qakbot | 608a569b3caa54231e76b65fe3e1945a4c8af8a16eb1707a1ddb687fb3228495

General

Target

f4b4f95f4c8d9f32dcd54565a0626f6e.dll
Size

820KB
MD5

f4b4f95f4c8d9f32dcd54565a0626f6e
SHA1

c423b4ae7c02841400f29d16609131d333618a06
SHA256

608a569b3caa54231e76b65fe3e1945a4c8af8a16eb1707a1ddb687fb3228495
SHA512

66c164ed0fd57a8d59d42db3d5369f98432e327ee182af7f7f1fe20c486b27ce94ef1c79977ca9978a3a568d1d7cc54a3a1ef770f7d55815c207b73393cd5e1d
SSDEEP

24576:IO6c3oCrVA7bEK7mJaW2eX8TvE81oIzsk6EzCUfk7uu:GuVeEK7mmeX8TBoIzsk6hUf4B

Score

10^/10

qakbot obama112 1633682302 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama112

Campaign

1633682302

C2

98.157.235.126:443

124.123.42.115:2222

185.250.148.74:443

73.77.87.137:443

188.50.169.158:443

216.201.162.158:443

174.54.193.186:443

27.223.92.142:995

220.255.25.28:2222

103.142.10.177:443

2.222.167.138:443

66.177.215.152:0

122.11.220.212:2222

85.109.229.54:995

140.82.49.12:443

199.27.127.129:443

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

81.241.252.59:2078

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Zkwmvrwuro = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Eavgawkhr = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1644 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2212 schtasks.exe

pid	process
1644	regsvr32.exe

pid	process
2212	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\ffcca912 = 8011e94c13d681e628e2362c7f0df4ee7d3a6a3c151d6245a2dfb711cfc9d59ebcfba3f765c27e3321fc137870b976f141de8d1fa718cb037057a04d4fc8003fcb1e872393eefb30f899cd0fd2e0a60726ac799da8262e9df39a2d4877fa8c305505fd2f7ff3107265ecd0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\4531ee0b = 8b7da503a7e6f697fd91a79d4c94f2039c36699ca4cea76e0f7c86ba0bbc5f160f9ec8ea0d974d5d1d0b8056a2e9a618935c97c53e514230c570ec44f1869e30bfae3f37ed948357820c5d9dbd	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\3839a181 = 57905f515a688da19e7ab43b8ca628000d7cf3a3dccd7f9dc465604d1dadd56e93b0e5ceaae4e7e80d0b29955798	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\ca53795c = 4ddb3568e7382dfa8a8d0e21c85d2b40736f4e701aa60fe6fb10f0114c2939fd9894b7a2238613e7aa5f1dedf8ff598b8de40505c9a2ccc56ce9ca7a7a177a446d2e77e368044c59698defb0a266e009b8e9131e4c1f93c94c26720871f326947d0adbaf1074d90ceab1	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\b51a16aa = 3aaff3f6c4842135667f91ecaca2f3dff52ec793c01bbb371e932a185371d2bb2dc86fc278f0296f93e2a87dde0fa2438930c1bc1d95108ffde99fa4bf279ba41088ce	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Smlsuiigixz	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\ca53795c = 4ddb2268e73818080578369518499c42068e145de80d95477ea10cfe23934e54de04138370c2fd19c9512f1a2376a8de03d393a434f1e2d95f6148448625d4c26a216cb6241624443ec7c319e0f4bc2eb8319c4eb8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\fd8d896e = 3aec43add7c11627c6a5415e43ed34a4ed0aa100562aae7980bd7c69e20b549b314a876cbc4dc1c643eaf80a5da6ac24deed1009f95fe34a04a352d797fb7782	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\8085c6e4 = 98952cc8239c4b24e54c8c0ca5a1747bbaff83ce96c6c1d14d3452a044f8d7a83ee727782f004a0ce20d160bce4a57907d56996c53e505d5cb011868107784a416d2622ef7c6fba9506196a115a563b18fe077bc9c27	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Smlsuiigixz\4770ce77 = 7e3414d137fbc663d7ef365f13d624ab32879f7fffb88932f7b7e9f0e3ed4c69c85ed20796e927b28f5b4c81a1847567a4e27f6d8d62	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3032 rundll32.exe
1644 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

3032 rundll32.exe
1644 regsvr32.exe

pid	process
3032	rundll32.exe
1644	regsvr32.exe

pid	process
3032	rundll32.exe
1644	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 2672 wrote to memory of 3032	2672	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 3032 wrote to memory of 2052	3032	rundll32.exe	explorer.exe
PID 2052 wrote to memory of 2212	2052	explorer.exe	schtasks.exe
PID 2052 wrote to memory of 2212	2052	explorer.exe	schtasks.exe
PID 2052 wrote to memory of 2212	2052	explorer.exe	schtasks.exe
PID 2052 wrote to memory of 2212	2052	explorer.exe	schtasks.exe
PID 2896 wrote to memory of 620	2896	taskeng.exe	regsvr32.exe
PID 2896 wrote to memory of 620	2896	taskeng.exe	regsvr32.exe
PID 2896 wrote to memory of 620	2896	taskeng.exe	regsvr32.exe
PID 2896 wrote to memory of 620	2896	taskeng.exe	regsvr32.exe
PID 2896 wrote to memory of 620	2896	taskeng.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 620 wrote to memory of 1644	620	regsvr32.exe	regsvr32.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 1644 wrote to memory of 240	1644	regsvr32.exe	explorer.exe
PID 240 wrote to memory of 2580	240	explorer.exe	reg.exe
PID 240 wrote to memory of 2580	240	explorer.exe	reg.exe
PID 240 wrote to memory of 2580	240	explorer.exe	reg.exe
PID 240 wrote to memory of 2580	240	explorer.exe	reg.exe
PID 240 wrote to memory of 1964	240	explorer.exe	reg.exe
PID 240 wrote to memory of 1964	240	explorer.exe	reg.exe
PID 240 wrote to memory of 1964	240	explorer.exe	reg.exe
PID 240 wrote to memory of 1964	240	explorer.exe	reg.exe

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn riscmddtj /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll\"" /SC ONCE /Z /ST 18:06 /ET 18:18
3⤵
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\taskeng.exe
taskeng.exe {8914BF12-E7CD-456C-B6AE-B6F25415D6A0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Zkwmvrwuro" /d "0"
5⤵
- Windows security bypass
PID:2580

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Eavgawkhr" /d "0"
5⤵
- Windows security bypass
PID:1964

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f4b4f95f4c8d9f32dcd54565a0626f6e.dll
Filesize
820KB

MD5
f4b4f95f4c8d9f32dcd54565a0626f6e

SHA1
c423b4ae7c02841400f29d16609131d333618a06

SHA256
608a569b3caa54231e76b65fe3e1945a4c8af8a16eb1707a1ddb687fb3228495

SHA512
66c164ed0fd57a8d59d42db3d5369f98432e327ee182af7f7f1fe20c486b27ce94ef1c79977ca9978a3a568d1d7cc54a3a1ef770f7d55815c207b73393cd5e1d

Download Submit
memory/240-32-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/240-29-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/240-30-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/240-28-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/240-25-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1644-26-0x0000000074470000-0x00000000745D6000-memory.dmp

Filesize
1.4MB

Download
memory/1644-22-0x0000000074470000-0x00000000745D6000-memory.dmp

Filesize
1.4MB

Download
memory/1644-20-0x0000000074470000-0x00000000745D6000-memory.dmp

Filesize
1.4MB

Download
memory/1644-19-0x0000000074470000-0x00000000745D6000-memory.dmp

Filesize
1.4MB

Download
memory/2052-7-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2052-14-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2052-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2052-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2052-10-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2052-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/3032-6-0x0000000074FA0000-0x0000000075106000-memory.dmp

Filesize
1.4MB

Download
memory/3032-0-0x0000000074FA0000-0x0000000075106000-memory.dmp

Filesize
1.4MB

Download
memory/3032-1-0x0000000074FA0000-0x0000000075106000-memory.dmp

Filesize
1.4MB

Download
memory/3032-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3032-2-0x0000000074FA0000-0x0000000075106000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads