qakbot | d9294f586f52e107f25cfe1061cc6272a82128a83f5c4a3cc95e925b5b6f1463

General

Target

88a64b448fee1f6067e4c22be41f2554.dll
Size

750KB
MD5

88a64b448fee1f6067e4c22be41f2554
SHA1

c83e65bf388ff98557d36d41cc8187d1f4291de0
SHA256

d9294f586f52e107f25cfe1061cc6272a82128a83f5c4a3cc95e925b5b6f1463
SHA512

352a7aeb9873edc63b193b44bcd07f9600c440ad701e73f135eda925b696f72b51796fbd2f0d81d496289788fde00f4aa6bbeec0c0ad7ec8e4bf8c43d24e026b
SSDEEP

12288:ZV75XRqXnVyGXpI7gFHpsqJtjA42je3kyS6wEB35cmCy:SXnVyy9WIkBy3kySqBpZV

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Jwqwakyemrmw = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Qcimssksmn = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1532 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3000 schtasks.exe

pid	process
1532	regsvr32.exe

pid	process
3000	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\ad389e66 = f4519b98cddaf2de9ba51baef9dbdde5423ef3159c4d65b50e1cdae8c06e477bd7732ede83a90c93b8aac40631c33902e9c658d85a7998393a39d157bed2bf6947c5e856ee692361509ef9f0e8f91430d2268183ac1099784ccdf49509c317a5c2be3da67c74bc9608a0d470683f9364dd50	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\98a74e28 = 60ef93f4aeb6af92b4a9539189a469e57190f4a8db44d168f3ae691bd1c211d97411ac896cbbbfb1ec368beb8e	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Fsywyyxo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\e7ee21de = af4c3ff04c7dbce34c6fd971f531a72b228645b19e7ea0049d7b8c0753a32d5c778b652e1c0fc8014acf2cad3e618e7ab809229a75b75901a917bdbb111151501941e1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\d271f190 = d6d3772d10c82e4f5182d2f80a8e55f0345ce35c20da73068b810d0e304721f93840dacc9697762a4107782eaef90f2ad4837607e7615907bf0ef1689b58e98c5c3348ac8c15976d048b99ce8eefad0fca0a0f50745596d39ecda427b5f019559ec286897a8adcf35624e33a10ee155bfc3332227498db4c873b758046e8d742da15f9456e44d15fbc6efb1c3c78c82a21276d32b2267897422b7745b916e88ccb43382073254f068dfa53b2ef4ca4207e8bdb3e0b93a7240609ad75e4d52359452a	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\d030d1ec = 01da38f5b79a5cec9dcf9f4ca7ef1bd8996dc2cb84a9cc230eca3ca2344ba1f7eebf28cfea23f8f0767973c0e16e01dd56e1672c3b5aa7d101c869d59583042c54d184a634338be86e57434473a5e64968f521cd8c46e1737e22ae	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\688cb689 = e395e55876af6f13c50a7888bfe39d7d20c1842094f232d324612b1e9b026ff243377bec	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\1584f903 = 078316a4f1bc0ad18a75b299d348657045ec6016e6a8a844445ef1a5308e6335debb02b3047344a412d4	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\6acd96f5 = 110d827484c3aa6fc6d6695ccd66b894d995b743a142f31f125b64147cbbe85fed78dc5471e5ceb48826be7fcd2c66e078e476789d8c79fba52816234ad6ceff54c14b393a9fe61bf641e43d1801a9e1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Fsywyyxo\e7ee21de = af4c28f04c7d89872ce4aad68fddc34bbc551f4d5e9ba723a2fa6ec32e2b2ef46d4003bc8b3286623546ae0092541121d5b3da278a5cd20ce3de46d56daef44224018a11f0ff6b5a877e5e9904ce37507c86e762765b2eac	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1736 rundll32.exe
1532 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1736 rundll32.exe
1532 regsvr32.exe

pid	process
1736	rundll32.exe
1532	regsvr32.exe

pid	process
1736	rundll32.exe
1532	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 2232 wrote to memory of 1736	2232	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 1736 wrote to memory of 2328	1736	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 3000	2328	explorer.exe	schtasks.exe
PID 2328 wrote to memory of 3000	2328	explorer.exe	schtasks.exe
PID 2328 wrote to memory of 3000	2328	explorer.exe	schtasks.exe
PID 2328 wrote to memory of 3000	2328	explorer.exe	schtasks.exe
PID 1896 wrote to memory of 2488	1896	taskeng.exe	regsvr32.exe
PID 1896 wrote to memory of 2488	1896	taskeng.exe	regsvr32.exe
PID 1896 wrote to memory of 2488	1896	taskeng.exe	regsvr32.exe
PID 1896 wrote to memory of 2488	1896	taskeng.exe	regsvr32.exe
PID 1896 wrote to memory of 2488	1896	taskeng.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 2488 wrote to memory of 1532	2488	regsvr32.exe	regsvr32.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 1532 wrote to memory of 556	1532	regsvr32.exe	explorer.exe
PID 556 wrote to memory of 848	556	explorer.exe	reg.exe
PID 556 wrote to memory of 848	556	explorer.exe	reg.exe
PID 556 wrote to memory of 848	556	explorer.exe	reg.exe
PID 556 wrote to memory of 848	556	explorer.exe	reg.exe
PID 556 wrote to memory of 1256	556	explorer.exe	reg.exe
PID 556 wrote to memory of 1256	556	explorer.exe	reg.exe
PID 556 wrote to memory of 1256	556	explorer.exe	reg.exe
PID 556 wrote to memory of 1256	556	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ldhhoky /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll\"" /SC ONCE /Z /ST 08:23 /ET 08:35
4⤵
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\taskeng.exe
taskeng.exe {BD64C035-3983-4CFF-9B4B-786A56FAB69D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Jwqwakyemrmw" /d "0"
5⤵
- Windows security bypass
PID:848

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Qcimssksmn" /d "0"
5⤵
- Windows security bypass
PID:1256

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88a64b448fee1f6067e4c22be41f2554.dll
Filesize
750KB

MD5
88a64b448fee1f6067e4c22be41f2554

SHA1
c83e65bf388ff98557d36d41cc8187d1f4291de0

SHA256
d9294f586f52e107f25cfe1061cc6272a82128a83f5c4a3cc95e925b5b6f1463

SHA512
352a7aeb9873edc63b193b44bcd07f9600c440ad701e73f135eda925b696f72b51796fbd2f0d81d496289788fde00f4aa6bbeec0c0ad7ec8e4bf8c43d24e026b

Download Submit
memory/556-33-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/556-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/556-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/556-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/556-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1532-27-0x00000000748E0000-0x00000000749B2000-memory.dmp

Filesize
840KB

Download
memory/1532-23-0x00000000748E0000-0x00000000749B2000-memory.dmp

Filesize
840KB

Download
memory/1532-21-0x00000000748E0000-0x00000000749B2000-memory.dmp

Filesize
840KB

Download
memory/1532-20-0x00000000748E0000-0x00000000749B2000-memory.dmp

Filesize
840KB

Download
memory/1736-8-0x0000000075320000-0x00000000753F2000-memory.dmp

Filesize
840KB

Download
memory/1736-0-0x0000000075320000-0x00000000753F2000-memory.dmp

Filesize
840KB

Download
memory/1736-1-0x0000000075320000-0x00000000753F2000-memory.dmp

Filesize
840KB

Download
memory/1736-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1736-2-0x0000000075320000-0x00000000753F2000-memory.dmp

Filesize
840KB

Download
memory/2328-15-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2328-7-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2328-11-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2328-12-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2328-13-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2328-5-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads