qakbot | ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

General

Target

4574557[1].png.exe
Size

1.0MB
MD5

8f84a75f05de69afb3326e24318117a2
SHA1

b96e0de50f0215d6b07095a89e93f56aa83fde2b
SHA256

ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094
SHA512

35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Score

10^/10

qakbot abc030 1605174628 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc030

Campaign

1605174628

C2

203.198.96.163:443

78.125.133.231:443

37.105.231.62:443

173.245.152.231:443

85.60.132.8:2078

47.44.217.98:443

24.55.66.125:443

73.166.10.38:995

85.105.29.218:443

92.154.83.96:1194

72.179.13.59:443

86.97.191.98:2222

78.101.234.58:443

108.160.123.244:443

90.148.201.218:995

46.53.21.97:443

90.53.103.157:2222

2.50.169.188:443

173.197.22.90:2222

217.165.2.92:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

qaabplkn.exeqaabplkn.exe

pid process

1660 qaabplkn.exe
436 qaabplkn.exe
Loads dropped DLL 2 IoCs

Processes:

4574557[1].png.exe

pid process

2028 4574557[1].png.exe
2028 4574557[1].png.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2000 schtasks.exe

pid	process
1660	qaabplkn.exe
436	qaabplkn.exe

pid	process
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

4574557[1].png.exe4574557[1].png.exeqaabplkn.exeqaabplkn.exeexplorer.exe4574557[1].png.exe

pid	process
2028	4574557[1].png.exe
1220	4574557[1].png.exe
1220	4574557[1].png.exe
1660	qaabplkn.exe
436	qaabplkn.exe
436	qaabplkn.exe
580	explorer.exe
580	explorer.exe
1120	4574557[1].png.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

qaabplkn.exe

pid process

1660 qaabplkn.exe

pid	process
1660	qaabplkn.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

4574557[1].png.exeqaabplkn.exetaskeng.exe

description	pid	process	target process
PID 2028 wrote to memory of 1220	2028	4574557[1].png.exe	4574557[1].png.exe
PID 2028 wrote to memory of 1220	2028	4574557[1].png.exe	4574557[1].png.exe
PID 2028 wrote to memory of 1220	2028	4574557[1].png.exe	4574557[1].png.exe
PID 2028 wrote to memory of 1220	2028	4574557[1].png.exe	4574557[1].png.exe
PID 2028 wrote to memory of 1660	2028	4574557[1].png.exe	qaabplkn.exe
PID 2028 wrote to memory of 1660	2028	4574557[1].png.exe	qaabplkn.exe
PID 2028 wrote to memory of 1660	2028	4574557[1].png.exe	qaabplkn.exe
PID 2028 wrote to memory of 1660	2028	4574557[1].png.exe	qaabplkn.exe
PID 2028 wrote to memory of 2000	2028	4574557[1].png.exe	schtasks.exe
PID 2028 wrote to memory of 2000	2028	4574557[1].png.exe	schtasks.exe
PID 2028 wrote to memory of 2000	2028	4574557[1].png.exe	schtasks.exe
PID 2028 wrote to memory of 2000	2028	4574557[1].png.exe	schtasks.exe
PID 1660 wrote to memory of 436	1660	qaabplkn.exe	qaabplkn.exe
PID 1660 wrote to memory of 436	1660	qaabplkn.exe	qaabplkn.exe
PID 1660 wrote to memory of 436	1660	qaabplkn.exe	qaabplkn.exe
PID 1660 wrote to memory of 436	1660	qaabplkn.exe	qaabplkn.exe
PID 1660 wrote to memory of 580	1660	qaabplkn.exe	explorer.exe
PID 1660 wrote to memory of 580	1660	qaabplkn.exe	explorer.exe
PID 1660 wrote to memory of 580	1660	qaabplkn.exe	explorer.exe
PID 1660 wrote to memory of 580	1660	qaabplkn.exe	explorer.exe
PID 1660 wrote to memory of 580	1660	qaabplkn.exe	explorer.exe
PID 1464 wrote to memory of 1120	1464	taskeng.exe	4574557[1].png.exe
PID 1464 wrote to memory of 1120	1464	taskeng.exe	4574557[1].png.exe
PID 1464 wrote to memory of 1120	1464	taskeng.exe	4574557[1].png.exe
PID 1464 wrote to memory of 1120	1464	taskeng.exe	4574557[1].png.exe

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
"C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ynhchqptl /tr "\"C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe\" /I ynhchqptl" /SC ONCE /Z /ST 18:29 /ET 18:41
2⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {105CB81B-282E-4616-A859-E2B481E35E25} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe /I ynhchqptl
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.dat
MD5
04140fcb203ee87a55e3373915a7d945

SHA1
80d743a56600751c6cc1940afe0bd44493ef6bde

SHA256
3e17ef73d27cb0b936cd2cdd263ea8bfa3a1214c4595a11ed56fff5003df931b

SHA512
062f911c9ac5d703b2ad631b7be967e3389c968b57c682de0955a870b56b8d621af4fcfd606303a2a4f0550f5b92654226c91df082ce70a709ed0b792d7448bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Rehakwj\qaabplkn.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
memory/436-8-0x0000000000000000-mapping.dmp

Download
memory/436-10-0x0000000002660000-0x0000000002671000-memory.dmp

Filesize
68KB

Download
memory/580-12-0x0000000000000000-mapping.dmp

Download
memory/1120-14-0x0000000000000000-mapping.dmp

Download
memory/1220-1-0x0000000002500000-0x0000000002511000-memory.dmp

Filesize
68KB

Download
memory/1220-0-0x0000000000000000-mapping.dmp

Download
memory/1660-4-0x0000000000000000-mapping.dmp

Download
memory/1660-11-0x00000000024B0000-0x00000000024EA000-memory.dmp

Filesize
232KB

Download
memory/2000-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads