qakbot | ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d

General

Target

ec5702b803de813dbbcae69a2427d1fc.dll
Size

573KB
MD5

ec5702b803de813dbbcae69a2427d1fc
SHA1

e8a74a8db218b06dc1ecfce0147ef46deebd558f
SHA256

ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d
SHA512

b7e987afcfebaed5c22915b4c3c454190d55515ba6ca613dd5e1c4bfd7d8c3cabc84aff26da5f7de98127b4514fcb2b4ac7e17f1d7d028e2f09e518d124944b9
SSDEEP

12288:e87H3sH2k/e09A9tqKsuud0fl0pT7fEztxG9HBMbVNAfirS:eSs7/nYtqoE3MzO9HoHks

Score

10^/10

qakbot obama107 1633078880 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama107

Campaign

1633078880

C2

140.82.49.12:443

41.250.143.109:995

216.201.162.158:443

86.8.177.143:443

105.198.236.99:443

124.123.42.115:2222

217.17.56.163:443

37.210.152.224:995

190.198.206.189:2222

75.89.195.186:995

78.191.44.76:995

122.11.220.212:2222

68.186.192.69:443

159.2.51.200:2222

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

120.151.47.189:443

47.22.148.6:443

94.200.181.154:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Cpsevaevetwk = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ctqbhoxne = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1376 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2560 schtasks.exe

pid	process
1376	regsvr32.exe

pid	process
2560	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\d484009c = 3ab7bfeea290d035131236f0f4ecd96accb278ea9882d31b743d58adaf5d83d75f6653ef7351627720c65b638ea7c9ba3c53518706d89931807934e1597695d6edb566de8d652edd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\5be697cb = 6fc73bd825bf94c70da78a4e95de8e9a1bdbf8b86c895a3a9ed2a60eeda434e33eeff2fa1d301569166129b15ee73b6c8be467aaef6d2e5e3b00a5ee62b0c5f49553f3dc33e58f6209d1209b0de1407566623c18a32bff7e86feda7d	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\59a7b7b7 = 9c694449dc23aaaeb733c989526453dea08cea86b7b2d469f4ff0c0045555a931fed925f5e6787affd84a53cf9e1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\abcd6f6a = bdab855f5e47533c50cc660ba6f533daad3205edd644c1a4651853b80ef8ebaa9cd351e866fdc5af482e0a425d939311bc5de3621361	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\d484009c = 3ab7a8eea290e59fa209673f6caced900546ff5a1518e5faa02eb60772b41e9460c1210e562c0432277b6cdea7bf9156c30313aea9ae1961fc604a3c3c780ac741261b10b303f29fe6d32fa328ade89ef8b51d9aac9cf314281aa494eb	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Sqjziqu	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\e11bd0d2 = 4819e0cedc25ecc90bee1bd464645238a6964fe29619449f1da405e8ba450f0409162264317b04340462871582741377c76cebd8d8c68dd1c9bee8e0945a8cf53d1d44802cac2d76d8be0a437090980309fc7e47badf2397a311529149e6e88917f278d80d34e2df1abcae77a66501882a5506f511b19290ace9b184a58d9b28	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\e35af0ae = 722714dd0058bbbad0a852d3b997b900d7c208a80133783187dd2332e8422fdde20fe5cc7550df450636f759899429dd186f93ac4c15ea9094d395d770020d1ce52d0d1451020c3da759cbb88119ebd48579ea209ead306bcc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\26eed841 = 2e5bc4347ba8ac049e0fbcc4f8e766e448677e33f796f47010b5b7e63add42d65baab128941b54bb1c761602cba987b31fd0d21859caabe0b3ee04f3a1f153fbc4851f5a97fe04ac0b0597cbcc37219187196f11dc27580bf5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Sqjziqu\9e52bf24 = d1f0f8c35f03a44ca717c1329ed38d280e955a064e94b32842d428feca84878012d3075ead3466fd75400e76187247ccfd319db61bd91ea715fde639a734854a71fa497b7aa83ea78b50ec8f4a34dad34f760189f573b747650a3aaeec83a6d75ab995524d19cb88a1b21f	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2328 rundll32.exe
1376 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

2328 rundll32.exe
1376 regsvr32.exe

pid	process
2328	rundll32.exe
1376	regsvr32.exe

pid	process
2328	rundll32.exe
1376	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 2328	1064	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 2328 wrote to memory of 768	2328	rundll32.exe	explorer.exe
PID 768 wrote to memory of 2560	768	explorer.exe	schtasks.exe
PID 768 wrote to memory of 2560	768	explorer.exe	schtasks.exe
PID 768 wrote to memory of 2560	768	explorer.exe	schtasks.exe
PID 768 wrote to memory of 2560	768	explorer.exe	schtasks.exe
PID 2404 wrote to memory of 2216	2404	taskeng.exe	regsvr32.exe
PID 2404 wrote to memory of 2216	2404	taskeng.exe	regsvr32.exe
PID 2404 wrote to memory of 2216	2404	taskeng.exe	regsvr32.exe
PID 2404 wrote to memory of 2216	2404	taskeng.exe	regsvr32.exe
PID 2404 wrote to memory of 2216	2404	taskeng.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 2216 wrote to memory of 1376	2216	regsvr32.exe	regsvr32.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 1376 wrote to memory of 2020	1376	regsvr32.exe	explorer.exe
PID 2020 wrote to memory of 1836	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 1836	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 2252	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 2252	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 2252	2020	explorer.exe	reg.exe
PID 2020 wrote to memory of 2252	2020	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn yorbugg /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll\"" /SC ONCE /Z /ST 13:38 /ET 13:50
4⤵
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\taskeng.exe
taskeng.exe {90579455-4040-4769-BCF8-1C6A0AC61081} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Cpsevaevetwk" /d "0"
5⤵
- Windows security bypass
PID:1836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ctqbhoxne" /d "0"
5⤵
- Windows security bypass
PID:2252

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec5702b803de813dbbcae69a2427d1fc.dll
Filesize
573KB

MD5
ec5702b803de813dbbcae69a2427d1fc

SHA1
e8a74a8db218b06dc1ecfce0147ef46deebd558f

SHA256
ba7e19741fdd2bc1562f7be45830906c2dc2310720afb17b7c435b0197bffa5d

SHA512
b7e987afcfebaed5c22915b4c3c454190d55515ba6ca613dd5e1c4bfd7d8c3cabc84aff26da5f7de98127b4514fcb2b4ac7e17f1d7d028e2f09e518d124944b9

Download Submit
memory/768-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-4-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/768-6-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/768-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1376-21-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-19-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-20-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/1376-26-0x0000000074F60000-0x0000000075000000-memory.dmp

Filesize
640KB

Download
memory/2020-25-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-28-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-29-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2020-30-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2328-7-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download
memory/2328-1-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download
memory/2328-0-0x0000000075170000-0x0000000075210000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads