qakbot | ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5702b803de813dbbcae69a2427d1fc.dll
Size

573KB
MD5

ec5702b803de813dbbcae69a2427d1fc
SHA1

e8a74a8db218b06dc1ecfce0147ef46deebd558f
SHA256

ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d
SHA512

b7e987afcfebaed5c22915b4c3c454190d55515ba6ca613dd5e1c4bfd7d8c3cabc84aff26da5f7de98127b4514fcb2b4ac7e17f1d7d028e2f09e518d124944b9
SSDEEP

12288:e87H3sH2k/e09A9tqKsuud0fl0pT7fEztxG9HBMbVNAfirS:eSs7/nYtqoE3MzO9HoHks

Score

10^/10

qakbot obama107 1633078880 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama107

Campaign

1633078880

140.82.49.12:443

41.250.143.109:995

216.201.162.158:443

86.8.177.143:443

105.198.236.99:443

124.123.42.115:2222

217.17.56.163:443

37.210.152.224:995

190.198.206.189:2222

75.89.195.186:995

78.191.44.76:995

122.11.220.212:2222

68.186.192.69:443

159.2.51.200:2222

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

120.151.47.189:443

47.22.148.6:443

94.200.181.154:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cpsevaevetwk = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ctqbhoxne = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1376	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2560	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\d484009c = 3ab7bfeea290d035131236f0f4ecd96accb278ea9882d31b743d58adaf5d83d75f6653ef7351627720c65b638ea7c9ba3c53518706d89931807934e1597695d6edb566de8d652edd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\5be697cb = 6fc73bd825bf94c70da78a4e95de8e9a1bdbf8b86c895a3a9ed2a60eeda434e33eeff2fa1d301569166129b15ee73b6c8be467aaef6d2e5e3b00a5ee62b0c5f49553f3dc33e58f6209d1209b0de1407566623c18a32bff7e86feda7d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\59a7b7b7 = 9c694449dc23aaaeb733c989526453dea08cea86b7b2d469f4ff0c0045555a931fed925f5e6787affd84a53cf9e1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\abcd6f6a = bdab855f5e47533c50cc660ba6f533daad3205edd644c1a4651853b80ef8ebaa9cd351e866fdc5af482e0a425d939311bc5de3621361	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\d484009c = 3ab7a8eea290e59fa209673f6caced900546ff5a1518e5faa02eb60772b41e9460c1210e562c0432277b6cdea7bf9156c30313aea9ae1961fc604a3c3c780ac741261b10b303f29fe6d32fa328ade89ef8b51d9aac9cf314281aa494eb	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Sqjziqu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\e11bd0d2 = 4819e0cedc25ecc90bee1bd464645238a6964fe29619449f1da405e8ba450f0409162264317b04340462871582741377c76cebd8d8c68dd1c9bee8e0945a8cf53d1d44802cac2d76d8be0a437090980309fc7e47badf2397a311529149e6e88917f278d80d34e2df1abcae77a66501882a5506f511b19290ace9b184a58d9b28	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\e35af0ae = 722714dd0058bbbad0a852d3b997b900d7c208a80133783187dd2332e8422fdde20fe5cc7550df450636f759899429dd186f93ac4c15ea9094d395d770020d1ce52d0d1451020c3da759cbb88119ebd48579ea209ead306bcc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\26eed841 = 2e5bc4347ba8ac049e0fbcc4f8e766e448677e33f796f47010b5b7e63add42d65baab128941b54bb1c761602cba987b31fd0d21859caabe0b3ee04f3a1f153fbc4851f5a97fe04ac0b0597cbcc37219187196f11dc27580bf5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\9e52bf24 = d1f0f8c35f03a44ca717c1329ed38d280e955a064e94b32842d428feca84878012d3075ead3466fd75400e76187247ccfd319db61bd91ea715fde639a734854a71fa497b7aa83ea78b50ec8f4a34dad34f760189f573b747650a3aaeec83a6d75ab995524d19cb88a1b21f	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2328	rundll32.exe
1376	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2328	rundll32.exe
1376	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 1064 wrote to memory of 2328	1064	rundll32.exe	28
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 2328 wrote to memory of 768	2328	rundll32.exe	31
PID 768 wrote to memory of 2560	768	explorer.exe	32
PID 768 wrote to memory of 2560	768	explorer.exe	32
PID 768 wrote to memory of 2560	768	explorer.exe	32
PID 768 wrote to memory of 2560	768	explorer.exe	32
PID 2404 wrote to memory of 2216	2404	taskeng.exe	35
PID 2404 wrote to memory of 2216	2404	taskeng.exe	35
PID 2404 wrote to memory of 2216	2404	taskeng.exe	35
PID 2404 wrote to memory of 2216	2404	taskeng.exe	35
PID 2404 wrote to memory of 2216	2404	taskeng.exe	35
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	36
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	37
PID 2020 wrote to memory of 1836	2020	explorer.exe	38
PID 2020 wrote to memory of 1836	2020	explorer.exe	38
PID 2020 wrote to memory of 1836	2020	explorer.exe	38
PID 2020 wrote to memory of 1836	2020	explorer.exe	38
PID 2020 wrote to memory of 2252	2020	explorer.exe	40
PID 2020 wrote to memory of 2252	2020	explorer.exe	40
PID 2020 wrote to memory of 2252	2020	explorer.exe	40
PID 2020 wrote to memory of 2252	2020	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yorbugg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll\"" /SC ONCE /Z /ST 13:38 /ET 13:50
      4⤵
      Creates scheduled task(s)
      PID:2560

C:\Windows\system32\taskeng.exe
taskeng.exe {90579455-4040-4769-BCF8-1C6A0AC61081} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cpsevaevetwk" /d "0"
        5⤵
        Windows security bypass
        
        PID:1836
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ctqbhoxne" /d "0"
        5⤵
        Windows security bypass
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll

Filesize
573KB

MD5
ec5702b803de813dbbcae69a2427d1fc

SHA1
e8a74a8db218b06dc1ecfce0147ef46deebd558f

SHA256
ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d

SHA512
b7e987afcfebaed5c22915b4c3c454190d55515ba6ca613dd5e1c4bfd7d8c3cabc84aff26da5f7de98127b4514fcb2b4ac7e17f1d7d028e2f09e518d124944b9

Download Submit
memory/768-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-4-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/768-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1376-21-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-19-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-20-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-26-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/2020-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2328-7-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download
memory/2328-1-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download
memory/2328-0-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download