qakbot | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39

General

Target

99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
Size

1.0MB
MD5

b4c4124ef49eef7085d34ddab3b4ae9f
SHA1

87e3ffc0b6274a3084d1b0f97af29037bcc317bf
SHA256

99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39
SHA512

20e0c48b4ada8916ef03cb92b92a9c3557327feaacb409bac648b8d50f1c7ae9d2ddc89ad931bfebaf5af8ac16b1a8a2012d2832facb015379748ad8d6946955

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1604 PING.EXE

pid	process
1604	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe

pid	process
684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
1316	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
1316	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.execmd.exe

description	pid	process	target process
PID 684 wrote to memory of 1316	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
PID 684 wrote to memory of 1316	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
PID 684 wrote to memory of 1316	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
PID 684 wrote to memory of 1316	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
PID 684 wrote to memory of 1352	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	cmd.exe
PID 684 wrote to memory of 1352	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	cmd.exe
PID 684 wrote to memory of 1352	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	cmd.exe
PID 684 wrote to memory of 1352	684	99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe	cmd.exe
PID 1352 wrote to memory of 1604	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 1604	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 1604	1352	cmd.exe	PING.EXE
PID 1352 wrote to memory of 1604	1352	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-0-0x0000000000000000-mapping.dmp

Download
memory/1316-1-0x0000000002500000-0x0000000002511000-memory.dmp

Filesize
68KB

Download
memory/1352-2-0x0000000000000000-mapping.dmp

Download
memory/1604-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing