qakbot | 868a3372ee60366584c1ea844afb1aa87e78ac8d6180cb1e53216cae27ec5910

General

Target

mdldwt.exe
Size

1.9MB
MD5

73f3a68f47be87ffb75b1c616bce1703
SHA1

d1b381741fd2320759d4d97b0d1cdbd9de18ff8a
SHA256

868a3372ee60366584c1ea844afb1aa87e78ac8d6180cb1e53216cae27ec5910
SHA512

2df41145d072c7b75116510d25218684f1741f64e845a264b7a89560d63551e1e909919d5ae36be56ee492b73446e72bbf83dfc6296183bfa8e3898e5a2ff2a2

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

busipeo.exebusipeo.exe

pid process

3632 busipeo.exe
992 busipeo.exe

pid	process
3632	busipeo.exe
992	busipeo.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

busipeo.exemdldwt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	busipeo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	busipeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	busipeo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	busipeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	mdldwt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	mdldwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	mdldwt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	mdldwt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	mdldwt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	busipeo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	busipeo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	mdldwt.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3616 schtasks.exe

pid	process
3616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

mdldwt.exemdldwt.exebusipeo.exebusipeo.exeexplorer.exemdldwt.exe

pid	process
1180	mdldwt.exe
1180	mdldwt.exe
196	mdldwt.exe
196	mdldwt.exe
196	mdldwt.exe
196	mdldwt.exe
3632	busipeo.exe
3632	busipeo.exe
992	busipeo.exe
992	busipeo.exe
992	busipeo.exe
992	busipeo.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
864	explorer.exe
3904	mdldwt.exe
3904	mdldwt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

busipeo.exe

pid process

3632 busipeo.exe

pid	process
3632	busipeo.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

mdldwt.exebusipeo.exe

description	pid	process	target process
PID 1180 wrote to memory of 196	1180	mdldwt.exe	mdldwt.exe
PID 1180 wrote to memory of 196	1180	mdldwt.exe	mdldwt.exe
PID 1180 wrote to memory of 196	1180	mdldwt.exe	mdldwt.exe
PID 1180 wrote to memory of 3632	1180	mdldwt.exe	busipeo.exe
PID 1180 wrote to memory of 3632	1180	mdldwt.exe	busipeo.exe
PID 1180 wrote to memory of 3632	1180	mdldwt.exe	busipeo.exe
PID 1180 wrote to memory of 3616	1180	mdldwt.exe	schtasks.exe
PID 1180 wrote to memory of 3616	1180	mdldwt.exe	schtasks.exe
PID 1180 wrote to memory of 3616	1180	mdldwt.exe	schtasks.exe
PID 3632 wrote to memory of 992	3632	busipeo.exe	busipeo.exe
PID 3632 wrote to memory of 992	3632	busipeo.exe	busipeo.exe
PID 3632 wrote to memory of 992	3632	busipeo.exe	busipeo.exe
PID 3632 wrote to memory of 864	3632	busipeo.exe	explorer.exe
PID 3632 wrote to memory of 864	3632	busipeo.exe	explorer.exe
PID 3632 wrote to memory of 864	3632	busipeo.exe	explorer.exe
PID 3632 wrote to memory of 864	3632	busipeo.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\mdldwt.exe
"C:\Users\Admin\AppData\Local\Temp\mdldwt.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\mdldwt.exe
C:\Users\Admin\AppData\Local\Temp\mdldwt.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:196

C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn aixpyzmxva /tr "\"C:\Users\Admin\AppData\Local\Temp\mdldwt.exe\" /I aixpyzmxva" /SC ONCE /Z /ST 04:07 /ET 04:19
2⤵
- Creates scheduled task(s)
PID:3616

C:\Users\Admin\AppData\Local\Temp\mdldwt.exe
C:\Users\Admin\AppData\Local\Temp\mdldwt.exe /I aixpyzmxva
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.dat
MD5
610634e6a785299ffa5085e1be279184

SHA1
b9d408cd5c8709a3b05a59a16cab31e89b4c3128

SHA256
35999495ffacf9e0df446241a87274da52f97211a2b68417e640c3510e3baae3

SHA512
4509de946859c41b81f4c835e9d0b0745422f6fab86631acc55bca14197ee45c34ea0ff0f2361c6ed31033113ba23b62e60eb779ca548a17560cd9c7c8999ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
MD5
73f3a68f47be87ffb75b1c616bce1703

SHA1
d1b381741fd2320759d4d97b0d1cdbd9de18ff8a

SHA256
868a3372ee60366584c1ea844afb1aa87e78ac8d6180cb1e53216cae27ec5910

SHA512
2df41145d072c7b75116510d25218684f1741f64e845a264b7a89560d63551e1e909919d5ae36be56ee492b73446e72bbf83dfc6296183bfa8e3898e5a2ff2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
MD5
73f3a68f47be87ffb75b1c616bce1703

SHA1
d1b381741fd2320759d4d97b0d1cdbd9de18ff8a

SHA256
868a3372ee60366584c1ea844afb1aa87e78ac8d6180cb1e53216cae27ec5910

SHA512
2df41145d072c7b75116510d25218684f1741f64e845a264b7a89560d63551e1e909919d5ae36be56ee492b73446e72bbf83dfc6296183bfa8e3898e5a2ff2a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aptyfp\busipeo.exe
MD5
73f3a68f47be87ffb75b1c616bce1703

SHA1
d1b381741fd2320759d4d97b0d1cdbd9de18ff8a

SHA256
868a3372ee60366584c1ea844afb1aa87e78ac8d6180cb1e53216cae27ec5910

SHA512
2df41145d072c7b75116510d25218684f1741f64e845a264b7a89560d63551e1e909919d5ae36be56ee492b73446e72bbf83dfc6296183bfa8e3898e5a2ff2a2

Download Submit
memory/196-0-0x0000000000000000-mapping.dmp

Download
memory/196-1-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/864-10-0x0000000000000000-mapping.dmp

Download
memory/992-6-0x0000000000000000-mapping.dmp

Download
memory/992-8-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3616-5-0x0000000000000000-mapping.dmp

Download
memory/3632-2-0x0000000000000000-mapping.dmp

Download
memory/3632-9-0x00000000021B0000-0x00000000021EA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads