Overview

overview

10

Static

static

Basic

windows7_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-11-2020 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ufctqm.exe

  • Size

    288KB

  • MD5

    6a4ac643acc40f5c9bf45f6b66c98747

  • SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

  • SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

  • SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

Score
10/10
qakbotnotset1596817234bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1596817234

Credentials

  • Protocol:     ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:     ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:     ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:     ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

47.44.217.98:443

86.97.146.204:2222

65.60.228.130:443

216.201.162.158:443

94.59.24.79:995

108.46.145.30:443

24.139.132.70:443

47.206.174.82:443

188.52.106.206:20

72.204.242.138:6881

173.173.72.199:443

71.163.224.206:443

63.155.9.141:995

100.34.195.237:443

47.39.177.171:2222

96.20.108.17:2222

115.21.224.117:443

70.164.39.91:443

45.47.65.191:443

207.155.107.111:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ufctqm.exe
    "C:\Users\Admin\AppData\Local\Temp\ufctqm.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\ufctqm.exe
      C:\Users\Admin\AppData\Local\Temp\ufctqm.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2000
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:436
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ogdigeuas /tr "\"C:\Users\Admin\AppData\Local\Temp\ufctqm.exe\" /I ogdigeuas" /SC ONCE /Z /ST 08:25 /ET 08:37
      2⤵
      • Creates scheduled task(s)
      PID:1664
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D8453CC5-715A-44A4-8F32-474258DA9F3C} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\ufctqm.exe
      C:\Users\Admin\AppData\Local\Temp\ufctqm.exe /I ogdigeuas
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.dat
    MD5

    2cff3d0f4560a6e9769baef5cbea7e8d

    SHA1

    ab8892b1a3243b827b1183911d5b7cc62c177704

    SHA256

    766a84dacbdc9e6d3825785f5d4dcc0c605c43eb0792e2df5813409ab34ae526

    SHA512

    a587a015148f8c5fa2c2d6bcc57c541205715210c146b46af972b4c159fefc3214636a184fb7915894f60ea9f8e3d1f58dde520ec65cd15d11294b682e634a97

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
    MD5

    6a4ac643acc40f5c9bf45f6b66c98747

    SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

    SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

    SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
    MD5

    6a4ac643acc40f5c9bf45f6b66c98747

    SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

    SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

    SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
    MD5

    6a4ac643acc40f5c9bf45f6b66c98747

    SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

    SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

    SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

    Download Submit
  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
    MD5

    6a4ac643acc40f5c9bf45f6b66c98747

    SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

    SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

    SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Uptruhaver\cqxigki.exe
    MD5

    6a4ac643acc40f5c9bf45f6b66c98747

    SHA1

    196715f3b45aab4894651b0cdb9bd811f203cc7b

    SHA256

    a7d481c0f6ec7902ac7af13a9195ba6743c8baea25fabe3c206b743eb4dd39ab

    SHA512

    6a662d702a44ab26500b3d0ca1fe38d3ca1d4819b047e74363d54109537a77a002cd694b5172fae20f33a60fc2d6a06082f6e568e279d310056bebbf1838df7e

    Download Submit
  • memory/436-13-0x0000000000000000-mapping.dmp
    Download
  • memory/792-0-0x0000000000000000-mapping.dmp
    Download
  • memory/792-1-0x0000000002580000-0x0000000002591000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1120-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1640-12-0x0000000000750000-0x0000000000797000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1640-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1664-6-0x0000000000000000-mapping.dmp
    Download
  • memory/2000-11-0x0000000002490000-0x00000000024A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2000-8-0x0000000000000000-mapping.dmp
    Download