qakbot | 1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

General

Target

tckkfl.exe
Size

1.0MB
MD5

124615ed2006110918b2de48e4122315
SHA1

4539552b63d1cab0492c8cdde93dbcffb13c5e43
SHA256

1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef
SHA512

238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

geychiw.exegeychiw.exe

pid process

1660 geychiw.exe
1704 geychiw.exe
Loads dropped DLL 2 IoCs

Processes:

tckkfl.exe

pid process

2028 tckkfl.exe
2028 tckkfl.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

tckkfl.exetckkfl.exegeychiw.exegeychiw.exeexplorer.exetckkfl.exe

pid process

2028 tckkfl.exe
1728 tckkfl.exe
1728 tckkfl.exe
1660 geychiw.exe
1704 geychiw.exe
1704 geychiw.exe
240 explorer.exe
240 explorer.exe
1920 tckkfl.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

geychiw.exe

pid process

1660 geychiw.exe

pid	process
1660	geychiw.exe
1704	geychiw.exe

pid	process
2028	tckkfl.exe
2028	tckkfl.exe

pid	process
1932	schtasks.exe

pid	process
2028	tckkfl.exe
1728	tckkfl.exe
1728	tckkfl.exe
1660	geychiw.exe
1704	geychiw.exe
1704	geychiw.exe
240	explorer.exe
240	explorer.exe
1920	tckkfl.exe

pid	process
1660	geychiw.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

tckkfl.exegeychiw.exetaskeng.exe

description	pid	process	target process
PID 2028 wrote to memory of 1728	2028	tckkfl.exe	tckkfl.exe
PID 2028 wrote to memory of 1728	2028	tckkfl.exe	tckkfl.exe
PID 2028 wrote to memory of 1728	2028	tckkfl.exe	tckkfl.exe
PID 2028 wrote to memory of 1728	2028	tckkfl.exe	tckkfl.exe
PID 2028 wrote to memory of 1660	2028	tckkfl.exe	geychiw.exe
PID 2028 wrote to memory of 1660	2028	tckkfl.exe	geychiw.exe
PID 2028 wrote to memory of 1660	2028	tckkfl.exe	geychiw.exe
PID 2028 wrote to memory of 1660	2028	tckkfl.exe	geychiw.exe
PID 2028 wrote to memory of 1932	2028	tckkfl.exe	schtasks.exe
PID 2028 wrote to memory of 1932	2028	tckkfl.exe	schtasks.exe
PID 2028 wrote to memory of 1932	2028	tckkfl.exe	schtasks.exe
PID 2028 wrote to memory of 1932	2028	tckkfl.exe	schtasks.exe
PID 1660 wrote to memory of 1704	1660	geychiw.exe	geychiw.exe
PID 1660 wrote to memory of 1704	1660	geychiw.exe	geychiw.exe
PID 1660 wrote to memory of 1704	1660	geychiw.exe	geychiw.exe
PID 1660 wrote to memory of 1704	1660	geychiw.exe	geychiw.exe
PID 1660 wrote to memory of 240	1660	geychiw.exe	explorer.exe
PID 1660 wrote to memory of 240	1660	geychiw.exe	explorer.exe
PID 1660 wrote to memory of 240	1660	geychiw.exe	explorer.exe
PID 1660 wrote to memory of 240	1660	geychiw.exe	explorer.exe
PID 1660 wrote to memory of 240	1660	geychiw.exe	explorer.exe
PID 1464 wrote to memory of 1920	1464	taskeng.exe	tckkfl.exe
PID 1464 wrote to memory of 1920	1464	taskeng.exe	tckkfl.exe
PID 1464 wrote to memory of 1920	1464	taskeng.exe	tckkfl.exe
PID 1464 wrote to memory of 1920	1464	taskeng.exe	tckkfl.exe

C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
"C:\Users\Admin\AppData\Local\Temp\tckkfl.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
C:\Users\Admin\AppData\Local\Temp\tckkfl.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fvhkpbjxly /tr "\"C:\Users\Admin\AppData\Local\Temp\tckkfl.exe\" /I fvhkpbjxly" /SC ONCE /Z /ST 14:45 /ET 14:57
2⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\taskeng.exe
taskeng.exe {C5DB33EE-7E1A-4FEC-B301-43F5E85CB54A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\tckkfl.exe
C:\Users\Admin\AppData\Local\Temp\tckkfl.exe /I fvhkpbjxly
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.dat
MD5
f20696ab98cdcdf3232b2c8a179b9fef

SHA1
08eef9538e195599b624b2f6ba1645fba59d04e1

SHA256
04cd691bebf7b55df9c60ab2789c28ccb45f53a3536fd0927ee9c89bae8d6c98

SHA512
f0c503ca84185e7052fb482170642eb582b5e1a63aff74500ad8988b4193ca3cc95acaf0a161976ded312c0d26e75a362402afaffc67527f7928a463c34e2a35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
MD5
124615ed2006110918b2de48e4122315

SHA1
4539552b63d1cab0492c8cdde93dbcffb13c5e43

SHA256
1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

SHA512
238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
MD5
124615ed2006110918b2de48e4122315

SHA1
4539552b63d1cab0492c8cdde93dbcffb13c5e43

SHA256
1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

SHA512
238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
MD5
124615ed2006110918b2de48e4122315

SHA1
4539552b63d1cab0492c8cdde93dbcffb13c5e43

SHA256
1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

SHA512
238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
MD5
124615ed2006110918b2de48e4122315

SHA1
4539552b63d1cab0492c8cdde93dbcffb13c5e43

SHA256
1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

SHA512
238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Aadxeceile\geychiw.exe
MD5
124615ed2006110918b2de48e4122315

SHA1
4539552b63d1cab0492c8cdde93dbcffb13c5e43

SHA256
1a1a29fe0eac483a8290145a50aa875873cc51bf7928667b6f5f33a64b5f8cef

SHA512
238eb6615138cddcabf2141d40627718f3f618b080d789b573cb698f3651d07eb681af34850f2179526bdafd544136f0882bbda902cb6c7ac865378adaa31cb9

Download Submit
memory/240-12-0x0000000000000000-mapping.dmp

Download
memory/1660-11-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/1660-4-0x0000000000000000-mapping.dmp

Download
memory/1704-8-0x0000000000000000-mapping.dmp

Download
memory/1704-10-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/1728-0-0x0000000000000000-mapping.dmp

Download
memory/1728-1-0x0000000002630000-0x0000000002641000-memory.dmp

Filesize
68KB

Download
memory/1920-14-0x0000000000000000-mapping.dmp

Download
memory/1932-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads