qakbot | e64e7761e85c14928ae398e2b27ec8db0ebcf8f8a6b5a48dcf46f42393121097

General

Target

8de512bd768a612f1f91f55718e0d53d.dll
Size

750KB
MD5

8de512bd768a612f1f91f55718e0d53d
SHA1

d2f0b77d4d5ffa23a1e3cd26d43d01c3bfa9dd09
SHA256

e64e7761e85c14928ae398e2b27ec8db0ebcf8f8a6b5a48dcf46f42393121097
SHA512

dba9f21ae79ddca811bfeecb5ca3181de8f4b381f9ae13e88fa39c883a1557c221d79825d7f9003b8c26c1ed86951a9907b2bbb4d67e4293dce47c35a80a96ed
SSDEEP

12288:8V75XRqXnVyGXpI7fFHpsqJtjA42je3kyS6wEB35cyCH:fXnVyy6WIkBy3kySqBpFA

Score

10^/10

qakbot obama105 1632821932 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama105

Campaign

1632821932

C2

120.151.47.189:443

41.228.22.180:443

39.52.241.3:995

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Isjku = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Csewsihunimv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1720 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2140 schtasks.exe

pid	process
1720	regsvr32.exe

pid	process
2140	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\15636818 = 637fc982bdc9c40874bed24c60394b82dc21731e87aa11fd7dad8d2544642623404222b1b06e00c80f4fd2cce1f1a174abfc9cdd854bd425b5e6ef87	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\d296608b = 19428126fafea66c62c12b3428bac7fa16	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Coeznbiobo	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\686b2792 = 8027c7147198455ff72546a9f07980277b221bfdf9b5260d676921a45b72189f9eb1c7993ca6abc17536c7b8bc9ed18dc734f3eaedc6c6f42da4cf16e35bbe40227cbb9b4bbbc132fc85265f7296bbd87f858dace501f36bf8d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\d0d740f7 = b47a75d188de4c366129ff697ba90aefee75633bfbdf9b2ba43b653b408b34733c3bf256e15bae4e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\addf0f7d = 5620bdfd50bec3c57057de2692c3fdbb9e996acfd650d6e27e21b488455f70693da0f641c6afbc4ea677fa25d49e1fb03236e3989b9bc919d50d6480edf527affc87fd91a686500684	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\5fb5d7a0 = b5ce5e87f0b6fd6afcb89a6700a51a9c201874ac478d7a40e8b032db6d67717328d368676ea6215f6d8929ae91235980	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\6a2a07ee = de80a51bd4d12443d6f0e17559e10335f505c29e40fd13d4ea1c50c80f4f04179da19f1fadc7a7cff135625aa4fb3ec615f0b78eb2f72094443d9b933b5aca0e8bfea7d64eaf9846c97341bc196b9e3c838ec92c260066022f7663568b6dda1b7a88b9f72ba99433564c1666eade5fcb20c2d67351c8ea2a9aa30b85f304329f6411482f8518f90be2796729793e8105b1a6da5b667a90b9fee2c8d69e9e1347ebee2c71c2430e3df59cc83601a372ddbc6c87b9c49f6399ee5bb482ff13959e7eb2	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\20fcb856 = 9301fec8f6653642274fea07035666001fe3861eb0a27e9907c9bd1a97ba5f830e1383b556f45c50c0fac7daf678b5d7c255e6509f9339a1db8aa9af79792862ccd792db3ef2ed951b6f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Coeznbiobo\5fb5d7a0 = b5ce4987f0b6c89a584ac8513490b5a3dd15cea4f99c366b2ddde9bb9942f4ab44447e7392db416eba7fe50d628a7f0650613a3721f4ff775343c68890ffed5db3b7cf5f26	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2088 rundll32.exe
1720 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2088 rundll32.exe
1720 regsvr32.exe

pid	process
2088	rundll32.exe
1720	regsvr32.exe

pid	process
2088	rundll32.exe
1720	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 1156 wrote to memory of 2088	1156	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2088 wrote to memory of 2820	2088	rundll32.exe	explorer.exe
PID 2820 wrote to memory of 2140	2820	explorer.exe	schtasks.exe
PID 2820 wrote to memory of 2140	2820	explorer.exe	schtasks.exe
PID 2820 wrote to memory of 2140	2820	explorer.exe	schtasks.exe
PID 2820 wrote to memory of 2140	2820	explorer.exe	schtasks.exe
PID 1524 wrote to memory of 1928	1524	taskeng.exe	regsvr32.exe
PID 1524 wrote to memory of 1928	1524	taskeng.exe	regsvr32.exe
PID 1524 wrote to memory of 1928	1524	taskeng.exe	regsvr32.exe
PID 1524 wrote to memory of 1928	1524	taskeng.exe	regsvr32.exe
PID 1524 wrote to memory of 1928	1524	taskeng.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1928 wrote to memory of 1720	1928	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 1720 wrote to memory of 868	1720	regsvr32.exe	explorer.exe
PID 868 wrote to memory of 1988	868	explorer.exe	reg.exe
PID 868 wrote to memory of 1988	868	explorer.exe	reg.exe
PID 868 wrote to memory of 1988	868	explorer.exe	reg.exe
PID 868 wrote to memory of 1988	868	explorer.exe	reg.exe
PID 868 wrote to memory of 2052	868	explorer.exe	reg.exe
PID 868 wrote to memory of 2052	868	explorer.exe	reg.exe
PID 868 wrote to memory of 2052	868	explorer.exe	reg.exe
PID 868 wrote to memory of 2052	868	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sxpcerqsaw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll\"" /SC ONCE /Z /ST 01:23 /ET 01:35
4⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\taskeng.exe
taskeng.exe {F0A1EB7E-9853-4375-A1D6-B6DAA558E632} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Csewsihunimv" /d "0"
5⤵
- Windows security bypass
PID:1988

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Isjku" /d "0"
5⤵
- Windows security bypass
PID:2052

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8de512bd768a612f1f91f55718e0d53d.dll
Filesize
750KB

MD5
8de512bd768a612f1f91f55718e0d53d

SHA1
d2f0b77d4d5ffa23a1e3cd26d43d01c3bfa9dd09

SHA256
e64e7761e85c14928ae398e2b27ec8db0ebcf8f8a6b5a48dcf46f42393121097

SHA512
dba9f21ae79ddca811bfeecb5ca3181de8f4b381f9ae13e88fa39c883a1557c221d79825d7f9003b8c26c1ed86951a9907b2bbb4d67e4293dce47c35a80a96ed

Download Submit
memory/868-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/868-26-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/868-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/868-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1720-21-0x0000000074590000-0x0000000074662000-memory.dmp

Filesize
840KB

Download
memory/1720-22-0x0000000074590000-0x0000000074662000-memory.dmp

Filesize
840KB

Download
memory/1720-27-0x0000000074590000-0x0000000074662000-memory.dmp

Filesize
840KB

Download
memory/2088-5-0x0000000074FE0000-0x00000000750B2000-memory.dmp

Filesize
840KB

Download
memory/2088-9-0x0000000074FE0000-0x00000000750B2000-memory.dmp

Filesize
840KB

Download
memory/2088-0-0x0000000074FE0000-0x00000000750B2000-memory.dmp

Filesize
840KB

Download
memory/2088-4-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2088-2-0x0000000074FE0000-0x00000000750B2000-memory.dmp

Filesize
840KB

Download
memory/2820-6-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2820-16-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2820-8-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads