qakbot | d5b58d2e0b7c815277c77ff4fc59122bdb6c592f855259b551dea1c811a89526

Analysis

max time kernel
139s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 14:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll
Size

689KB
MD5

fce20c78174b38ef7491e97461efce9e
SHA1

594a74c8197228ac25eafd058ade9ec40533aad7
SHA256

0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b
SHA512

84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833
SSDEEP

12288:BrI0bPKn8p/S0jXgfFWVkMXl2xAgwFX2ddG83tNzZ0XssC82H6/vLyWMAy:pI0bP1XWMXsAZX6JcTLdMN

Score

10^/10

qakbot obama117 1634545803 banker discovery evasion stealer trojan

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

obama117

Campaign

1634545803

176.45.53.222:443

220.255.25.28:2222

91.178.126.51:995

2.222.167.138:443

65.100.174.110:995

105.198.236.99:995

115.96.64.9:995

196.207.140.40:995

24.231.209.2:2222

146.66.238.74:443

103.82.211.39:995

65.100.174.110:443

103.142.10.177:443

140.82.49.12:443

78.105.213.151:995

41.86.42.158:995

89.101.97.139:443

120.150.218.241:995

24.119.214.7:443

103.143.8.71:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Iotryushig = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Rdbuqoizpbbn = "0"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\66c07be5 = 6189ef01c15e029a3df7264e6a6b43c999c41c7e2d01bb	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\a374530a = 37924268f19522a983377d1677a7254aab4f490532c5b77181a2c476bf4c204b	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\1bc8346f = d23d7d0c17c72a33c8edf60a0e8c	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\dc3d3cfc = 05d5f11aa39e0ab4562bd2ba284f45c91a905ba40724f11cfe7bdaf6e48cd79c11b882a2d62b37e5d568378bf1bda8a3251f420964b5e66fc3308047ef1fdca123babb4fa9d74be4e22c5dc9c130530d0b697970795711b2105a3f24920b32	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\2e57e421 = 6f9fa67909d7b349443a0f457c4f0c7061812dc7aaaeda6476fd24a5a89da1178297965a4815e7a39a95d8318901b6640d1c45b454be3c1d6170f7a0bebe60458f4aa04830b54183c3e1f283a46e3555a88b65f6767e46bde66d32779bede4f645523b4d1ec5	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\511e8bd7 = de53c2f778e795840706af96ee423cd837ffe2c53fe0feee5350292e	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\511e8bd7 = de53d5f778e7a0	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\64815b99 = 03a0c82381066607eba2cfe90b4f2298f0842e7ca99368949b028efc16f10f83bb8aa2741d2ab7bd5b589af2b2b5a963408ea240a8d629ac43fdefd4eabec31b5bdc01b6993d09625fe6136982b13cc6ed4d1931e9eafaa81cdca332eb45d6569e08386a73b9a79462a5e4b39e34fbe77509db093943621eafd94ef96eb292474976f13b579fd17224758c648b1a9c053f1092448b4cb82544b9befdd506d8f461fde4830f1a3f500d2e3f1f2c490e75928be542d1e96bf5f543	explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Bxptmnqjx\de7c1c80 = ac048f5b3d71573f7f6443d615ecca2b59a2f67ed86c3e76eeeea209ec20b71154eec0cb14fc3b2d0dca1962ed3ee0db8e23cf5fdba955baefc5c853f9e90cc8898418f29990cdc61ddada3d7d5a3fa965a8d32a029138a2d5154776	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1172	rundll32.exe
2132	regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1172	rundll32.exe
2132	regsvr32.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 2004 wrote to memory of 1172	2004	rundll32.exe	30
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 1172 wrote to memory of 2332	1172	rundll32.exe	31
PID 2332 wrote to memory of 2976	2332	explorer.exe	32
PID 2332 wrote to memory of 2976	2332	explorer.exe	32
PID 2332 wrote to memory of 2976	2332	explorer.exe	32
PID 2332 wrote to memory of 2976	2332	explorer.exe	32
PID 636 wrote to memory of 1952	636	taskeng.exe	36
PID 636 wrote to memory of 1952	636	taskeng.exe	36
PID 636 wrote to memory of 1952	636	taskeng.exe	36
PID 636 wrote to memory of 1952	636	taskeng.exe	36
PID 636 wrote to memory of 1952	636	taskeng.exe	36
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 1952 wrote to memory of 2132	1952	regsvr32.exe	37
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2132 wrote to memory of 2916	2132	regsvr32.exe	38
PID 2916 wrote to memory of 1948	2916	explorer.exe	39
PID 2916 wrote to memory of 1948	2916	explorer.exe	39
PID 2916 wrote to memory of 1948	2916	explorer.exe	39
PID 2916 wrote to memory of 1948	2916	explorer.exe	39
PID 2916 wrote to memory of 1292	2916	explorer.exe	41
PID 2916 wrote to memory of 1292	2916	explorer.exe	41
PID 2916 wrote to memory of 1292	2916	explorer.exe	41
PID 2916 wrote to memory of 1292	2916	explorer.exe	41

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gjdjvswtv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll\"" /SC ONCE /Z /ST 14:11 /ET 14:23
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2976

C:\Windows\system32\taskeng.exe
taskeng.exe {42541169-1E51-4193-BE63-3E21DED17309} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\regsvr32.exe
    -s "C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Iotryushig" /d "0"
        5⤵
        Windows security bypass
        
        PID:1948
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Rdbuqoizpbbn" /d "0"
        5⤵
        Windows security bypass
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b.dll

Filesize
689KB

MD5
fce20c78174b38ef7491e97461efce9e

SHA1
594a74c8197228ac25eafd058ade9ec40533aad7

SHA256
0def0284732d41ec83ce66364d566b6aa3d914d5e0d7c4dff68eae15df5d557b

SHA512
84a1bcfad2fbac58d733cb43945309921e89272ea47030d9e9cc9b17813279e26e0410e65296065e3f825de3a47b7486cf65e07e62dfd1ccd63cede744b83833

Download Submit
memory/1172-4-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-3-0x00000000745DC000-0x00000000745E2000-memory.dmp

Filesize
24KB

Download
memory/1172-0-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-1-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/1172-8-0x0000000074530000-0x00000000745ED000-memory.dmp

Filesize
756KB

Download
memory/2132-25-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2132-20-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2132-21-0x0000000073B30000-0x0000000073BED000-memory.dmp

Filesize
756KB

Download
memory/2332-5-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2332-15-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-12-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-13-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-11-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2332-7-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/2916-27-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2916-29-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/2916-28-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.