qakbot | 84e9edf5d6623afd93780de33f70cec0d5b71c120c9c0bc450da91929ebded8e

General

Target

ervsaq.exe
Size

1.9MB
MD5

a5aa32b48d8ce38112fa1a50da6bc8e3
SHA1

e12ce4afeb7d675d037eae235cb5b5e5d45b5648
SHA256

84e9edf5d6623afd93780de33f70cec0d5b71c120c9c0bc450da91929ebded8e
SHA512

3f102c2392fd445430f7e322479482134f82bed1c71dde60ec67cde59cfb96ffe6bf3942f08674d9bd74fd881844bbea743ddffc52b2f4814dfbb8f19ac39842

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

cgoit.execgoit.exe

pid process

4280 cgoit.exe
588 cgoit.exe

pid	process
4280	cgoit.exe
588	cgoit.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ervsaq.execgoit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	ervsaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	ervsaq.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	cgoit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	cgoit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	cgoit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	ervsaq.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	ervsaq.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	ervsaq.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	ervsaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	cgoit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	cgoit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	cgoit.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4444 schtasks.exe

pid	process
4444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ervsaq.exeervsaq.execgoit.execgoit.exeexplorer.exeervsaq.exe

pid	process
4804	ervsaq.exe
4804	ervsaq.exe
4348	ervsaq.exe
4348	ervsaq.exe
4348	ervsaq.exe
4348	ervsaq.exe
4280	cgoit.exe
4280	cgoit.exe
588	cgoit.exe
588	cgoit.exe
588	cgoit.exe
588	cgoit.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
2956	ervsaq.exe
2956	ervsaq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cgoit.exe

pid process

4280 cgoit.exe

pid	process
4280	cgoit.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ervsaq.execgoit.exe

description	pid	process	target process
PID 4804 wrote to memory of 4348	4804	ervsaq.exe	ervsaq.exe
PID 4804 wrote to memory of 4348	4804	ervsaq.exe	ervsaq.exe
PID 4804 wrote to memory of 4348	4804	ervsaq.exe	ervsaq.exe
PID 4804 wrote to memory of 4280	4804	ervsaq.exe	cgoit.exe
PID 4804 wrote to memory of 4280	4804	ervsaq.exe	cgoit.exe
PID 4804 wrote to memory of 4280	4804	ervsaq.exe	cgoit.exe
PID 4804 wrote to memory of 4444	4804	ervsaq.exe	schtasks.exe
PID 4804 wrote to memory of 4444	4804	ervsaq.exe	schtasks.exe
PID 4804 wrote to memory of 4444	4804	ervsaq.exe	schtasks.exe
PID 4280 wrote to memory of 588	4280	cgoit.exe	cgoit.exe
PID 4280 wrote to memory of 588	4280	cgoit.exe	cgoit.exe
PID 4280 wrote to memory of 588	4280	cgoit.exe	cgoit.exe
PID 4280 wrote to memory of 940	4280	cgoit.exe	explorer.exe
PID 4280 wrote to memory of 940	4280	cgoit.exe	explorer.exe
PID 4280 wrote to memory of 940	4280	cgoit.exe	explorer.exe
PID 4280 wrote to memory of 940	4280	cgoit.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ervsaq.exe
"C:\Users\Admin\AppData\Local\Temp\ervsaq.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\ervsaq.exe
C:\Users\Admin\AppData\Local\Temp\ervsaq.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn dctgblbys /tr "\"C:\Users\Admin\AppData\Local\Temp\ervsaq.exe\" /I dctgblbys" /SC ONCE /Z /ST 14:44 /ET 14:56
2⤵
- Creates scheduled task(s)
PID:4444

C:\Users\Admin\AppData\Local\Temp\ervsaq.exe
C:\Users\Admin\AppData\Local\Temp\ervsaq.exe /I dctgblbys
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.dat
MD5
fc2f6dff90d30a0ef0edb5aea47452bc

SHA1
8826c4d0cf17a1b89e0a68121bf540e4da8ee2d8

SHA256
440911a228d6c1124ce1756fddebcf6df3edd3c95c48dfeecb27f343a8231e0a

SHA512
e522f9bbcdf289cf53fc26e15a95905e4416ed0f8141c8e0818ecc87d7018cf4cf0e2281c7ca1dea0247ddfa70c7ec5f1e99a6a97f2e41f5febf685561abafdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
MD5
a5aa32b48d8ce38112fa1a50da6bc8e3

SHA1
e12ce4afeb7d675d037eae235cb5b5e5d45b5648

SHA256
84e9edf5d6623afd93780de33f70cec0d5b71c120c9c0bc450da91929ebded8e

SHA512
3f102c2392fd445430f7e322479482134f82bed1c71dde60ec67cde59cfb96ffe6bf3942f08674d9bd74fd881844bbea743ddffc52b2f4814dfbb8f19ac39842

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
MD5
a5aa32b48d8ce38112fa1a50da6bc8e3

SHA1
e12ce4afeb7d675d037eae235cb5b5e5d45b5648

SHA256
84e9edf5d6623afd93780de33f70cec0d5b71c120c9c0bc450da91929ebded8e

SHA512
3f102c2392fd445430f7e322479482134f82bed1c71dde60ec67cde59cfb96ffe6bf3942f08674d9bd74fd881844bbea743ddffc52b2f4814dfbb8f19ac39842

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ektzlwwyyhw\cgoit.exe
MD5
a5aa32b48d8ce38112fa1a50da6bc8e3

SHA1
e12ce4afeb7d675d037eae235cb5b5e5d45b5648

SHA256
84e9edf5d6623afd93780de33f70cec0d5b71c120c9c0bc450da91929ebded8e

SHA512
3f102c2392fd445430f7e322479482134f82bed1c71dde60ec67cde59cfb96ffe6bf3942f08674d9bd74fd881844bbea743ddffc52b2f4814dfbb8f19ac39842

Download Submit
memory/588-6-0x0000000000000000-mapping.dmp

Download
memory/588-8-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/940-10-0x0000000000000000-mapping.dmp

Download
memory/4280-2-0x0000000000000000-mapping.dmp

Download
memory/4280-9-0x0000000002180000-0x00000000021BA000-memory.dmp

Filesize
232KB

Download
memory/4348-0-0x0000000000000000-mapping.dmp

Download
memory/4348-1-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/4444-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads