qakbot | 357225bfe5e097f7dbbbe58e76eb396aed159ee54494bcd24bc01a52c36b832d

General

Target

kgwlrl.exe
Size

1.9MB
MD5

59ac77320f3c775bdeab0d7693a4f633
SHA1

fabc8ca07d4b8f5ea8b2a01f2d6ae0d66d133302
SHA256

357225bfe5e097f7dbbbe58e76eb396aed159ee54494bcd24bc01a52c36b832d
SHA512

d379d0d86391e31d5a5023e813e2fcf4655e16ce628a5f2693951311de82689471a2731a1e67aec0a18b2d18e1943e9bba644b534f17b5ff6a1a405854f1adbb

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

wmqqolih.exewmqqolih.exe

pid process

968 wmqqolih.exe
488 wmqqolih.exe

pid	process
968	wmqqolih.exe
488	wmqqolih.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmqqolih.exekgwlrl.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	wmqqolih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	wmqqolih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	kgwlrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	kgwlrl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	kgwlrl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	kgwlrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	wmqqolih.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	wmqqolih.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	kgwlrl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	kgwlrl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	wmqqolih.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	wmqqolih.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1520 schtasks.exe

pid	process
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

kgwlrl.exekgwlrl.exewmqqolih.exewmqqolih.exeexplorer.exekgwlrl.exe

pid	process
428	kgwlrl.exe
428	kgwlrl.exe
804	kgwlrl.exe
804	kgwlrl.exe
804	kgwlrl.exe
804	kgwlrl.exe
968	wmqqolih.exe
968	wmqqolih.exe
488	wmqqolih.exe
488	wmqqolih.exe
488	wmqqolih.exe
488	wmqqolih.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3520	kgwlrl.exe
3520	kgwlrl.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wmqqolih.exe

pid process

968 wmqqolih.exe

pid	process
968	wmqqolih.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

kgwlrl.exewmqqolih.exe

description	pid	process	target process
PID 428 wrote to memory of 804	428	kgwlrl.exe	kgwlrl.exe
PID 428 wrote to memory of 804	428	kgwlrl.exe	kgwlrl.exe
PID 428 wrote to memory of 804	428	kgwlrl.exe	kgwlrl.exe
PID 428 wrote to memory of 968	428	kgwlrl.exe	wmqqolih.exe
PID 428 wrote to memory of 968	428	kgwlrl.exe	wmqqolih.exe
PID 428 wrote to memory of 968	428	kgwlrl.exe	wmqqolih.exe
PID 428 wrote to memory of 1520	428	kgwlrl.exe	schtasks.exe
PID 428 wrote to memory of 1520	428	kgwlrl.exe	schtasks.exe
PID 428 wrote to memory of 1520	428	kgwlrl.exe	schtasks.exe
PID 968 wrote to memory of 488	968	wmqqolih.exe	wmqqolih.exe
PID 968 wrote to memory of 488	968	wmqqolih.exe	wmqqolih.exe
PID 968 wrote to memory of 488	968	wmqqolih.exe	wmqqolih.exe
PID 968 wrote to memory of 3624	968	wmqqolih.exe	explorer.exe
PID 968 wrote to memory of 3624	968	wmqqolih.exe	explorer.exe
PID 968 wrote to memory of 3624	968	wmqqolih.exe	explorer.exe
PID 968 wrote to memory of 3624	968	wmqqolih.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe
"C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe
C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ptrrrbb /tr "\"C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe\" /I ptrrrbb" /SC ONCE /Z /ST 15:39 /ET 15:51
2⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe
C:\Users\Admin\AppData\Local\Temp\kgwlrl.exe /I ptrrrbb
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.dat
MD5
904b1d4786bb6fae47905c696fd19688

SHA1
4873d71426d3d3a713c4d3e8d16766a84a74e1f6

SHA256
e61d13cdb351367a4c1ed7148449f297d7ee0da9869035f6b8d09af1b896a8ba

SHA512
6fbc1ed1351435c876ff8c4b8656b8140f27e7f34628cff21d9243ae6a5d2df971e1a58e14700435fa14af5dcceb51fe4942aa3d6d7d50d3bc87bd59dcee47a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
MD5
59ac77320f3c775bdeab0d7693a4f633

SHA1
fabc8ca07d4b8f5ea8b2a01f2d6ae0d66d133302

SHA256
357225bfe5e097f7dbbbe58e76eb396aed159ee54494bcd24bc01a52c36b832d

SHA512
d379d0d86391e31d5a5023e813e2fcf4655e16ce628a5f2693951311de82689471a2731a1e67aec0a18b2d18e1943e9bba644b534f17b5ff6a1a405854f1adbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
MD5
59ac77320f3c775bdeab0d7693a4f633

SHA1
fabc8ca07d4b8f5ea8b2a01f2d6ae0d66d133302

SHA256
357225bfe5e097f7dbbbe58e76eb396aed159ee54494bcd24bc01a52c36b832d

SHA512
d379d0d86391e31d5a5023e813e2fcf4655e16ce628a5f2693951311de82689471a2731a1e67aec0a18b2d18e1943e9bba644b534f17b5ff6a1a405854f1adbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sekyrrrowooi\wmqqolih.exe
MD5
59ac77320f3c775bdeab0d7693a4f633

SHA1
fabc8ca07d4b8f5ea8b2a01f2d6ae0d66d133302

SHA256
357225bfe5e097f7dbbbe58e76eb396aed159ee54494bcd24bc01a52c36b832d

SHA512
d379d0d86391e31d5a5023e813e2fcf4655e16ce628a5f2693951311de82689471a2731a1e67aec0a18b2d18e1943e9bba644b534f17b5ff6a1a405854f1adbb

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/488-6-0x0000000000000000-mapping.dmp

Download
memory/488-8-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/804-0-0x0000000000000000-mapping.dmp

Download
memory/968-2-0x0000000000000000-mapping.dmp

Download
memory/968-9-0x00000000021C0000-0x00000000021FA000-memory.dmp

Filesize
232KB

Download
memory/1520-5-0x0000000000000000-mapping.dmp

Download
memory/3624-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads