qakbot | ec38eb6ee133958ef6cc3bfa257d9368c615b3182d22282f63d12ca7f2b2c5be

General

Target

444444.png.exe
Size

2.3MB
MD5

f8849261a9db65164958d8c99ebc1f13
SHA1

004818f4c927ba99a0694fd94cc754dd4df731fd
SHA256

ec38eb6ee133958ef6cc3bfa257d9368c615b3182d22282f63d12ca7f2b2c5be
SHA512

7532e2943353bc7c38b54c7c128f27cccc41cfc2e5dfc86cd899de5c50b1af102f2dbd6648086a9d2d8b38797c27b6555fb2803594e2b7d1de266418e0b86bde

Score

10^/10

evasion trojan persistence banker stealer qakbot

Malware Config

Extracted

Family

qakbot

Botnet

spx96

Campaign

1586873043

C2

72.209.191.27:443

173.22.120.11:2222

108.227.161.27:995

172.87.134.226:443

181.197.195.138:995

98.21.52.194:443

76.180.69.236:443

68.98.142.248:443

68.52.164.175:443

39.59.63.142:995

35.142.126.181:443

96.35.170.82:2222

75.111.145.5:443

47.214.144.253:443

74.105.139.160:443

67.8.103.21:443

50.108.212.180:443

83.25.7.201:2222

188.25.237.208:443

184.167.2.251:2222

Signatures

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wbtdi.exe

pid process

1048 wbtdi.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1488 PING.EXE
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

pid	process
1048	wbtdi.exe

pid	process
1488	PING.EXE

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

444444.png.exewbtdi.exetaskeng.exe444444.png.exe

description	pid	process	target process
PID 272 wrote to memory of 824	272	444444.png.exe	444444.png.exe
PID 272 wrote to memory of 824	272	444444.png.exe	444444.png.exe
PID 272 wrote to memory of 824	272	444444.png.exe	444444.png.exe
PID 272 wrote to memory of 824	272	444444.png.exe	444444.png.exe
PID 272 wrote to memory of 1048	272	444444.png.exe	wbtdi.exe
PID 272 wrote to memory of 1048	272	444444.png.exe	wbtdi.exe
PID 272 wrote to memory of 1048	272	444444.png.exe	wbtdi.exe
PID 272 wrote to memory of 1048	272	444444.png.exe	wbtdi.exe
PID 1048 wrote to memory of 1028	1048	wbtdi.exe	wbtdi.exe
PID 1048 wrote to memory of 1028	1048	wbtdi.exe	wbtdi.exe
PID 1048 wrote to memory of 1028	1048	wbtdi.exe	wbtdi.exe
PID 1048 wrote to memory of 1028	1048	wbtdi.exe	wbtdi.exe
PID 272 wrote to memory of 1512	272	444444.png.exe	schtasks.exe
PID 272 wrote to memory of 1512	272	444444.png.exe	schtasks.exe
PID 272 wrote to memory of 1512	272	444444.png.exe	schtasks.exe
PID 272 wrote to memory of 1512	272	444444.png.exe	schtasks.exe
PID 1048 wrote to memory of 1764	1048	wbtdi.exe	explorer.exe
PID 1048 wrote to memory of 1764	1048	wbtdi.exe	explorer.exe
PID 1048 wrote to memory of 1764	1048	wbtdi.exe	explorer.exe
PID 1048 wrote to memory of 1764	1048	wbtdi.exe	explorer.exe
PID 1048 wrote to memory of 1764	1048	wbtdi.exe	explorer.exe
PID 480 wrote to memory of 1516	480	taskeng.exe	444444.png.exe
PID 480 wrote to memory of 1516	480	taskeng.exe	444444.png.exe
PID 480 wrote to memory of 1516	480	taskeng.exe	444444.png.exe
PID 480 wrote to memory of 1516	480	taskeng.exe	444444.png.exe
PID 1516 wrote to memory of 1656	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1656	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1656	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1656	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1608	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1608	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1608	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1608	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1644	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1644	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1644	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1644	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1588	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1588	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1588	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1588	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1008	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1008	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1008	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1008	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2024	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2024	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2024	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2024	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1996	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1996	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1996	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1996	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1256	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1256	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1256	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 1256	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2044	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2044	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2044	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 2044	1516	444444.png.exe	reg.exe
PID 1516 wrote to memory of 836	1516	444444.png.exe	wbtdi.exe
PID 1516 wrote to memory of 836	1516	444444.png.exe	wbtdi.exe
PID 1516 wrote to memory of 836	1516	444444.png.exe	wbtdi.exe

Loads dropped DLL 3 IoCs

Processes:

444444.png.exe444444.png.exe

pid process

272 444444.png.exe
272 444444.png.exe
1516 444444.png.exe

Turns off Windows Defender SpyNet reporting 6 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	reg.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

444444.png.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	444444.png.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	444444.png.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	444444.png.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\mmpjxkrc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Pwxnkejim\\wbtdi.exe\""	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe

pid	process
1512	schtasks.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

444444.png.exe444444.png.exewbtdi.exewbtdi.exeexplorer.exe444444.png.exewbtdi.exewbtdi.exe

pid	process
272	444444.png.exe
824	444444.png.exe
824	444444.png.exe
1048	wbtdi.exe
1028	wbtdi.exe
1028	wbtdi.exe
1764	explorer.exe
1764	explorer.exe
1516	444444.png.exe
836	wbtdi.exe
1432	wbtdi.exe
1432	wbtdi.exe

Executes dropped EXE 4 IoCs

Processes:

wbtdi.exewbtdi.exewbtdi.exewbtdi.exe

pid process

1048 wbtdi.exe
1028 wbtdi.exe
836 wbtdi.exe
1432 wbtdi.exe

pid	process
1048	wbtdi.exe
1028	wbtdi.exe
836	wbtdi.exe
1432	wbtdi.exe

C:\Users\Admin\AppData\Local\Temp\444444.png.exe
"C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:272

C:\Users\Admin\AppData\Local\Temp\444444.png.exe
C:\Users\Admin\AppData\Local\Temp\444444.png.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe /C
3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nsvwuptm /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.png.exe\" /I nsvwuptm" /SC ONCE /Z /ST 18:07 /ET 18:19
2⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\taskeng.exe
taskeng.exe {F5566AAA-8FDB-4FDC-86A7-70F89B5ACB48} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Users\Admin\AppData\Local\Temp\444444.png.exe
C:\Users\Admin\AppData\Local\Temp\444444.png.exe /I nsvwuptm
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:1656

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:1608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1644

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:1008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:2024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:1996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
- Turns off Windows Defender SpyNet reporting
- Windows security modification
PID:1256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim" /d "0"
3⤵
- Windows security bypass
PID:2044

C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:836

C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe /C
4⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\444444.png.exe"
3⤵
PID:1788

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:1488

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN nsvwuptm
3⤵
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Pwxnkejim\wbtdi.exe

Download Submit
memory/824-0-0x0000000002490000-0x00000000024A1000-memory.dmp

Filesize
68KB

Download
memory/1028-6-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/1048-7-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads