qakbot | 4bd9bde3970fb7ae3fefb0c70d36a4e1da7ef94b4fb0cb7b867835bbc7373d98

General

Target

Darlehensvertrag_237886470423_19052020.vbs
Size

36.3MB
MD5

a6eb9d904fc5eddda76ad4f9cf678e03
SHA1

c370a3c9e108ae2452dfdedc91a2aa04634c7002
SHA256

dfacae17a54e54e9b25d77399619859ed6b196318bd06341c22c7a8b4a090254
SHA512

c00ac4ecaf2623ac4eb4d47191b3b0608d80bd3da552310652a2ccbc306b408f8c0d6d9e3f35208e2ad93b0c7a872ff8c055db7f2a3ecbb259ae639b55d780fb

Score

10^/10

trojan banker stealer qakbot

Malware Config

Extracted

Family

qakbot

Botnet

spx123

Campaign

1589977350

C2

71.77.252.14:2222

174.130.225.61:443

76.187.97.98:2222

187.19.151.218:995

82.127.193.151:2222

72.204.242.138:993

66.208.105.6:443

24.183.39.93:443

98.243.187.85:443

68.49.120.179:443

72.204.242.138:995

72.29.181.77:2078

72.204.242.138:443

24.136.33.120:2222

96.56.237.174:990

107.2.148.99:443

216.201.162.158:443

71.213.29.14:995

84.247.55.190:443

Signatures

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PicturesViewer.exeffovc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	PicturesViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	ffovc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	ffovc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	ffovc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	ffovc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	ffovc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	PicturesViewer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	ffovc.exe

Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 3656 WScript.exe

flow	pid	process
4	3656	WScript.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exePicturesViewer.exeffovc.exe

description	pid	process	target process
PID 3656 wrote to memory of 3936	3656	WScript.exe	PicturesViewer.exe
PID 3656 wrote to memory of 3936	3656	WScript.exe	PicturesViewer.exe
PID 3656 wrote to memory of 3936	3656	WScript.exe	PicturesViewer.exe
PID 3936 wrote to memory of 3956	3936	PicturesViewer.exe	PicturesViewer.exe
PID 3936 wrote to memory of 3956	3936	PicturesViewer.exe	PicturesViewer.exe
PID 3936 wrote to memory of 3956	3936	PicturesViewer.exe	PicturesViewer.exe
PID 3936 wrote to memory of 3940	3936	PicturesViewer.exe	ffovc.exe
PID 3936 wrote to memory of 3940	3936	PicturesViewer.exe	ffovc.exe
PID 3936 wrote to memory of 3940	3936	PicturesViewer.exe	ffovc.exe
PID 3936 wrote to memory of 3976	3936	PicturesViewer.exe	schtasks.exe
PID 3936 wrote to memory of 3976	3936	PicturesViewer.exe	schtasks.exe
PID 3936 wrote to memory of 3976	3936	PicturesViewer.exe	schtasks.exe
PID 3940 wrote to memory of 3008	3940	ffovc.exe	ffovc.exe
PID 3940 wrote to memory of 3008	3940	ffovc.exe	ffovc.exe
PID 3940 wrote to memory of 3008	3940	ffovc.exe	ffovc.exe
PID 3940 wrote to memory of 700	3940	ffovc.exe	explorer.exe
PID 3940 wrote to memory of 700	3940	ffovc.exe	explorer.exe
PID 3940 wrote to memory of 700	3940	ffovc.exe	explorer.exe
PID 3940 wrote to memory of 700	3940	ffovc.exe	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

PicturesViewer.exePicturesViewer.exeffovc.exeffovc.exe

pid process

3936 PicturesViewer.exe
3956 PicturesViewer.exe
3940 ffovc.exe
3008 ffovc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

PicturesViewer.exePicturesViewer.exeffovc.exeffovc.exeexplorer.exe

pid	process
3936	PicturesViewer.exe
3936	PicturesViewer.exe
3956	PicturesViewer.exe
3956	PicturesViewer.exe
3956	PicturesViewer.exe
3956	PicturesViewer.exe
3940	ffovc.exe
3940	ffovc.exe
3008	ffovc.exe
3008	ffovc.exe
3008	ffovc.exe
3008	ffovc.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe
700	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ffovc.exe

pid process

3940 ffovc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3976 schtasks.exe
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

pid	process
3940	ffovc.exe

pid	process
3976	schtasks.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_237886470423_19052020.vbs"
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
  C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
    C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
    3⤵
    - Checks SCSI registry key(s)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3940
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe /C
      4⤵
      Checks SCSI registry key(s)
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3008
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:700
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nwaiuqck /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I nwaiuqck" /SC ONCE /Z /ST 17:18 /ET 17:30
    3⤵
    - Creates scheduled task(s)
    PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Luolyfxaj\ffovc.exe

Download Submit
memory/3008-7-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3940-8-0x0000000002030000-0x000000000206A000-memory.dmp

Filesize
232KB

Download
memory/3956-3-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads