qakbot | 760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

General

Target

8888888.exe
Size

1.0MB
MD5

187f43c716b1f67efa2e3e98027f497e
SHA1

2076d9ecbcec60b0b4fc181917fd85246037f1cc
SHA256

760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809
SHA512

ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Score

10^/10

qakbot spx140 1592218484 banker cryptone packer stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

spx140

Campaign

1592218484

C2

141.126.10.226:443

96.35.170.82:2222

67.250.184.157:443

24.42.14.241:995

72.173.20.55:443

173.172.205.216:443

173.3.132.17:995

172.78.30.215:443

207.255.161.8:32103

206.51.202.106:50003

24.152.219.253:995

207.255.161.8:2222

80.14.209.42:2222

72.142.106.198:465

207.255.161.8:2087

142.129.227.86:443

98.219.77.197:443

166.62.180.194:2078

82.127.193.151:2222

24.229.245.124:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

CryptOne packer 5 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe	cryptone

Executes dropped EXE 2 IoCs

Processes:

tsaoo.exetsaoo.exe

pid process

792 tsaoo.exe
1184 tsaoo.exe
Loads dropped DLL 2 IoCs

Processes:

8888888.exe

pid process

1880 8888888.exe
1880 8888888.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

656 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8888888.exe8888888.exetsaoo.exetsaoo.exeexplorer.exe

pid process

1880 8888888.exe
1700 8888888.exe
1700 8888888.exe
792 tsaoo.exe
1184 tsaoo.exe
1184 tsaoo.exe
968 explorer.exe
968 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tsaoo.exe

pid process

792 tsaoo.exe

pid	process
792	tsaoo.exe
1184	tsaoo.exe

pid	process
1880	8888888.exe
1880	8888888.exe

pid	process
656	schtasks.exe

pid	process
1880	8888888.exe
1700	8888888.exe
1700	8888888.exe
792	tsaoo.exe
1184	tsaoo.exe
1184	tsaoo.exe
968	explorer.exe
968	explorer.exe

pid	process
792	tsaoo.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

8888888.exetsaoo.exetaskeng.exe

description	pid	process	target process
PID 1880 wrote to memory of 1700	1880	8888888.exe	8888888.exe
PID 1880 wrote to memory of 1700	1880	8888888.exe	8888888.exe
PID 1880 wrote to memory of 1700	1880	8888888.exe	8888888.exe
PID 1880 wrote to memory of 1700	1880	8888888.exe	8888888.exe
PID 1880 wrote to memory of 792	1880	8888888.exe	tsaoo.exe
PID 1880 wrote to memory of 792	1880	8888888.exe	tsaoo.exe
PID 1880 wrote to memory of 792	1880	8888888.exe	tsaoo.exe
PID 1880 wrote to memory of 792	1880	8888888.exe	tsaoo.exe
PID 1880 wrote to memory of 656	1880	8888888.exe	schtasks.exe
PID 1880 wrote to memory of 656	1880	8888888.exe	schtasks.exe
PID 1880 wrote to memory of 656	1880	8888888.exe	schtasks.exe
PID 1880 wrote to memory of 656	1880	8888888.exe	schtasks.exe
PID 792 wrote to memory of 1184	792	tsaoo.exe	tsaoo.exe
PID 792 wrote to memory of 1184	792	tsaoo.exe	tsaoo.exe
PID 792 wrote to memory of 1184	792	tsaoo.exe	tsaoo.exe
PID 792 wrote to memory of 1184	792	tsaoo.exe	tsaoo.exe
PID 792 wrote to memory of 968	792	tsaoo.exe	explorer.exe
PID 792 wrote to memory of 968	792	tsaoo.exe	explorer.exe
PID 792 wrote to memory of 968	792	tsaoo.exe	explorer.exe
PID 792 wrote to memory of 968	792	tsaoo.exe	explorer.exe
PID 792 wrote to memory of 968	792	tsaoo.exe	explorer.exe
PID 544 wrote to memory of 684	544	taskeng.exe	8888888.exe
PID 544 wrote to memory of 684	544	taskeng.exe	8888888.exe
PID 544 wrote to memory of 684	544	taskeng.exe	8888888.exe
PID 544 wrote to memory of 684	544	taskeng.exe	8888888.exe

C:\Users\Admin\AppData\Local\Temp\8888888.exe
"C:\Users\Admin\AppData\Local\Temp\8888888.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\8888888.exe
C:\Users\Admin\AppData\Local\Temp\8888888.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fssekdxd /tr "\"C:\Users\Admin\AppData\Local\Temp\8888888.exe\" /I fssekdxd" /SC ONCE /Z /ST 05:22 /ET 05:34
2⤵
- Creates scheduled task(s)
PID:656

C:\Windows\system32\taskeng.exe
taskeng.exe {5DA828A4-F8F3-49D8-8B25-77CD61B8436C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\8888888.exe
C:\Users\Admin\AppData\Local\Temp\8888888.exe /I fssekdxd
2⤵
PID:684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.dat
MD5
95209c537b9159d49ef6fcceaf602fb8

SHA1
8651ad8676fd757f9ea161441087d2f2b1b4c550

SHA256
3afc39a1e8930f9b2637848bd1325bd7953b93e2975392ee1ee380a794b22328

SHA512
a5ed760e578882809942f006d1785dc2dcc5f4047a484bfce102c2456ca06f2c398fe524344f7530f839efc29994faf15c25057c84931b0feb970217caf64e71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
MD5
187f43c716b1f67efa2e3e98027f497e

SHA1
2076d9ecbcec60b0b4fc181917fd85246037f1cc

SHA256
760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

SHA512
ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
MD5
187f43c716b1f67efa2e3e98027f497e

SHA1
2076d9ecbcec60b0b4fc181917fd85246037f1cc

SHA256
760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

SHA512
ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
MD5
187f43c716b1f67efa2e3e98027f497e

SHA1
2076d9ecbcec60b0b4fc181917fd85246037f1cc

SHA256
760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

SHA512
ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
MD5
187f43c716b1f67efa2e3e98027f497e

SHA1
2076d9ecbcec60b0b4fc181917fd85246037f1cc

SHA256
760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

SHA512
ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Lrepxyxrrah\tsaoo.exe
MD5
187f43c716b1f67efa2e3e98027f497e

SHA1
2076d9ecbcec60b0b4fc181917fd85246037f1cc

SHA256
760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

SHA512
ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Download Submit
memory/656-6-0x0000000000000000-mapping.dmp

Download
memory/684-14-0x0000000000000000-mapping.dmp

Download
memory/792-4-0x0000000000000000-mapping.dmp

Download
memory/792-11-0x0000000000380000-0x00000000003BA000-memory.dmp

Filesize
232KB

Download
memory/968-12-0x0000000000000000-mapping.dmp

Download
memory/1184-8-0x0000000000000000-mapping.dmp

Download
memory/1184-10-0x0000000002580000-0x0000000002591000-memory.dmp

Filesize
68KB

Download
memory/1700-0-0x0000000000000000-mapping.dmp

Download
memory/1700-1-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads