qakbot | d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

General

Target

uavgmq.exe
Size

1.0MB
MD5

34f923e41d7da45ff5af8edb960a88eb
SHA1

0e29707a5261e82e87868bac2570e6c6ac2f04ab
SHA256

d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1
SHA512

e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

byabzee.exebyabzee.exe

pid process

1244 byabzee.exe
396 byabzee.exe
Loads dropped DLL 2 IoCs

Processes:

uavgmq.exe

pid process

1756 uavgmq.exe
1756 uavgmq.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1356 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

uavgmq.exeuavgmq.exebyabzee.exebyabzee.exeexplorer.exeuavgmq.exe

pid process

1756 uavgmq.exe
1188 uavgmq.exe
1188 uavgmq.exe
1244 byabzee.exe
396 byabzee.exe
396 byabzee.exe
568 explorer.exe
568 explorer.exe
560 uavgmq.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

byabzee.exe

pid process

1244 byabzee.exe

pid	process
1244	byabzee.exe
396	byabzee.exe

pid	process
1756	uavgmq.exe
1756	uavgmq.exe

pid	process
1356	schtasks.exe

pid	process
1756	uavgmq.exe
1188	uavgmq.exe
1188	uavgmq.exe
1244	byabzee.exe
396	byabzee.exe
396	byabzee.exe
568	explorer.exe
568	explorer.exe
560	uavgmq.exe

pid	process
1244	byabzee.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

uavgmq.exebyabzee.exetaskeng.exe

description	pid	process	target process
PID 1756 wrote to memory of 1188	1756	uavgmq.exe	uavgmq.exe
PID 1756 wrote to memory of 1188	1756	uavgmq.exe	uavgmq.exe
PID 1756 wrote to memory of 1188	1756	uavgmq.exe	uavgmq.exe
PID 1756 wrote to memory of 1188	1756	uavgmq.exe	uavgmq.exe
PID 1756 wrote to memory of 1244	1756	uavgmq.exe	byabzee.exe
PID 1756 wrote to memory of 1244	1756	uavgmq.exe	byabzee.exe
PID 1756 wrote to memory of 1244	1756	uavgmq.exe	byabzee.exe
PID 1756 wrote to memory of 1244	1756	uavgmq.exe	byabzee.exe
PID 1756 wrote to memory of 1356	1756	uavgmq.exe	schtasks.exe
PID 1756 wrote to memory of 1356	1756	uavgmq.exe	schtasks.exe
PID 1756 wrote to memory of 1356	1756	uavgmq.exe	schtasks.exe
PID 1756 wrote to memory of 1356	1756	uavgmq.exe	schtasks.exe
PID 1244 wrote to memory of 396	1244	byabzee.exe	byabzee.exe
PID 1244 wrote to memory of 396	1244	byabzee.exe	byabzee.exe
PID 1244 wrote to memory of 396	1244	byabzee.exe	byabzee.exe
PID 1244 wrote to memory of 396	1244	byabzee.exe	byabzee.exe
PID 1244 wrote to memory of 568	1244	byabzee.exe	explorer.exe
PID 1244 wrote to memory of 568	1244	byabzee.exe	explorer.exe
PID 1244 wrote to memory of 568	1244	byabzee.exe	explorer.exe
PID 1244 wrote to memory of 568	1244	byabzee.exe	explorer.exe
PID 1244 wrote to memory of 568	1244	byabzee.exe	explorer.exe
PID 1620 wrote to memory of 560	1620	taskeng.exe	uavgmq.exe
PID 1620 wrote to memory of 560	1620	taskeng.exe	uavgmq.exe
PID 1620 wrote to memory of 560	1620	taskeng.exe	uavgmq.exe
PID 1620 wrote to memory of 560	1620	taskeng.exe	uavgmq.exe

C:\Users\Admin\AppData\Local\Temp\uavgmq.exe
"C:\Users\Admin\AppData\Local\Temp\uavgmq.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\uavgmq.exe
C:\Users\Admin\AppData\Local\Temp\uavgmq.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wtqespzl /tr "\"C:\Users\Admin\AppData\Local\Temp\uavgmq.exe\" /I wtqespzl" /SC ONCE /Z /ST 14:47 /ET 14:59
2⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\taskeng.exe
taskeng.exe {7D63C0B4-2EE4-49C2-A22B-99F58E76BB2E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\uavgmq.exe
C:\Users\Admin\AppData\Local\Temp\uavgmq.exe /I wtqespzl
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.dat
MD5
a87a5325ee1bce0907f9da72c9d8e22e

SHA1
722e5fb04adef2dfbac2a5434b407b7890114e41

SHA256
c33ea6923a9e32d9e4c0626b677e8da7e66f3eac43930a9020cbba5c84645290

SHA512
ce5d3efa03f9571120aa573df1a01583b748e4d1939bf6e5e2f3963d2e695c268df2451541c6021896ecbbb9cc07050a0137dd78c9daca2a69eabe3d66667bee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
MD5
34f923e41d7da45ff5af8edb960a88eb

SHA1
0e29707a5261e82e87868bac2570e6c6ac2f04ab

SHA256
d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

SHA512
e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
MD5
34f923e41d7da45ff5af8edb960a88eb

SHA1
0e29707a5261e82e87868bac2570e6c6ac2f04ab

SHA256
d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

SHA512
e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
MD5
34f923e41d7da45ff5af8edb960a88eb

SHA1
0e29707a5261e82e87868bac2570e6c6ac2f04ab

SHA256
d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

SHA512
e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
MD5
34f923e41d7da45ff5af8edb960a88eb

SHA1
0e29707a5261e82e87868bac2570e6c6ac2f04ab

SHA256
d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

SHA512
e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sltqdatcyecb\byabzee.exe
MD5
34f923e41d7da45ff5af8edb960a88eb

SHA1
0e29707a5261e82e87868bac2570e6c6ac2f04ab

SHA256
d3d024969e102aa98447050f0db324c22d6a67bbfafdfd26c1478d0f942933e1

SHA512
e0f6e31fb7d8ea312a0c3554b68c50d38f20c64d6af26d3809b2ac8944f180c68fc8806a1517d8fb2d780cb265326f63b1fdaf3c064d2bff76b7e96c6f0d8502

Download Submit
memory/396-8-0x0000000000000000-mapping.dmp

Download
memory/396-10-0x00000000025C0000-0x00000000025D1000-memory.dmp

Filesize
68KB

Download
memory/560-14-0x0000000000000000-mapping.dmp

Download
memory/568-12-0x0000000000000000-mapping.dmp

Download
memory/1188-1-0x00000000025D0000-0x00000000025E1000-memory.dmp

Filesize
68KB

Download
memory/1188-0-0x0000000000000000-mapping.dmp

Download
memory/1244-4-0x0000000000000000-mapping.dmp

Download
memory/1244-11-0x0000000000330000-0x000000000036A000-memory.dmp

Filesize
232KB

Download
memory/1356-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads