qakbot | ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

General

Target

4574557[1].png.exe
Size

1.0MB
MD5

8f84a75f05de69afb3326e24318117a2
SHA1

b96e0de50f0215d6b07095a89e93f56aa83fde2b
SHA256

ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094
SHA512

35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Score

10^/10

qakbot abc030 1605174628 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

abc030

Campaign

1605174628

C2

203.198.96.163:443

78.125.133.231:443

37.105.231.62:443

173.245.152.231:443

85.60.132.8:2078

47.44.217.98:443

24.55.66.125:443

73.166.10.38:995

85.105.29.218:443

92.154.83.96:1194

72.179.13.59:443

86.97.191.98:2222

78.101.234.58:443

108.160.123.244:443

90.148.201.218:995

46.53.21.97:443

90.53.103.157:2222

2.50.169.188:443

173.197.22.90:2222

217.165.2.92:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

hutqy.exehutqy.exe

pid process

3944 hutqy.exe
2664 hutqy.exe

pid	process
3944	hutqy.exe
2664	hutqy.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hutqy.exe4574557[1].png.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	hutqy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	hutqy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	hutqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	4574557[1].png.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	4574557[1].png.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	4574557[1].png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	4574557[1].png.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	4574557[1].png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	hutqy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	hutqy.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	4574557[1].png.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	hutqy.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2328 schtasks.exe

pid	process
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

4574557[1].png.exe4574557[1].png.exehutqy.exehutqy.exeexplorer.exe4574557[1].png.exe

pid	process
3084	4574557[1].png.exe
3084	4574557[1].png.exe
4068	4574557[1].png.exe
4068	4574557[1].png.exe
4068	4574557[1].png.exe
4068	4574557[1].png.exe
3944	hutqy.exe
3944	hutqy.exe
2664	hutqy.exe
2664	hutqy.exe
2664	hutqy.exe
2664	hutqy.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
3200	4574557[1].png.exe
3200	4574557[1].png.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hutqy.exe

pid process

3944 hutqy.exe

pid	process
3944	hutqy.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4574557[1].png.exehutqy.exe

description	pid	process	target process
PID 3084 wrote to memory of 4068	3084	4574557[1].png.exe	4574557[1].png.exe
PID 3084 wrote to memory of 4068	3084	4574557[1].png.exe	4574557[1].png.exe
PID 3084 wrote to memory of 4068	3084	4574557[1].png.exe	4574557[1].png.exe
PID 3084 wrote to memory of 3944	3084	4574557[1].png.exe	hutqy.exe
PID 3084 wrote to memory of 3944	3084	4574557[1].png.exe	hutqy.exe
PID 3084 wrote to memory of 3944	3084	4574557[1].png.exe	hutqy.exe
PID 3084 wrote to memory of 2328	3084	4574557[1].png.exe	schtasks.exe
PID 3084 wrote to memory of 2328	3084	4574557[1].png.exe	schtasks.exe
PID 3084 wrote to memory of 2328	3084	4574557[1].png.exe	schtasks.exe
PID 3944 wrote to memory of 2664	3944	hutqy.exe	hutqy.exe
PID 3944 wrote to memory of 2664	3944	hutqy.exe	hutqy.exe
PID 3944 wrote to memory of 2664	3944	hutqy.exe	hutqy.exe
PID 3944 wrote to memory of 1128	3944	hutqy.exe	explorer.exe
PID 3944 wrote to memory of 1128	3944	hutqy.exe	explorer.exe
PID 3944 wrote to memory of 1128	3944	hutqy.exe	explorer.exe
PID 3944 wrote to memory of 1128	3944	hutqy.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
"C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tkzprhyv /tr "\"C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe\" /I tkzprhyv" /SC ONCE /Z /ST 19:37 /ET 19:49
2⤵
- Creates scheduled task(s)
PID:2328

C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe
C:\Users\Admin\AppData\Local\Temp\4574557[1].png.exe /I tkzprhyv
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.dat
MD5
4e63a62a6eed61f43e998c1953f34aac

SHA1
b2b9aa391d46c5df404a679b35c7ee4b0e945598

SHA256
50fc2a60c66d3ac454b1b14a3943b94b714d8f4da865bef094ca6ba509374fd6

SHA512
a28ad22350b5fdeae338c038d15ab8a2c259fc9b740bc0e368556d90d741069f19422b8a2e27a2838dd665225db9b0f101f0d98f9e7c238fbb36021acd6d617f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Vuoywf\hutqy.exe
MD5
8f84a75f05de69afb3326e24318117a2

SHA1
b96e0de50f0215d6b07095a89e93f56aa83fde2b

SHA256
ac11418eab2ce452eee06a6fc218716ded1748ad0a94a7e28e2454544a80e094

SHA512
35159cb15ea90bf47c4bcad4518e972b9b7be1c2c000d73f9a1dacd76590a42d0df9a684793a703765f3c56879e03a9208b39061ba41a9c5d08963f4d79527b0

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1128-10-0x0000000000000000-mapping.dmp

Download
memory/2328-5-0x0000000000000000-mapping.dmp

Download
memory/2664-6-0x0000000000000000-mapping.dmp

Download
memory/2664-8-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3944-9-0x00000000021F0000-0x000000000222A000-memory.dmp

Filesize
232KB

Download
memory/3944-2-0x0000000000000000-mapping.dmp

Download
memory/4068-0-0x0000000000000000-mapping.dmp

Download
memory/4068-1-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads