qakbot | d5b58d2e0b7c815277c77ff4fc59122bdb6c592f855259b551dea1c811a89526

General

Target

0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll
Size

689KB
MD5

fce20c78174b38ef7491e97461efce9e
SHA1

594a74c8197228ac25eafd058ade9ec40533aad7
SHA256

0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b
SHA512

84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833
SSDEEP

12288:BrI0bPKn8p/S0jXgfFWVkMXl2xAgwFX2ddG83tNzZ0XssC82H6/vLyWMAy:pI0bP1XWMXsAZX6JcTLdMN

Score

10^/10

qakbot obama117 1634545803 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama117

Campaign

1634545803

C2

176.45.53.222:443

220.255.25.28:2222

91.178.126.51:995

2.222.167.138:443

65.100.174.110:995

105.198.236.99:995

115.96.64.9:995

196.207.140.40:995

24.231.209.2:2222

146.66.238.74:443

103.82.211.39:995

65.100.174.110:443

103.142.10.177:443

140.82.49.12:443

78.105.213.151:995

41.86.42.158:995

89.101.97.139:443

120.150.218.241:995

24.119.214.7:443

103.143.8.71:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Iotryushig = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Rdbuqoizpbbn = "0"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2132 regsvr32.exe

pid	process
2132	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exeexplorer.exeschtasks.exeregsvr32.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\66c07be5 = 6189ef01c15e029a3df7264e6a6b43c999c41c7e2d01bb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\a374530a = 37924268f19522a983377d1677a7254aab4f490532c5b77181a2c476bf4c204b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\1bc8346f = d23d7d0c17c72a33c8edf60a0e8c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\dc3d3cfc = 05d5f11aa39e0ab4562bd2ba284f45c91a905ba40724f11cfe7bdaf6e48cd79c11b882a2d62b37e5d568378bf1bda8a3251f420964b5e66fc3308047ef1fdca123babb4fa9d74be4e22c5dc9c130530d0b697970795711b2105a3f24920b32	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\2e57e421 = 6f9fa67909d7b349443a0f457c4f0c7061812dc7aaaeda6476fd24a5a89da1178297965a4815e7a39a95d8318901b6640d1c45b454be3c1d6170f7a0bebe60458f4aa04830b54183c3e1f283a46e3555a88b65f6767e46bde66d32779bede4f645523b4d1ec5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\511e8bd7 = de53c2f778e795840706af96ee423cd837ffe2c53fe0feee5350292e	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\511e8bd7 = de53d5f778e7a0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\64815b99 = 03a0c82381066607eba2cfe90b4f2298f0842e7ca99368949b028efc16f10f83bb8aa2741d2ab7bd5b589af2b2b5a963408ea240a8d629ac43fdefd4eabec31b5bdc01b6993d09625fe6136982b13cc6ed4d1931e9eafaa81cdca332eb45d6569e08386a73b9a79462a5e4b39e34fbe77509db093943621eafd94ef96eb292474976f13b579fd17224758c648b1a9c053f1092448b4cb82544b9befdd506d8f461fde4830f1a3f500d2e3f1f2c490e75928be542d1e96bf5f543	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\de7c1c80 = ac048f5b3d71573f7f6443d615ecca2b59a2f67ed86c3e76eeeea209ec20b71154eec0cb14fc3b2d0dca1962ed3ee0db8e23cf5fdba955baefc5c853f9e90cc8898418f29990cdc61ddada3d7d5a3fa965a8d32a029138a2d5154776	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1172 rundll32.exe
2132 regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exeregsvr32.exe

pid process

1172 rundll32.exe
2132 regsvr32.exe

pid	process
2976	schtasks.exe

pid	process
1172	rundll32.exe
2132	regsvr32.exe

pid	process
1172	rundll32.exe
2132	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1172	2004	rundll32.exe	rundll32.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 1172 wrote to memory of 2332	1172	rundll32.exe	explorer.exe
PID 2332 wrote to memory of 2976	2332	explorer.exe	schtasks.exe
PID 2332 wrote to memory of 2976	2332	explorer.exe	schtasks.exe
PID 2332 wrote to memory of 2976	2332	explorer.exe	schtasks.exe
PID 2332 wrote to memory of 2976	2332	explorer.exe	schtasks.exe
PID 636 wrote to memory of 1952	636	taskeng.exe	regsvr32.exe
PID 636 wrote to memory of 1952	636	taskeng.exe	regsvr32.exe
PID 636 wrote to memory of 1952	636	taskeng.exe	regsvr32.exe
PID 636 wrote to memory of 1952	636	taskeng.exe	regsvr32.exe
PID 636 wrote to memory of 1952	636	taskeng.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	regsvr32.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	explorer.exe
PID 2916 wrote to memory of 1948	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1948	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1948	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1948	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1292	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1292	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1292	2916	explorer.exe	reg.exe
PID 2916 wrote to memory of 1292	2916	explorer.exe	reg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gjdjvswtv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll\"" /SC ONCE /Z /ST 14:11 /ET 14:23
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2976

C:\Windows\system32\taskeng.exe
taskeng.exe {42541169-1E51-4193-BE63-3E21DED17309} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Iotryushig" /d "0"
        5⤵
        Windows security bypass
        
        PID:1948
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rdbuqoizpbbn" /d "0"
        5⤵
        Windows security bypass
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll

Filesize
689KB

MD5
fce20c78174b38ef7491e97461efce9e

SHA1
594a74c8197228ac25eafd058ade9ec40533aad7

SHA256
0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

SHA512
84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1172-4-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-3-0x00000000745DC000-0x00000000745E2000-memory.dmp

Filesize
24KB

Download
memory/1172-0-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-1-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-8-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/2132-25-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2132-20-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2132-21-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2332-5-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2332-15-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-12-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-13-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-11-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-7-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2916-27-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2916-29-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2916-28-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads