qakbot | dbe3468fbf17c02a99b49ee5fca4837811e4bf8e2877374423c2d4512f060569

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc77868aae55037dccd9e6734c0bda1f.dll
Size

820KB
MD5

fc77868aae55037dccd9e6734c0bda1f
SHA1

625c1d5de4fb7e5fae3440892e122685b004f88e
SHA256

dbe3468fbf17c02a99b49ee5fca4837811e4bf8e2877374423c2d4512f060569
SHA512

c494179fb0bd6cfc56e19795830c4ea1afdc1eda4c70ae0420c9e967a4d4c7425023efdb41d7e5bd8ac27b3ff0cb10e7212929d7d27794f2d0575316a9bea327
SSDEEP

24576:nO6c3oCrVA7bEK7mJaW2eX8TvE81gIzsk6EzCUfk7Ou:duVeEK7mmeX8TBgIzsk6hUf4h

Score

10^/10

qakbot obama112 1633682302 banker evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama112

Campaign

1633682302

98.157.235.126:443

124.123.42.115:2222

185.250.148.74:443

73.77.87.137:443

188.50.169.158:443

216.201.162.158:443

174.54.193.186:443

27.223.92.142:995

220.255.25.28:2222

103.142.10.177:443

2.222.167.138:443

66.177.215.152:0

122.11.220.212:2222

85.109.229.54:995

140.82.49.12:443

199.27.127.129:443

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

81.241.252.59:2078

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Ynntszayho = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Oiqnuyinyi = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
2456	regsvr32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2888	schtasks.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\542f823e = 8d8541737d4670768ba77f83f716c483cd5c22e976fe40a2f452c1dad68722f07d5001718df6f35219a55579a4174437aca63197f3bf	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\61b05270 = f0c758a3125b5c0b59ab6aeb9bc7171e3a243bfce558fd829fe5507ba8ace6f037fd9ccdd615c17b82b70b5a9575c5eb547e4e71d4ab4ba83ea2b871a52254a428914856b0a4e9fcd0392c5ad6145b19766c74d74c96c9a70aab51f164ab8d7b03ef91ad2b08b665defe785d60085ab4478d35d645fd7e6171b2f18d0377f8bb1725db7f0d0b2c604e293a166f850e88a333db6f	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\63f1720c = 727a85cbf95c47d4ac876ace0d90fac2ea54a8a96a5e12b58a2250dd5a9e87026ae78bc2fc	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\2b66edc8 = 3b3272c705184063be13b98d52e2d654fe37a5a2b5bd20247e9dbbf1f212e8	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\542f823e = 8d8556737d4645e2bd3c0b0b05813f12aee7f59bd7d68a40b1bb38a9644cd36f8863618232c9cd8be51f8dd32cd23af05b81b78f5a826fdcf3d6256a6b049fb73c04b2ba6b18879f412c6a	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Gigtucgwzloe	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\db4d1569 = 938260491b95ae7fe461415bf388146e0a43bb5a38adf8d43b5ddacd1ac67b389415827f6f5d735eb891e828be2a1fd08e8b48b44e1208150ee63d1b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\a6455ae3 = 1023ef85c74ac099c5f080ed0876bc992785ffb7245f32269655c0649cd0f75c3a1ffe3ce459385a0d98663367a753fcdc172bac2443fad451cc093485	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\1ef93d86 = 23ef97233e7eb2d604765cbb9e68417d9b30c106376a51eebf26bdebdc5aa71fcb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Gigtucgwzloe\d90c3515 = 43ed587c9952230a7de2f583f2d8d52abcb3d4f5d629958e10c48c02f8bed9e25f5c58a1e0dc1f3a392ff5c39b8098e84885fc80c268a58043340a7a2c0a78be603e52f18c62a324deeca3e68e9ea771a110c00a165777bd8b3c1dc4cd3a5df3	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2856	rundll32.exe
2456	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid	Process
2856	rundll32.exe
2456	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	Process	procid_target
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2852 wrote to memory of 2856	2852	rundll32.exe	17
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2856 wrote to memory of 2192	2856	rundll32.exe	29
PID 2192 wrote to memory of 2888	2192	explorer.exe	30
PID 2192 wrote to memory of 2888	2192	explorer.exe	30
PID 2192 wrote to memory of 2888	2192	explorer.exe	30
PID 2192 wrote to memory of 2888	2192	explorer.exe	30
PID 1604 wrote to memory of 2392	1604	taskeng.exe	35
PID 1604 wrote to memory of 2392	1604	taskeng.exe	35
PID 1604 wrote to memory of 2392	1604	taskeng.exe	35
PID 1604 wrote to memory of 2392	1604	taskeng.exe	35
PID 1604 wrote to memory of 2392	1604	taskeng.exe	35
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2392 wrote to memory of 2456	2392	regsvr32.exe	36
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2456 wrote to memory of 2816	2456	regsvr32.exe	41
PID 2816 wrote to memory of 2492	2816	explorer.exe	38
PID 2816 wrote to memory of 2492	2816	explorer.exe	38
PID 2816 wrote to memory of 2492	2816	explorer.exe	38
PID 2816 wrote to memory of 2492	2816	explorer.exe	38
PID 2816 wrote to memory of 1992	2816	explorer.exe	40
PID 2816 wrote to memory of 1992	2816	explorer.exe	40
PID 2816 wrote to memory of 1992	2816	explorer.exe	40
PID 2816 wrote to memory of 1992	2816	explorer.exe	40

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fgmpbbke /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll\"" /SC ONCE /Z /ST 06:49 /ET 07:01
      4⤵
      Creates scheduled task(s)
      PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {F81ACF88-994D-468E-A1AF-CABF332059A8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Ynntszayho" /d "0"
1⤵
- Windows security bypass
PID:2492

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oiqnuyinyi" /d "0"
1⤵
- Windows security bypass
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll

Filesize
286KB

MD5
f66a662db37858b85d0ad354419d6b21

SHA1
15146136f0405261be59ccccde94bac62d6ec25c

SHA256
e3e0b6219f2df10264d26ced50d1df3b55bfc8d2a73eb2d6439a02214cbd3601

SHA512
83b098295a7a96698efb84f9c2adfde9424a7fae88517239feccafb51f54184c2db210844e1cb922c807bdc32514f1aeb80e57453f5d677fbedacb74070b2ef1

Download Submit
\Users\Admin\AppData\Local\Temp\fc77868aae55037dccd9e6734c0bda1f.dll

Filesize
233KB

MD5
dfd95e6ca036f49affef22e0242888db

SHA1
6a2a9b68fc6aa6e4896941fb522b578623df4071

SHA256
04fe155f5ba4d99cea69aff270cce01a3ea3b64761a3f51612fbe2a24ef6478d

SHA512
6e37509c5ec51f56ed0aa09f21d81d645f35dd7e180c0609a9e683bbd83b0411a512c5e55746ce8c38fbf9743febdee36e567bb73e422a75411449ffebe53788

Download Submit
memory/2192-15-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2192-13-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2192-5-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2192-8-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2192-12-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2192-11-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2456-21-0x0000000073910000-0x0000000073A76000-memory.dmp

Filesize
1.4MB

Download
memory/2456-20-0x0000000073910000-0x0000000073A76000-memory.dmp

Filesize
1.4MB

Download
memory/2456-22-0x0000000073910000-0x0000000073A76000-memory.dmp

Filesize
1.4MB

Download
memory/2456-26-0x0000000073910000-0x0000000073A76000-memory.dmp

Filesize
1.4MB

Download
memory/2816-25-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2816-30-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2816-29-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2816-28-0x00000000000D0000-0x00000000000F1000-memory.dmp

Filesize
132KB

Download
memory/2856-7-0x0000000074420000-0x0000000074586000-memory.dmp

Filesize
1.4MB

Download
memory/2856-0-0x0000000074420000-0x0000000074586000-memory.dmp

Filesize
1.4MB

Download
memory/2856-4-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2856-2-0x0000000074420000-0x0000000074586000-memory.dmp

Filesize
1.4MB

Download
memory/2856-1-0x0000000074420000-0x0000000074586000-memory.dmp

Filesize
1.4MB

Download