qakbot | 67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

General

Target

ddttrz.exe
Size

1.0MB
MD5

ca40bcf823f1bb7182ba789508ee3506
SHA1

e942175926e0a42a94902a043727c4899cb5c564
SHA256

67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133
SHA512

93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

angdxyis.exeangdxyis.exe

pid process

1264 angdxyis.exe
1600 angdxyis.exe
Loads dropped DLL 2 IoCs

Processes:

ddttrz.exe

pid process

1732 ddttrz.exe
1732 ddttrz.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ddttrz.exeddttrz.exeangdxyis.exeangdxyis.exeexplorer.exe

pid process

1732 ddttrz.exe
1308 ddttrz.exe
1308 ddttrz.exe
1264 angdxyis.exe
1600 angdxyis.exe
1600 angdxyis.exe
980 explorer.exe
980 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

angdxyis.exe

pid process

1264 angdxyis.exe

pid	process
1264	angdxyis.exe
1600	angdxyis.exe

pid	process
1732	ddttrz.exe
1732	ddttrz.exe

pid	process
1376	schtasks.exe

pid	process
1732	ddttrz.exe
1308	ddttrz.exe
1308	ddttrz.exe
1264	angdxyis.exe
1600	angdxyis.exe
1600	angdxyis.exe
980	explorer.exe
980	explorer.exe

pid	process
1264	angdxyis.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ddttrz.exeangdxyis.exetaskeng.exe

description	pid	process	target process
PID 1732 wrote to memory of 1308	1732	ddttrz.exe	ddttrz.exe
PID 1732 wrote to memory of 1308	1732	ddttrz.exe	ddttrz.exe
PID 1732 wrote to memory of 1308	1732	ddttrz.exe	ddttrz.exe
PID 1732 wrote to memory of 1308	1732	ddttrz.exe	ddttrz.exe
PID 1732 wrote to memory of 1264	1732	ddttrz.exe	angdxyis.exe
PID 1732 wrote to memory of 1264	1732	ddttrz.exe	angdxyis.exe
PID 1732 wrote to memory of 1264	1732	ddttrz.exe	angdxyis.exe
PID 1732 wrote to memory of 1264	1732	ddttrz.exe	angdxyis.exe
PID 1732 wrote to memory of 1376	1732	ddttrz.exe	schtasks.exe
PID 1732 wrote to memory of 1376	1732	ddttrz.exe	schtasks.exe
PID 1732 wrote to memory of 1376	1732	ddttrz.exe	schtasks.exe
PID 1732 wrote to memory of 1376	1732	ddttrz.exe	schtasks.exe
PID 1264 wrote to memory of 1600	1264	angdxyis.exe	angdxyis.exe
PID 1264 wrote to memory of 1600	1264	angdxyis.exe	angdxyis.exe
PID 1264 wrote to memory of 1600	1264	angdxyis.exe	angdxyis.exe
PID 1264 wrote to memory of 1600	1264	angdxyis.exe	angdxyis.exe
PID 1264 wrote to memory of 980	1264	angdxyis.exe	explorer.exe
PID 1264 wrote to memory of 980	1264	angdxyis.exe	explorer.exe
PID 1264 wrote to memory of 980	1264	angdxyis.exe	explorer.exe
PID 1264 wrote to memory of 980	1264	angdxyis.exe	explorer.exe
PID 1264 wrote to memory of 980	1264	angdxyis.exe	explorer.exe
PID 1928 wrote to memory of 1120	1928	taskeng.exe	ddttrz.exe
PID 1928 wrote to memory of 1120	1928	taskeng.exe	ddttrz.exe
PID 1928 wrote to memory of 1120	1928	taskeng.exe	ddttrz.exe
PID 1928 wrote to memory of 1120	1928	taskeng.exe	ddttrz.exe

C:\Users\Admin\AppData\Local\Temp\ddttrz.exe
"C:\Users\Admin\AppData\Local\Temp\ddttrz.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\ddttrz.exe
C:\Users\Admin\AppData\Local\Temp\ddttrz.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bzttpxww /tr "\"C:\Users\Admin\AppData\Local\Temp\ddttrz.exe\" /I bzttpxww" /SC ONCE /Z /ST 14:40 /ET 14:52
2⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\taskeng.exe
taskeng.exe {18418DD5-F2BD-41F8-9F8E-697B1BCB89F5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\ddttrz.exe
C:\Users\Admin\AppData\Local\Temp\ddttrz.exe /I bzttpxww
2⤵
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.dat
MD5
27606761798b34580d8c4b1bc9f8bccc

SHA1
f1808e16463ab6b1c39c163dab2094ac270bc9ba

SHA256
662fea155c5eac1f8a4f749a2b349a18d227a8ac14c1ba403f6db4bd21dc676e

SHA512
b1d23cb2ff2fe2ed906ae037cf70dd2b218d7c0efba53858fea45919eca240c45e4f3f479d95767354c1aaf830533371ddc3aaf4b392c2f876757a687f078c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
MD5
ca40bcf823f1bb7182ba789508ee3506

SHA1
e942175926e0a42a94902a043727c4899cb5c564

SHA256
67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

SHA512
93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
MD5
ca40bcf823f1bb7182ba789508ee3506

SHA1
e942175926e0a42a94902a043727c4899cb5c564

SHA256
67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

SHA512
93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
MD5
ca40bcf823f1bb7182ba789508ee3506

SHA1
e942175926e0a42a94902a043727c4899cb5c564

SHA256
67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

SHA512
93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
MD5
ca40bcf823f1bb7182ba789508ee3506

SHA1
e942175926e0a42a94902a043727c4899cb5c564

SHA256
67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

SHA512
93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Xgtibiynlxl\angdxyis.exe
MD5
ca40bcf823f1bb7182ba789508ee3506

SHA1
e942175926e0a42a94902a043727c4899cb5c564

SHA256
67006bce79316e3747066ad5983b59a8a22ec836ee2f278e0d68addcc7f0e133

SHA512
93b7a0e0a01fd545d43f333be0714966aae5fd564a846340cff6c2afff79e2fca6e7578be92d33625ef2a70a2d40043027ab2136611dbae7bcaeedef7e32461b

Download Submit
memory/980-12-0x0000000000000000-mapping.dmp

Download
memory/1120-14-0x0000000000000000-mapping.dmp

Download
memory/1264-4-0x0000000000000000-mapping.dmp

Download
memory/1264-11-0x0000000002100000-0x000000000213A000-memory.dmp

Filesize
232KB

Download
memory/1308-0-0x0000000000000000-mapping.dmp

Download
memory/1308-1-0x00000000024F0000-0x0000000002501000-memory.dmp

Filesize
68KB

Download
memory/1376-6-0x0000000000000000-mapping.dmp

Download
memory/1600-8-0x0000000000000000-mapping.dmp

Download
memory/1600-10-0x00000000025E0000-0x00000000025F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads