cc93475b4ff53297d5e20241379b337351c6e754a170922a361ac42fc0bb2ab654c7abc8da1989d68c4e98d944d77112f86616ccdf7ebde3ab2d950e37e9c2a18d28bceeaf3851ed6e94b295fba7f7dd25ea2c6ed68fc9e647d9b3e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\3399c9e5 = dbbbc133aecf6be7909da71662b7905d67964831cac24b59ab64a4e812cf84eee41c0a90ec5038df9bbb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yhymieufoyizh\4e91866f = 0d06058fc080c5a0228fcaba0fed82e8a319295d3648a3d625100167d113af5a5c883676de2df15d02142d2211ed00da5441e55ce19abc78eba74eba9c20d60ff60a69a635a50f45c35fa3da252e	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4912	rundll32.exe
4912	rundll32.exe
4712	regsvr32.exe
4712	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4912	rundll32.exe
4712	regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4912	1440	rundll32.exe	19
PID 1440 wrote to memory of 4912	1440	rundll32.exe	19
PID 1440 wrote to memory of 4912	1440	rundll32.exe	19
PID 4912 wrote to memory of 2672	4912	rundll32.exe	94
PID 4912 wrote to memory of 2672	4912	rundll32.exe	94
PID 4912 wrote to memory of 2672	4912	rundll32.exe	94
PID 4912 wrote to memory of 2672	4912	rundll32.exe	94
PID 4912 wrote to memory of 2672	4912	rundll32.exe	94
PID 2672 wrote to memory of 4256	2672	explorer.exe	96
PID 2672 wrote to memory of 4256	2672	explorer.exe	96
PID 2672 wrote to memory of 4256	2672	explorer.exe	96
PID 3172 wrote to memory of 4712	3172	regsvr32.exe	102
PID 3172 wrote to memory of 4712	3172	regsvr32.exe	102
PID 3172 wrote to memory of 4712	3172	regsvr32.exe	102
PID 4712 wrote to memory of 2608	4712	regsvr32.exe	103
PID 4712 wrote to memory of 2608	4712	regsvr32.exe	103
PID 4712 wrote to memory of 2608	4712	regsvr32.exe	103
PID 4712 wrote to memory of 2608	4712	regsvr32.exe	103
PID 4712 wrote to memory of 2608	4712	regsvr32.exe	103
PID 2608 wrote to memory of 4524	2608	explorer.exe	104
PID 2608 wrote to memory of 4524	2608	explorer.exe	104
PID 2608 wrote to memory of 2012	2608	explorer.exe	107
PID 2608 wrote to memory of 2012	2608	explorer.exe	107

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bdpfilunfg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll\"" /SC ONCE /Z /ST 14:50 /ET 15:02
      4⤵
      Creates scheduled task(s)
      PID:4256

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\regsvr32.exe
  -s "C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ojaoii" /d "0"
      4⤵
      Windows security bypass
      PID:4524
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ccuvyi" /d "0"
      4⤵
      Windows security bypass
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll

Filesize
136KB

MD5
d0510d1699a089ccb2e9a86f130a1f2c

SHA1
5a2fa2234f47e1ae09830439d2b7a92d25dd1019

SHA256
74af3863322b592fbe0752b0a3cd842234fc9fff27ae453b5ba0727dcd806ac0

SHA512
96a554141344a60a6a9ebd55582262c37e6e096715400295d7f19484f359c970693e269a93f912b0b82698d5835b7b31884df03ca51fd4beeafd7ba3a9cf3809

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fe8ae3cab77dc2e1e0f6bc47f9c94bc.dll

Filesize
1.0MB

MD5
0fe8ae3cab77dc2e1e0f6bc47f9c94bc

SHA1
b9860b8b36735fc0b37472ef4de0b1510fbb61b0

SHA256
238fa968ea18bf8ee6737880083f39c3b239c91084bbf6dafa23eb050f31b3f9

SHA512
8818f1a60d192384059e084206f95cabb06b186422c1dd1904b9b47ef7e5ae07729eceb70908fb9c4a4102a3597faad19d47451e3962a259b2727eae45a3e28a

Download Submit
memory/2608-22-0x0000000000C50000-0x0000000000C71000-memory.dmp

Filesize
132KB

Download
memory/2608-26-0x0000000000C50000-0x0000000000C71000-memory.dmp

Filesize
132KB

Download
memory/2608-25-0x0000000000C50000-0x0000000000C71000-memory.dmp

Filesize
132KB

Download
memory/2608-27-0x0000000000C50000-0x0000000000C71000-memory.dmp

Filesize
132KB

Download
memory/2672-13-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2672-9-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2672-11-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2672-10-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/2672-5-0x0000000000780000-0x00000000007A1000-memory.dmp

Filesize
132KB

Download
memory/4712-17-0x00000000755C0000-0x000000007576D000-memory.dmp

Filesize
1.7MB

Download
memory/4712-18-0x00000000755C0000-0x000000007576D000-memory.dmp

Filesize
1.7MB

Download
memory/4712-20-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4712-23-0x00000000755C0000-0x000000007576D000-memory.dmp

Filesize
1.7MB

Download
memory/4912-4-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/4912-0-0x0000000075650000-0x00000000757FD000-memory.dmp

Filesize
1.7MB

Download
memory/4912-1-0x0000000075650000-0x00000000757FD000-memory.dmp

Filesize
1.7MB

Download
memory/4912-2-0x0000000075650000-0x00000000757FD000-memory.dmp

Filesize
1.7MB

Download
memory/4912-6-0x0000000075650000-0x00000000757FD000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads