qakbot | 73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f

Target

update2.exe
Size

746KB
MD5

0bfb4a1efbb20a7291fcc022dec7d58b
SHA1

faec2a0afe296224f980ac059cf63f18eba800ce
SHA256

73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
SHA512

eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425

Score

10^/10

qakbot 1572863946 banker evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Campaign

1572863946

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

112.171.126.153:443

67.200.146.98:2222

174.16.234.171:993

71.30.56.170:443

71.77.231.251:443

72.213.98.233:443

2.50.170.151:443

184.180.157.203:2222

96.35.170.82:2222

64.19.74.29:995

104.32.185.213:2222

104.3.91.20:995

173.22.120.11:2222

173.3.132.17:995

74.194.4.181:443

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

104.34.122.18:443

65.30.12.240:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 4 IoCs

pid	Process
1468	icfjslh.exe
1020	icfjslh.exe
1328	icfjslh.exe
1468	icfjslh.exe

Loads dropped DLL 18 IoCs

pid	Process
1824	update2.exe
1824	update2.exe
1468	icfjslh.exe
1468	icfjslh.exe
1468	icfjslh.exe
1468	icfjslh.exe
1020	icfjslh.exe
1020	icfjslh.exe
1020	icfjslh.exe
1888	update2.exe
1888	update2.exe
1328	icfjslh.exe
1328	icfjslh.exe
1328	icfjslh.exe
1328	icfjslh.exe
1468	icfjslh.exe
1468	icfjslh.exe
1468	icfjslh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\zcchijxq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Xfzezfol\\icfjslh.exe\""	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1496	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	update2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	update2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	update2.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
548	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1824	update2.exe
1684	update2.exe
1684	update2.exe
1468	icfjslh.exe
1020	icfjslh.exe
1020	icfjslh.exe
1000	explorer.exe
1000	explorer.exe
1888	update2.exe
1328	icfjslh.exe
1468	icfjslh.exe
1468	icfjslh.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1468	icfjslh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1684	1824	update2.exe	29
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1468	1824	update2.exe	30
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1824 wrote to memory of 1496	1824	update2.exe	31
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1020	1468	icfjslh.exe	33
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1468 wrote to memory of 1000	1468	icfjslh.exe	34
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1268 wrote to memory of 1888	1268	taskeng.exe	36
PID 1888 wrote to memory of 1016	1888	update2.exe	37
PID 1888 wrote to memory of 1016	1888	update2.exe	37
PID 1888 wrote to memory of 1016	1888	update2.exe	37
PID 1888 wrote to memory of 1016	1888	update2.exe	37
PID 1888 wrote to memory of 1160	1888	update2.exe	39
PID 1888 wrote to memory of 1160	1888	update2.exe	39
PID 1888 wrote to memory of 1160	1888	update2.exe	39
PID 1888 wrote to memory of 1160	1888	update2.exe	39
PID 1888 wrote to memory of 1828	1888	update2.exe	41
PID 1888 wrote to memory of 1828	1888	update2.exe	41
PID 1888 wrote to memory of 1828	1888	update2.exe	41
PID 1888 wrote to memory of 1828	1888	update2.exe	41
PID 1888 wrote to memory of 1704	1888	update2.exe	43
PID 1888 wrote to memory of 1704	1888	update2.exe	43
PID 1888 wrote to memory of 1704	1888	update2.exe	43
PID 1888 wrote to memory of 1704	1888	update2.exe	43
PID 1888 wrote to memory of 964	1888	update2.exe	45
PID 1888 wrote to memory of 964	1888	update2.exe	45
PID 1888 wrote to memory of 964	1888	update2.exe	45
PID 1888 wrote to memory of 964	1888	update2.exe	45
PID 1888 wrote to memory of 936	1888	update2.exe	47

C:\Users\Admin\AppData\Local\Temp\update2.exe
"C:\Users\Admin\AppData\Local\Temp\update2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\update2.exe
  C:\Users\Admin\AppData\Local\Temp\update2.exe /C
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe /C
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1020
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rvpxkzlv /tr "\"C:\Users\Admin\AppData\Local\Temp\update2.exe\" /I rvpxkzlv" /SC ONCE /Z /ST 07:54 /ET 08:06
  2⤵
  - Creates scheduled task(s)
  PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {719C4B59-D72A-4328-A346-44DA80DB9F19} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\update2.exe
  C:\Users\Admin\AppData\Local\Temp\update2.exe /I rvpxkzlv
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1016
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1160
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:1828
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:936
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:520
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    3⤵
    PID:1900
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol" /d "0"
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe /C
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\update2.exe"
    3⤵
    PID:1848
  - - C:\Windows\system32\PING.EXE
      ping.exe -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:548
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /DELETE /F /TN rvpxkzlv
    3⤵
    PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-38-0x0000000000430000-0x0000000000471000-memory.dmp

Filesize
260KB

Download
memory/1000-35-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1000-37-0x00000000000D0000-0x0000000000162000-memory.dmp

Filesize
584KB

Download
memory/1020-32-0x00000000026D0000-0x00000000026E1000-memory.dmp

Filesize
68KB

Download
memory/1468-74-0x0000000002660000-0x0000000002671000-memory.dmp

Filesize
68KB

Download
memory/1684-9-0x0000000002620000-0x0000000002631000-memory.dmp

Filesize
68KB

Download
memory/1824-4-0x0000000001F50000-0x0000000001FE2000-memory.dmp

Filesize
584KB

Download
memory/1824-3-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1824-2-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1888-41-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download