qakbot | 78f357f61ed20344d27a1323e6a5a87e2f9ac140064d7e57a77d195e599f6e4b

General

Target

JVC_47247.vbs
Size

4.3MB
MD5

2e5d0c5ceac5c6111a9ec881f7e4f3f4
SHA1

ba8a9af53583a01a0c4c49bf827a3433c203a983
SHA256

78f357f61ed20344d27a1323e6a5a87e2f9ac140064d7e57a77d195e599f6e4b
SHA512

1097085efc7bb40e55c1095b7b5c4ed3aecb9ab7d803cc91e9e042efee2cecc896643823ed0ade4017a228805ce5ed11881506d3742fc89ed72e9b05acd32745

Score

10^/10

trojan banker stealer qakbot

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 3560 WScript.exe

flow	pid	process
2	3560	WScript.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exeColorPick.exelaede.exe

description	pid	process	target process
PID 3560 wrote to memory of 352	3560	WScript.exe	ColorPick.exe
PID 3560 wrote to memory of 352	3560	WScript.exe	ColorPick.exe
PID 3560 wrote to memory of 352	3560	WScript.exe	ColorPick.exe
PID 352 wrote to memory of 3932	352	ColorPick.exe	ColorPick.exe
PID 352 wrote to memory of 3932	352	ColorPick.exe	ColorPick.exe
PID 352 wrote to memory of 3932	352	ColorPick.exe	ColorPick.exe
PID 352 wrote to memory of 820	352	ColorPick.exe	laede.exe
PID 352 wrote to memory of 820	352	ColorPick.exe	laede.exe
PID 352 wrote to memory of 820	352	ColorPick.exe	laede.exe
PID 352 wrote to memory of 1016	352	ColorPick.exe	schtasks.exe
PID 352 wrote to memory of 1016	352	ColorPick.exe	schtasks.exe
PID 352 wrote to memory of 1016	352	ColorPick.exe	schtasks.exe
PID 820 wrote to memory of 960	820	laede.exe	laede.exe
PID 820 wrote to memory of 960	820	laede.exe	laede.exe
PID 820 wrote to memory of 960	820	laede.exe	laede.exe
PID 820 wrote to memory of 1172	820	laede.exe	explorer.exe
PID 820 wrote to memory of 1172	820	laede.exe	explorer.exe
PID 820 wrote to memory of 1172	820	laede.exe	explorer.exe
PID 820 wrote to memory of 1172	820	laede.exe	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

ColorPick.exeColorPick.exelaede.exelaede.exe

pid process

352 ColorPick.exe
3932 ColorPick.exe
820 laede.exe
960 laede.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ColorPick.exeColorPick.exelaede.exelaede.exeexplorer.exe

pid	process
352	ColorPick.exe
352	ColorPick.exe
3932	ColorPick.exe
3932	ColorPick.exe
3932	ColorPick.exe
3932	ColorPick.exe
820	laede.exe
820	laede.exe
960	laede.exe
960	laede.exe
960	laede.exe
960	laede.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

laede.exe

pid process

820 laede.exe

pid	process
820	laede.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

laede.exeColorPick.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	laede.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	ColorPick.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	ColorPick.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	ColorPick.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service	ColorPick.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	laede.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc	laede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000	ColorPick.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	ColorPick.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service	laede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000	laede.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	laede.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe

pid	process
1016	schtasks.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JVC_47247.vbs"
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:3932

C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:820

C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks SCSI registry key(s)
PID:960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aoawgxpxy /tr "\"C:\Users\Admin\AppData\Local\Temp\ColorPick.exe\" /I aoawgxpxy" /SC ONCE /Z /ST 21:15 /ET 21:27
3⤵
- Creates scheduled task(s)
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Yqesdkn\laede.exe

Download Submit
memory/820-8-0x00000000020D0000-0x000000000210B000-memory.dmp

Filesize
236KB

Download
memory/960-7-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads