qakbot | 320e6d33a2a4c8c2cfc58e66dad781cfbd5ad664c70a6a6c7560092cac12990e

General

Target

jqsljk.exe
Size

1.9MB
MD5

0646a7de5133cb77a3512157ec4ee182
SHA1

0408103ba0fb0f31629c193af788387b2a7a2cbe
SHA256

320e6d33a2a4c8c2cfc58e66dad781cfbd5ad664c70a6a6c7560092cac12990e
SHA512

57a0348527999daf765795704e527ddeb425a9a7dcc79bf9061ef4a61b342a4ad7d5a625cf4c5345a0c120df7a0e25a4def482a20be84fd375f0a23b11e2131c

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

xmayca.exexmayca.exe

pid process

184 xmayca.exe
684 xmayca.exe

pid	process
184	xmayca.exe
684	xmayca.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jqsljk.exexmayca.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	jqsljk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	xmayca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	xmayca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	xmayca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	xmayca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	jqsljk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	jqsljk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	jqsljk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	xmayca.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	jqsljk.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	jqsljk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	xmayca.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2312 schtasks.exe

pid	process
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

jqsljk.exejqsljk.exexmayca.exexmayca.exeexplorer.exejqsljk.exe

pid	process
636	jqsljk.exe
636	jqsljk.exe
3052	jqsljk.exe
3052	jqsljk.exe
3052	jqsljk.exe
3052	jqsljk.exe
184	xmayca.exe
184	xmayca.exe
684	xmayca.exe
684	xmayca.exe
684	xmayca.exe
684	xmayca.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
2060	jqsljk.exe
2060	jqsljk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

xmayca.exe

pid process

184 xmayca.exe

pid	process
184	xmayca.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

jqsljk.exexmayca.exe

description	pid	process	target process
PID 636 wrote to memory of 3052	636	jqsljk.exe	jqsljk.exe
PID 636 wrote to memory of 3052	636	jqsljk.exe	jqsljk.exe
PID 636 wrote to memory of 3052	636	jqsljk.exe	jqsljk.exe
PID 636 wrote to memory of 184	636	jqsljk.exe	xmayca.exe
PID 636 wrote to memory of 184	636	jqsljk.exe	xmayca.exe
PID 636 wrote to memory of 184	636	jqsljk.exe	xmayca.exe
PID 636 wrote to memory of 2312	636	jqsljk.exe	schtasks.exe
PID 636 wrote to memory of 2312	636	jqsljk.exe	schtasks.exe
PID 636 wrote to memory of 2312	636	jqsljk.exe	schtasks.exe
PID 184 wrote to memory of 684	184	xmayca.exe	xmayca.exe
PID 184 wrote to memory of 684	184	xmayca.exe	xmayca.exe
PID 184 wrote to memory of 684	184	xmayca.exe	xmayca.exe
PID 184 wrote to memory of 3200	184	xmayca.exe	explorer.exe
PID 184 wrote to memory of 3200	184	xmayca.exe	explorer.exe
PID 184 wrote to memory of 3200	184	xmayca.exe	explorer.exe
PID 184 wrote to memory of 3200	184	xmayca.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\jqsljk.exe
"C:\Users\Admin\AppData\Local\Temp\jqsljk.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\jqsljk.exe
C:\Users\Admin\AppData\Local\Temp\jqsljk.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:184

C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rdyjdsdsj /tr "\"C:\Users\Admin\AppData\Local\Temp\jqsljk.exe\" /I rdyjdsdsj" /SC ONCE /Z /ST 05:07 /ET 05:19
2⤵
- Creates scheduled task(s)
PID:2312

C:\Users\Admin\AppData\Local\Temp\jqsljk.exe
C:\Users\Admin\AppData\Local\Temp\jqsljk.exe /I rdyjdsdsj
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.dat
MD5
88c374c689fb8b225ae33b1182bdcd2e

SHA1
0995d9b18a3d698dc659d3aa73a9021446af3c86

SHA256
64471f54ce63ed7247510916f1b829e96e0822d8c3362d65f26476b5665b7361

SHA512
e07b387b977da154cecb9fc46319fb0b1d418ee12fe46a7e402daed0ad5abb35249d07410c8b9043c08bfc087fb96904912f14ca4d8cbecf2b7bd1af2ce4dc9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
MD5
0646a7de5133cb77a3512157ec4ee182

SHA1
0408103ba0fb0f31629c193af788387b2a7a2cbe

SHA256
320e6d33a2a4c8c2cfc58e66dad781cfbd5ad664c70a6a6c7560092cac12990e

SHA512
57a0348527999daf765795704e527ddeb425a9a7dcc79bf9061ef4a61b342a4ad7d5a625cf4c5345a0c120df7a0e25a4def482a20be84fd375f0a23b11e2131c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
MD5
0646a7de5133cb77a3512157ec4ee182

SHA1
0408103ba0fb0f31629c193af788387b2a7a2cbe

SHA256
320e6d33a2a4c8c2cfc58e66dad781cfbd5ad664c70a6a6c7560092cac12990e

SHA512
57a0348527999daf765795704e527ddeb425a9a7dcc79bf9061ef4a61b342a4ad7d5a625cf4c5345a0c120df7a0e25a4def482a20be84fd375f0a23b11e2131c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Mdtvurnvn\xmayca.exe
MD5
0646a7de5133cb77a3512157ec4ee182

SHA1
0408103ba0fb0f31629c193af788387b2a7a2cbe

SHA256
320e6d33a2a4c8c2cfc58e66dad781cfbd5ad664c70a6a6c7560092cac12990e

SHA512
57a0348527999daf765795704e527ddeb425a9a7dcc79bf9061ef4a61b342a4ad7d5a625cf4c5345a0c120df7a0e25a4def482a20be84fd375f0a23b11e2131c

Download Submit
memory/184-2-0x0000000000000000-mapping.dmp

Download
memory/184-9-0x00000000008E0000-0x000000000091A000-memory.dmp

Filesize
232KB

Download
memory/684-6-0x0000000000000000-mapping.dmp

Download
memory/684-8-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x0000000000000000-mapping.dmp

Download
memory/3052-0-0x0000000000000000-mapping.dmp

Download
memory/3052-1-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3200-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads