qakbot | 00eb9e819548a07373a5f3aacc0f449171dc3e520cef7086fd7f47d9ad3fc5f3

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9635dc7f7bc526b80b4fed8ddeeede37.dll
Size

820KB
MD5

9635dc7f7bc526b80b4fed8ddeeede37
SHA1

062ed276f7d55a4cf137441a437f9507dd787310
SHA256

00eb9e819548a07373a5f3aacc0f449171dc3e520cef7086fd7f47d9ad3fc5f3
SHA512

4517989bf5181842ae028787affa19a3f1d021eb4c75aa61f23123eeaf4fbe51c79a7a94829f35824b91c543f5b138cb1f3ad043c9081c613592cd378237289c
SSDEEP

24576:OO6c3oCrVA7bEK7mJaW2eX8TvE81cIzsk6EzCUfk7Gu:UuVeEK7mmeX8TBcIzsk6hUf4J

Score

10^/10

qakbot obama112 1633682302 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama112

Campaign

1633682302

98.157.235.126:443

124.123.42.115:2222

185.250.148.74:443

73.77.87.137:443

188.50.169.158:443

216.201.162.158:443

174.54.193.186:443

27.223.92.142:995

220.255.25.28:2222

103.142.10.177:443

2.222.167.138:443

66.177.215.152:0

122.11.220.212:2222

85.109.229.54:995

140.82.49.12:443

199.27.127.129:443

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

81.241.252.59:2078

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ouauo = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Fugpuntcyk = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2524	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2792	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Yyjvmfopaikq	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\32eda0b4 = 48c9d6e86cbc68988b037bf184df0f0d13ef0820fc5d79ee2f2cc8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\77270fa = aa02892854607765e5f802db3449c473113f27fb0a09518aa7fea786bfb0ab8546f2cdf6d0014b5e51c47944f8d7368bdf6dd748cc993ee4298325b0e35ae588fdd50f5afa95d10537161d55eeebae73ffc7fb49aa51a9116d7bfd2e6c912e9f21b5f5558129652a7bcd254d47624466079197f585c256b03395cad41bfafe46a87e913f5b03a789124441d0188a2a27205f6ed27fed0483e9e489aba62623c87c7222e9d6	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\c0877869 = 4f3618d53c21605086a714a606b0584db06f277394d98b5af8b25df953e80925f8c255134a81f3cb097dd5a867759bba7bd4f7382c405d0781e88f3e8f629d4fd2fc0323e8eded119109991cc2d71f5401372207b424	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\783b1f0c = 719fd249d842e7145fcd5d26dc47c6ecef8512f7a8d6dc533786c71d4110311532f0a4655a27ca6c7f3bf56c0e2d001e11d6d2ddc8af9e50f573d547	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\bfce179f = 837bcafd03a6520e625c12ea0527ac3f702fe42b094b24d22866ac8c9fcfc4594f2a110c2be51c95fffff0cbd90de7fb2c6f3c950ce41345f6dcdaecc2bd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\5335086 = dcc0026e95189a78057398a8ba7556e744c54e23adc95f284cfa3ebc99c2dbb3b8c1ccd3d6590644f95d856eb467e7b28a0109fd69934e10ba8dcc9d449f96eba58b875a45f169a0c86e8c4371b44ee2b84082e8efd6614d8ee08cc68b92f0280b85973e	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\bd8f37e3 = d48dd44e9cab25ed7e000d177ed9dc61a13b05a1e58e1e31606f0ec44002f494703efd0ee8cab10da3fbdec0e679c21107bc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\4da4cf42 = f74abe6bdf5570239eb9d2764e8f1361017130bf2614403c545c6d2b14b904937aab666e7368ceb451124c75b13a0187e9bd3419dcc6322f13cb2691d2c9681c93301181120140182d78e2880f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Yyjvmfopaikq\32eda0b4 = 48c9c1e86cbc5d30f688a97387f64c7d51e9c20d639d79846ab98af02052c77c188d2c8d4a4fddc3fecf8c85af2af490	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2064	rundll32.exe
2524	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2064	rundll32.exe
2524	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2220 wrote to memory of 2064	2220	rundll32.exe	28
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2064 wrote to memory of 2148	2064	rundll32.exe	29
PID 2148 wrote to memory of 2792	2148	explorer.exe	30
PID 2148 wrote to memory of 2792	2148	explorer.exe	30
PID 2148 wrote to memory of 2792	2148	explorer.exe	30
PID 2148 wrote to memory of 2792	2148	explorer.exe	30
PID 2940 wrote to memory of 844	2940	taskeng.exe	35
PID 2940 wrote to memory of 844	2940	taskeng.exe	35
PID 2940 wrote to memory of 844	2940	taskeng.exe	35
PID 2940 wrote to memory of 844	2940	taskeng.exe	35
PID 2940 wrote to memory of 844	2940	taskeng.exe	35
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 844 wrote to memory of 2524	844	regsvr32.exe	36
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 2524 wrote to memory of 1804	2524	regsvr32.exe	37
PID 1804 wrote to memory of 564	1804	explorer.exe	38
PID 1804 wrote to memory of 564	1804	explorer.exe	38
PID 1804 wrote to memory of 564	1804	explorer.exe	38
PID 1804 wrote to memory of 564	1804	explorer.exe	38
PID 1804 wrote to memory of 764	1804	explorer.exe	40
PID 1804 wrote to memory of 764	1804	explorer.exe	40
PID 1804 wrote to memory of 764	1804	explorer.exe	40
PID 1804 wrote to memory of 764	1804	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qnehsxpw /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll\"" /SC ONCE /Z /ST 02:47 /ET 02:59
      4⤵
      Creates scheduled task(s)
      PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {5A679F41-29D3-4EFD-89D6-33325ABF2604} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ouauo" /d "0"
        5⤵
        Windows security bypass
        
        PID:564
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Fugpuntcyk" /d "0"
        5⤵
        Windows security bypass
        
        PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9635dc7f7bc526b80b4fed8ddeeede37.dll

Filesize
820KB

MD5
9635dc7f7bc526b80b4fed8ddeeede37

SHA1
062ed276f7d55a4cf137441a437f9507dd787310

SHA256
00eb9e819548a07373a5f3aacc0f449171dc3e520cef7086fd7f47d9ad3fc5f3

SHA512
4517989bf5181842ae028787affa19a3f1d021eb4c75aa61f23123eeaf4fbe51c79a7a94829f35824b91c543f5b138cb1f3ad043c9081c613592cd378237289c

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1804-34-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1804-31-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1804-32-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1804-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1804-27-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2064-8-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download
memory/2064-0-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download
memory/2064-4-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2064-2-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download
memory/2148-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2148-15-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2148-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2148-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2148-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2148-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2524-20-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download
memory/2524-22-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download
memory/2524-28-0x0000000075120000-0x0000000075286000-memory.dmp

Filesize
1.4MB

Download