hlsyro.exe

General

Target: hlsyro.exe
Filesize: 1MB
Completed: 23-11-2020 14:42
Score: 10/10
MD5: 5ba4e87c65ca68df74d9b04f0c1c914d
SHA1: 97f6dd6b6c79e2552ab773893fe0762532f7aa7b
SHA256: 5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c

Malware Config

Extracted

Family: qakbot
Botnet: notset
Campaign: 1604404534
Credentials

Protocol: ftp

Host: 192.185.5.208

Port: 21

Username: logger@dustinkeeling.com

Password: NxdkxAp4dUsY

Protocol: ftp

Host: 162.241.218.118

Port: 21

Username: logger@misterexterior.com

Password: EcOV0DyGVgVN

Protocol: ftp

Host: 69.89.31.139

Port: 21

Username: cpanel@vivekharris-architects.com

Password: fcR7OvyLrMW6!

Protocol: ftp

Host: 169.207.67.14

Port: 21

Username: cpanel@dovetailsolar.com

Password: eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

78.97.3.6:443

108.46.145.30:443

68.134.181.98:443

85.121.42.12:995

75.87.161.32:995

68.174.15.223:443

149.28.99.97:995

199.247.16.80:443

45.32.155.12:443

149.28.99.97:2222

149.28.99.97:443

70.168.130.172:995

93.86.252.177:995

50.244.112.10:995

59.99.36.238:443

185.246.9.69:995

208.99.100.129:443

41.97.25.63:443

72.186.1.237:443

59.99.36.241:443

45.32.155.12:2222

96.30.198.161:443

140.82.27.132:443

45.32.165.134:443

45.63.104.123:443

207.246.70.216:443

97.118.38.31:993

134.228.24.29:443

188.25.24.21:2222

2.89.17.127:995

Signatures 7

Persistence
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE
    leaeye.exe, leaeye.exe

    Reported IOCs

    pid   process
    1588  leaeye.exe
    432   leaeye.exe
  • Loads dropped DLL
    hlsyro.exe

    Reported IOCs

    pid   process
    1068  hlsyro.exe
    1068  hlsyro.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1652  schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    hlsyro.exe, hlsyro.exe, leaeye.exe, leaeye.exe, explorer.exe, hlsyro.exe

    Reported IOCs

    pid   process
    1068  hlsyro.exe
    1572  hlsyro.exe
    1572  hlsyro.exe
    1588  leaeye.exe
    432   leaeye.exe
    432   leaeye.exe
    572   explorer.exe
    572   explorer.exe
    928   hlsyro.exe
  • Suspicious behavior: MapViewOfSection
    leaeye.exe

    Reported IOCs

    pid   process
    1588  leaeye.exe
  • Suspicious use of WriteProcessMemory
    hlsyro.exe, leaeye.exe, taskeng.exe

    Reported IOCs

    description                        pid   process      target process
    PID 1068 wrote to memory of 1572   1068  hlsyro.exe   hlsyro.exe
    PID 1068 wrote to memory of 1572   1068  hlsyro.exe   hlsyro.exe
    PID 1068 wrote to memory of 1572   1068  hlsyro.exe   hlsyro.exe
    PID 1068 wrote to memory of 1572   1068  hlsyro.exe   hlsyro.exe
    PID 1068 wrote to memory of 1588   1068  hlsyro.exe   leaeye.exe
    PID 1068 wrote to memory of 1588   1068  hlsyro.exe   leaeye.exe
    PID 1068 wrote to memory of 1588   1068  hlsyro.exe   leaeye.exe
    PID 1068 wrote to memory of 1588   1068  hlsyro.exe   leaeye.exe
    PID 1068 wrote to memory of 1652   1068  hlsyro.exe   schtasks.exe
    PID 1068 wrote to memory of 1652   1068  hlsyro.exe   schtasks.exe
    PID 1068 wrote to memory of 1652   1068  hlsyro.exe   schtasks.exe
    PID 1068 wrote to memory of 1652   1068  hlsyro.exe   schtasks.exe
    PID 1588 wrote to memory of 432    1588  leaeye.exe   leaeye.exe
    PID 1588 wrote to memory of 432    1588  leaeye.exe   leaeye.exe
    PID 1588 wrote to memory of 432    1588  leaeye.exe   leaeye.exe
    PID 1588 wrote to memory of 432    1588  leaeye.exe   leaeye.exe
    PID 1588 wrote to memory of 572    1588  leaeye.exe   explorer.exe
    PID 1588 wrote to memory of 572    1588  leaeye.exe   explorer.exe
    PID 1588 wrote to memory of 572    1588  leaeye.exe   explorer.exe
    PID 1588 wrote to memory of 572    1588  leaeye.exe   explorer.exe
    PID 1588 wrote to memory of 572    1588  leaeye.exe   explorer.exe
    PID 1308 wrote to memory of 928    1308  taskeng.exe  hlsyro.exe
    PID 1308 wrote to memory of 928    1308  taskeng.exe  hlsyro.exe
    PID 1308 wrote to memory of 928    1308  taskeng.exe  hlsyro.exe
    PID 1308 wrote to memory of 928    1308  taskeng.exe  hlsyro.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
    "C:\Users\Admin\AppData\Local\Temp\hlsyro.exe"
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
      C:\Users\Admin\AppData\Local\Temp\hlsyro.exe /C
      Suspicious behavior: EnumeratesProcesses
      PID:1572
    • C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe /C
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:432
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious behavior: EnumeratesProcesses
        PID:572
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nhyxqom /tr "\"C:\Users\Admin\AppData\Local\Temp\hlsyro.exe\" /I nhyxqom" /SC ONCE /Z /ST 14:38 /ET 14:50
      Creates scheduled task(s)
      PID:1652
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4D381985-E6AC-461E-A3C4-D047ABDDC5C1} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\hlsyro.exe
      C:\Users\Admin\AppData\Local\Temp\hlsyro.exe /I nhyxqom
      Suspicious behavior: EnumeratesProcesses
      PID:928
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.dat
    MD5: 1baf990dcfc7303217eae8237610a2ea
    SHA1: 1830862d31423610c2b182b9d27a9c688bdd78ca
    SHA256: 18192d022cf723b68d673ef73e4043dba98275d78028b15d3e331e15d2c332b8
    SHA512: 2c0bed55568149167a4a9aabe7762cf8fcd12db191933c5507587550f11cf3da591c1e05ddd09bb1f7285a356d41782def61616a9a3eceddbd7707d14cf4c282
  • C:\Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
    (same MD5/SHA1/SHA256 as the submitted hlsyro.exe: the sample copies itself to this path)
    MD5: 5ba4e87c65ca68df74d9b04f0c1c914d
    SHA1: 97f6dd6b6c79e2552ab773893fe0762532f7aa7b
    SHA256: 5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
    SHA512: ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

  • \??\PIPE\wkssvc
    (these are the hashes of empty content; no data was captured from the pipe)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  • \Users\Admin\AppData\Roaming\Microsoft\Iyhpveej\leaeye.exe
    MD5: 5ba4e87c65ca68df74d9b04f0c1c914d
    SHA1: 97f6dd6b6c79e2552ab773893fe0762532f7aa7b
    SHA256: 5182762d20edf7e1d4f4ef56f19efeb6ecdbad6ca41c352f3bec47b584b0683c
    SHA512: ad096ad947c42c713d43251fca278fc66d4f247dabe5fcae963c45c09d321e1cc7bdad01ef29fdab121dddb9533663492633f57f72c42cf91e536efba07ae9a3

  • memory/432-11-0x0000000002490000-0x00000000024A1000-memory.dmp
  • memory/432-8-0x0000000000000000-mapping.dmp
  • memory/572-13-0x0000000000000000-mapping.dmp
  • memory/928-15-0x0000000000000000-mapping.dmp
  • memory/1572-1-0x00000000024E0000-0x00000000024F1000-memory.dmp
  • memory/1572-0-0x0000000000000000-mapping.dmp
  • memory/1588-12-0x00000000003B0000-0x00000000003EA000-memory.dmp
  • memory/1588-4-0x0000000000000000-mapping.dmp
  • memory/1652-6-0x0000000000000000-mapping.dmp