qakbot | bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

General

Target

kbjilz.exe
Size

1.0MB
MD5

a330db4586985e36ecb5b54f6732a030
SHA1

f63427e93339a020f1eb54c998758e0330f30271
SHA256

bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f
SHA512

a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

fesgrqpn.exefesgrqpn.exe

pid process

1248 fesgrqpn.exe
412 fesgrqpn.exe
Loads dropped DLL 2 IoCs

Processes:

kbjilz.exe

pid process

1704 kbjilz.exe
1704 kbjilz.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1388 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

kbjilz.exekbjilz.exefesgrqpn.exefesgrqpn.exeexplorer.exekbjilz.exe

pid process

1704 kbjilz.exe
1240 kbjilz.exe
1240 kbjilz.exe
1248 fesgrqpn.exe
412 fesgrqpn.exe
412 fesgrqpn.exe
584 explorer.exe
584 explorer.exe
564 kbjilz.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fesgrqpn.exe

pid process

1248 fesgrqpn.exe

pid	process
1248	fesgrqpn.exe
412	fesgrqpn.exe

pid	process
1704	kbjilz.exe
1704	kbjilz.exe

pid	process
1388	schtasks.exe

pid	process
1704	kbjilz.exe
1240	kbjilz.exe
1240	kbjilz.exe
1248	fesgrqpn.exe
412	fesgrqpn.exe
412	fesgrqpn.exe
584	explorer.exe
584	explorer.exe
564	kbjilz.exe

pid	process
1248	fesgrqpn.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

kbjilz.exefesgrqpn.exetaskeng.exe

description	pid	process	target process
PID 1704 wrote to memory of 1240	1704	kbjilz.exe	kbjilz.exe
PID 1704 wrote to memory of 1240	1704	kbjilz.exe	kbjilz.exe
PID 1704 wrote to memory of 1240	1704	kbjilz.exe	kbjilz.exe
PID 1704 wrote to memory of 1240	1704	kbjilz.exe	kbjilz.exe
PID 1704 wrote to memory of 1248	1704	kbjilz.exe	fesgrqpn.exe
PID 1704 wrote to memory of 1248	1704	kbjilz.exe	fesgrqpn.exe
PID 1704 wrote to memory of 1248	1704	kbjilz.exe	fesgrqpn.exe
PID 1704 wrote to memory of 1248	1704	kbjilz.exe	fesgrqpn.exe
PID 1704 wrote to memory of 1388	1704	kbjilz.exe	schtasks.exe
PID 1704 wrote to memory of 1388	1704	kbjilz.exe	schtasks.exe
PID 1704 wrote to memory of 1388	1704	kbjilz.exe	schtasks.exe
PID 1704 wrote to memory of 1388	1704	kbjilz.exe	schtasks.exe
PID 1248 wrote to memory of 412	1248	fesgrqpn.exe	fesgrqpn.exe
PID 1248 wrote to memory of 412	1248	fesgrqpn.exe	fesgrqpn.exe
PID 1248 wrote to memory of 412	1248	fesgrqpn.exe	fesgrqpn.exe
PID 1248 wrote to memory of 412	1248	fesgrqpn.exe	fesgrqpn.exe
PID 1248 wrote to memory of 584	1248	fesgrqpn.exe	explorer.exe
PID 1248 wrote to memory of 584	1248	fesgrqpn.exe	explorer.exe
PID 1248 wrote to memory of 584	1248	fesgrqpn.exe	explorer.exe
PID 1248 wrote to memory of 584	1248	fesgrqpn.exe	explorer.exe
PID 1248 wrote to memory of 584	1248	fesgrqpn.exe	explorer.exe
PID 1184 wrote to memory of 564	1184	taskeng.exe	kbjilz.exe
PID 1184 wrote to memory of 564	1184	taskeng.exe	kbjilz.exe
PID 1184 wrote to memory of 564	1184	taskeng.exe	kbjilz.exe
PID 1184 wrote to memory of 564	1184	taskeng.exe	kbjilz.exe

C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
"C:\Users\Admin\AppData\Local\Temp\kbjilz.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
C:\Users\Admin\AppData\Local\Temp\kbjilz.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ssifppqik /tr "\"C:\Users\Admin\AppData\Local\Temp\kbjilz.exe\" /I ssifppqik" /SC ONCE /Z /ST 14:40 /ET 14:52
2⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\taskeng.exe
taskeng.exe {0E957DEC-4EC3-4A58-88A0-C52B8AF5C348} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\kbjilz.exe
C:\Users\Admin\AppData\Local\Temp\kbjilz.exe /I ssifppqik
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.dat
MD5
89ff9881e4280095066f703175505dd4

SHA1
9b1452a9884c5fb7b18a3c773407a28514d565b4

SHA256
5a3fbdeb6c9d9024144ef625ad775d5f6e8f6e0d3770ba3e4f591ed43c797756

SHA512
247fb5883a11dac312b99b7777d167bb7883f9ee86e19d6c15ea6148870ee3e029bbeed8a2d3cfd1d675f58afd01f99ce32eeab67533145d59d15972b2d7a3d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
MD5
a330db4586985e36ecb5b54f6732a030

SHA1
f63427e93339a020f1eb54c998758e0330f30271

SHA256
bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

SHA512
a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
MD5
a330db4586985e36ecb5b54f6732a030

SHA1
f63427e93339a020f1eb54c998758e0330f30271

SHA256
bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

SHA512
a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
MD5
a330db4586985e36ecb5b54f6732a030

SHA1
f63427e93339a020f1eb54c998758e0330f30271

SHA256
bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

SHA512
a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
MD5
a330db4586985e36ecb5b54f6732a030

SHA1
f63427e93339a020f1eb54c998758e0330f30271

SHA256
bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

SHA512
a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Upvuyq\fesgrqpn.exe
MD5
a330db4586985e36ecb5b54f6732a030

SHA1
f63427e93339a020f1eb54c998758e0330f30271

SHA256
bc91eab98bfd4e2f78ff2e7e28a7d2d6ef9049cb99325063b41653c5e1a3534f

SHA512
a73fe60a52b1f519213b8a41a034290d647dc6280b216e0adae2e2cc59a20aa60baf06e2e1830a9a009c57cfc40d30bfc6896d3f5f418ba49de202d42f71d49e

Download Submit
memory/412-8-0x0000000000000000-mapping.dmp

Download
memory/412-10-0x00000000025D0000-0x00000000025E1000-memory.dmp

Filesize
68KB

Download
memory/564-14-0x0000000000000000-mapping.dmp

Download
memory/584-12-0x0000000000000000-mapping.dmp

Download
memory/1240-1-0x0000000002680000-0x0000000002691000-memory.dmp

Filesize
68KB

Download
memory/1240-0-0x0000000000000000-mapping.dmp

Download
memory/1248-4-0x0000000000000000-mapping.dmp

Download
memory/1248-11-0x0000000000340000-0x000000000037A000-memory.dmp

Filesize
232KB

Download
memory/1388-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads