qakbot | c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

General

Target

hjfoze.exe
Size

1.0MB
MD5

6284a3b53e3c607d7718cc3de373fdee
SHA1

86442c4e5665fb66e5d0dc1c7277dd32b02883dd
SHA256

c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85
SHA512

1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

dwadxe.exedwadxe.exe

pid process

1432 dwadxe.exe
1064 dwadxe.exe
Loads dropped DLL 2 IoCs

Processes:

hjfoze.exe

pid process

1688 hjfoze.exe
1688 hjfoze.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1700 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

hjfoze.exehjfoze.exedwadxe.exedwadxe.exeexplorer.exehjfoze.exe

pid process

1688 hjfoze.exe
832 hjfoze.exe
832 hjfoze.exe
1432 dwadxe.exe
1064 dwadxe.exe
1064 dwadxe.exe
1124 explorer.exe
1124 explorer.exe
1548 hjfoze.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dwadxe.exe

pid process

1432 dwadxe.exe

pid	process
1432	dwadxe.exe
1064	dwadxe.exe

pid	process
1688	hjfoze.exe
1688	hjfoze.exe

pid	process
1700	schtasks.exe

pid	process
1688	hjfoze.exe
832	hjfoze.exe
832	hjfoze.exe
1432	dwadxe.exe
1064	dwadxe.exe
1064	dwadxe.exe
1124	explorer.exe
1124	explorer.exe
1548	hjfoze.exe

pid	process
1432	dwadxe.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

hjfoze.exedwadxe.exetaskeng.exe

description	pid	process	target process
PID 1688 wrote to memory of 832	1688	hjfoze.exe	hjfoze.exe
PID 1688 wrote to memory of 832	1688	hjfoze.exe	hjfoze.exe
PID 1688 wrote to memory of 832	1688	hjfoze.exe	hjfoze.exe
PID 1688 wrote to memory of 832	1688	hjfoze.exe	hjfoze.exe
PID 1688 wrote to memory of 1432	1688	hjfoze.exe	dwadxe.exe
PID 1688 wrote to memory of 1432	1688	hjfoze.exe	dwadxe.exe
PID 1688 wrote to memory of 1432	1688	hjfoze.exe	dwadxe.exe
PID 1688 wrote to memory of 1432	1688	hjfoze.exe	dwadxe.exe
PID 1688 wrote to memory of 1700	1688	hjfoze.exe	schtasks.exe
PID 1688 wrote to memory of 1700	1688	hjfoze.exe	schtasks.exe
PID 1688 wrote to memory of 1700	1688	hjfoze.exe	schtasks.exe
PID 1688 wrote to memory of 1700	1688	hjfoze.exe	schtasks.exe
PID 1432 wrote to memory of 1064	1432	dwadxe.exe	dwadxe.exe
PID 1432 wrote to memory of 1064	1432	dwadxe.exe	dwadxe.exe
PID 1432 wrote to memory of 1064	1432	dwadxe.exe	dwadxe.exe
PID 1432 wrote to memory of 1064	1432	dwadxe.exe	dwadxe.exe
PID 1432 wrote to memory of 1124	1432	dwadxe.exe	explorer.exe
PID 1432 wrote to memory of 1124	1432	dwadxe.exe	explorer.exe
PID 1432 wrote to memory of 1124	1432	dwadxe.exe	explorer.exe
PID 1432 wrote to memory of 1124	1432	dwadxe.exe	explorer.exe
PID 1432 wrote to memory of 1124	1432	dwadxe.exe	explorer.exe
PID 576 wrote to memory of 1548	576	taskeng.exe	hjfoze.exe
PID 576 wrote to memory of 1548	576	taskeng.exe	hjfoze.exe
PID 576 wrote to memory of 1548	576	taskeng.exe	hjfoze.exe
PID 576 wrote to memory of 1548	576	taskeng.exe	hjfoze.exe

C:\Users\Admin\AppData\Local\Temp\hjfoze.exe
"C:\Users\Admin\AppData\Local\Temp\hjfoze.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\hjfoze.exe
C:\Users\Admin\AppData\Local\Temp\hjfoze.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jimufju /tr "\"C:\Users\Admin\AppData\Local\Temp\hjfoze.exe\" /I jimufju" /SC ONCE /Z /ST 15:39 /ET 15:51
2⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {17024778-9A5A-46B9-82DF-DFACE9499F05} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\hjfoze.exe
C:\Users\Admin\AppData\Local\Temp\hjfoze.exe /I jimufju
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.dat
MD5
ecc39332aa387982ac84711872d14a18

SHA1
55069dca17e2e93a8f1fed177e62e634a6cdbba5

SHA256
a2a3f3c5a30bec4517a62cb827bbee808fa1ad2d9492d79f981eeaa76b90bb73

SHA512
af9bb89fa635696a67023ce96169bf22996eed9c530594c3e548fa36c6870083ec120ab5c18b9f7106596c0c2b84645eaecf070b2f577ba44914ee8ee0c0d464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
MD5
6284a3b53e3c607d7718cc3de373fdee

SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd

SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
MD5
6284a3b53e3c607d7718cc3de373fdee

SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd

SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
MD5
6284a3b53e3c607d7718cc3de373fdee

SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd

SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
MD5
6284a3b53e3c607d7718cc3de373fdee

SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd

SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Taisiiunsaba\dwadxe.exe
MD5
6284a3b53e3c607d7718cc3de373fdee

SHA1
86442c4e5665fb66e5d0dc1c7277dd32b02883dd

SHA256
c2b98c07655ecdeede7c0d1076743727c8e79d3be267cd630e32ab8a4dc73e85

SHA512
1e8545ea734e58b4029e944de45326741843d5259bab2b917899110a93874a02158778bdf0ab1c1bf04fa1799cf346753a2478cbe5ab238d7878312c37f0b60e

Download Submit
memory/832-0-0x0000000000000000-mapping.dmp

Download
memory/832-1-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/1064-8-0x0000000000000000-mapping.dmp

Download
memory/1064-10-0x0000000002500000-0x0000000002511000-memory.dmp

Filesize
68KB

Download
memory/1124-12-0x0000000000000000-mapping.dmp

Download
memory/1432-4-0x0000000000000000-mapping.dmp

Download
memory/1432-11-0x00000000024E0000-0x000000000251A000-memory.dmp

Filesize
232KB

Download
memory/1548-14-0x0000000000000000-mapping.dmp

Download
memory/1700-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads