qakbot | 5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

General

Target

hlsyro.exe
Size

1.0MB
MD5

5ba4e87c65ca68df74d9b04f0c1c914d
SHA1

97f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA256

5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
SHA512

ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Score

10^/10

qakbot notset 1604404534 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

leaeye.exeleaeye.exe

pid process

1588 leaeye.exe
432 leaeye.exe
Loads dropped DLL 2 IoCs

Processes:

hlsyro.exe

pid process

1068 hlsyro.exe
1068 hlsyro.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

hlsyro.exehlsyro.exeleaeye.exeleaeye.exeexplorer.exehlsyro.exe

pid process

1068 hlsyro.exe
1572 hlsyro.exe
1572 hlsyro.exe
1588 leaeye.exe
432 leaeye.exe
432 leaeye.exe
572 explorer.exe
572 explorer.exe
928 hlsyro.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

leaeye.exe

pid process

1588 leaeye.exe

pid	process
1588	leaeye.exe
432	leaeye.exe

pid	process
1068	hlsyro.exe
1068	hlsyro.exe

pid	process
1652	schtasks.exe

pid	process
1068	hlsyro.exe
1572	hlsyro.exe
1572	hlsyro.exe
1588	leaeye.exe
432	leaeye.exe
432	leaeye.exe
572	explorer.exe
572	explorer.exe
928	hlsyro.exe

pid	process
1588	leaeye.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

hlsyro.exeleaeye.exetaskeng.exe

description	pid	process	target process
PID 1068 wrote to memory of 1572	1068	hlsyro.exe	hlsyro.exe
PID 1068 wrote to memory of 1572	1068	hlsyro.exe	hlsyro.exe
PID 1068 wrote to memory of 1572	1068	hlsyro.exe	hlsyro.exe
PID 1068 wrote to memory of 1572	1068	hlsyro.exe	hlsyro.exe
PID 1068 wrote to memory of 1588	1068	hlsyro.exe	leaeye.exe
PID 1068 wrote to memory of 1588	1068	hlsyro.exe	leaeye.exe
PID 1068 wrote to memory of 1588	1068	hlsyro.exe	leaeye.exe
PID 1068 wrote to memory of 1588	1068	hlsyro.exe	leaeye.exe
PID 1068 wrote to memory of 1652	1068	hlsyro.exe	schtasks.exe
PID 1068 wrote to memory of 1652	1068	hlsyro.exe	schtasks.exe
PID 1068 wrote to memory of 1652	1068	hlsyro.exe	schtasks.exe
PID 1068 wrote to memory of 1652	1068	hlsyro.exe	schtasks.exe
PID 1588 wrote to memory of 432	1588	leaeye.exe	leaeye.exe
PID 1588 wrote to memory of 432	1588	leaeye.exe	leaeye.exe
PID 1588 wrote to memory of 432	1588	leaeye.exe	leaeye.exe
PID 1588 wrote to memory of 432	1588	leaeye.exe	leaeye.exe
PID 1588 wrote to memory of 572	1588	leaeye.exe	explorer.exe
PID 1588 wrote to memory of 572	1588	leaeye.exe	explorer.exe
PID 1588 wrote to memory of 572	1588	leaeye.exe	explorer.exe
PID 1588 wrote to memory of 572	1588	leaeye.exe	explorer.exe
PID 1588 wrote to memory of 572	1588	leaeye.exe	explorer.exe
PID 1308 wrote to memory of 928	1308	taskeng.exe	hlsyro.exe
PID 1308 wrote to memory of 928	1308	taskeng.exe	hlsyro.exe
PID 1308 wrote to memory of 928	1308	taskeng.exe	hlsyro.exe
PID 1308 wrote to memory of 928	1308	taskeng.exe	hlsyro.exe

C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
"C:\Users\Admin\AppData\Local\Temp\hlsyro.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
C:\Users\Admin\AppData\Local\Temp\hlsyro.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nhyxqom /tr "\"C:\Users\Admin\AppData\Local\Temp\hlsyro.exe\" /I nhyxqom" /SC ONCE /Z /ST 14:38 /ET 14:50
2⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {4D381985-E6AC-461E-A3C4-D047ABDDC5C1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
C:\Users\Admin\AppData\Local\Temp\hlsyro.exe /I nhyxqom
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:928

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.dat
MD5
1baf990dcfc7303217eae8237610a2ea

SHA1
1830862d31423610c2b182b9d27a9c688bdd78ca

SHA256
18192d022cf723b68d673ef73e4043dba98275d78028b15d3e331e15d2c332b8

SHA512
2c0bed55568149167a4a9aabe7762cf8fcd12db191933c5507587550f11cf3da591c1e05ddd09bb1f7285a356d41782def61616a9a3eceddbd7707d14cf4c282

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
MD5
5ba4e87c65ca68df74d9b04f0c1c914d

SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b

SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
MD5
5ba4e87c65ca68df74d9b04f0c1c914d

SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b

SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
MD5
5ba4e87c65ca68df74d9b04f0c1c914d

SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b

SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
MD5
5ba4e87c65ca68df74d9b04f0c1c914d

SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b

SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
MD5
5ba4e87c65ca68df74d9b04f0c1c914d

SHA1
97f6dd6b6c79e2552ab773893fe0762532f7aa7b

SHA256
5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

SHA512
ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

Download Submit
memory/432-8-0x0000000000000000-mapping.dmp

Download
memory/432-11-0x0000000002490000-0x00000000024A1000-memory.dmp

Filesize
68KB

Download
memory/572-13-0x0000000000000000-mapping.dmp

Download
memory/928-15-0x0000000000000000-mapping.dmp

Download
memory/1572-0-0x0000000000000000-mapping.dmp

Download
memory/1572-1-0x00000000024E0000-0x00000000024F1000-memory.dmp

Filesize
68KB

Download
memory/1588-4-0x0000000000000000-mapping.dmp

Download
memory/1588-12-0x00000000003B0000-0x00000000003EA000-memory.dmp

Filesize
232KB

Download
memory/1652-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads