Overview

overview

10

Static

static

Pipap/dfoeyne.exe

windows7_x64

10

Pipap/dfoeyne.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-05-2021 08:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pipap/dfoeyne.exe

  • Size

    311KB

  • MD5

    d6bdce5cef1aa129eda14c94dcb4e3b6

  • SHA1

    f929e983199ed7c920a1d3379fa8035c8ca97d4d

  • SHA256

    ca0b7d370f816b72123306c076bf9dead8038918391e53549877324218e6a1e7

  • SHA512

    817e5adb7c2058c6ff060615d85d377e978ece689f7756d5b9fe43db38bfb18eb8fd06be4f770d486e5beb1f379ccc14ccd9612b200c3341cdf06fa057505da0

Score
10/10
qakbotnotset1596817234bankerpersistencestealertrojan

Malware Config

Extracted

Family

qakbot

Version

325.42

Botnet

notset

Campaign

1596817234

Credentials

  • Protocol:     ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:     ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:     ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:     ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

47.44.217.98:443

86.97.146.204:2222

65.60.228.130:443

216.201.162.158:443

94.59.24.79:995

108.46.145.30:443

24.139.132.70:443

47.206.174.82:443

188.52.106.206:20

72.204.242.138:6881

173.173.72.199:443

71.163.224.206:443

63.155.9.141:995

100.34.195.237:443

47.39.177.171:2222

96.20.108.17:2222

115.21.224.117:443

70.164.39.91:443

45.47.65.191:443

207.155.107.111:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe
      "C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe
        C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe /C
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1432
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1576
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:744
        • C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe
          "C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe" /W
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:472
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /tn {76C6BBEE-4267-4DC4-A8F1-DFF40E7AF71C} /tr "\"C:\Users\Admin\AppData\Local\Temp\Pipap\dfoeyne.exe\"" /sc HOURLY /mo 5 /F
          4⤵
          • Creates scheduled task(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:1056
        • C:\Windows\SysWOW64\whoami.exe
          whoami /all
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:932
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c set
          4⤵
            PID:1016
          • C:\Windows\SysWOW64\arp.exe
            arp -a
            4⤵
              PID:1064
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              4⤵
              • Gathers network information
              PID:972
            • C:\Windows\SysWOW64\net.exe
              net view /all
              4⤵
              • Discovers systems in the same network
              • Suspicious behavior: EnumeratesProcesses
              PID:1108
            • C:\Windows\SysWOW64\nslookup.exe
              nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
              4⤵
                PID:1488
              • C:\Windows\SysWOW64\net.exe
                net share
                4⤵
                  PID:1324
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 share
                    5⤵
                      PID:1080
                  • C:\Windows\SysWOW64\route.exe
                    route print
                    4⤵
                      PID:1136
                    • C:\Windows\SysWOW64\netstat.exe
                      netstat -nao
                      4⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:516
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup
                      4⤵
                        PID:1724
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 localgroup
                          5⤵
                            PID:616
                  • C:\Windows\system32\Dwm.exe
                    "C:\Windows\system32\Dwm.exe"
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1172
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1116
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1660
                  • C:\Windows\system32\conhost.exe
                    \??\C:\Windows\system32\conhost.exe "384225671762752028-84317450116035134801799803185-1104674726-1943575862-233614963"
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:300
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                    1⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1596
                  • C:\Windows\system32\msiexec.exe
                    C:\Windows\system32\msiexec.exe /V
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:692
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                    1⤵
                      PID:916

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Scheduled Task

                    1
                    T1053

                    Command-Line Interface

                    1
                    T1059

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Scheduled Task

                    1
                    T1053

                    Privilege Escalation

                    Scheduled Task

                    1
                    T1053

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Remote System Discovery

                    1
                    T1018

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • \??\PIPE\wkssvc
                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      Download Submit
                    • memory/300-126-0x00000000001D0000-0x0000000000205000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/300-127-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/472-73-0x0000000000000000-mapping.dmp
                      Download
                    • memory/472-95-0x0000000000270000-0x000000000029C000-memory.dmp
                      Filesize

                      176KB

                      Download
                    • memory/472-99-0x00000000002B0000-0x00000000002B1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/516-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/616-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/692-139-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/744-77-0x00000000000E0000-0x0000000000117000-memory.dmp
                      Filesize

                      220KB

                      Download
                    • memory/744-86-0x0000000000380000-0x0000000000381000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/744-141-0x00000000020B0000-0x0000000002130000-memory.dmp
                      Filesize

                      512KB

                      Download
                    • memory/744-109-0x0000000000420000-0x0000000000421000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/744-79-0x0000000000630000-0x0000000000690000-memory.dmp
                      Filesize

                      384KB

                      Download
                    • memory/744-129-0x00000000020B0000-0x0000000002130000-memory.dmp
                      Filesize

                      512KB

                      Download
                    • memory/744-83-0x0000000000290000-0x0000000000291000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/744-142-0x00000000020B0000-0x0000000002130000-memory.dmp
                      Filesize

                      512KB

                      Download
                    • memory/744-80-0x0000000000280000-0x0000000000281000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/744-71-0x0000000000000000-mapping.dmp
                      Download
                    • memory/744-125-0x0000000002050000-0x0000000002051000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/744-93-0x0000000000270000-0x0000000000271000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/916-144-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/916-143-0x0000000000310000-0x0000000000345000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/932-112-0x0000000000000000-mapping.dmp
                      Download
                    • memory/972-115-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1016-113-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1056-105-0x0000000000250000-0x000000000027C000-memory.dmp
                      Filesize

                      176KB

                      Download
                    • memory/1056-106-0x0000000000450000-0x0000000000451000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1056-102-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1064-114-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1080-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1080-59-0x00000000766D1000-0x00000000766D3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1080-61-0x0000000000400000-0x0000000000450000-memory.dmp
                      Filesize

                      320KB

                      Download
                    • memory/1080-60-0x00000000003A0000-0x00000000003E4000-memory.dmp
                      Filesize

                      272KB

                      Download
                    • memory/1108-117-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1108-123-0x0000000000240000-0x0000000000241000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1108-122-0x0000000000210000-0x000000000023C000-memory.dmp
                      Filesize

                      176KB

                      Download
                    • memory/1116-96-0x0000000000230000-0x0000000000265000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/1116-97-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1116-76-0x0000000000150000-0x0000000000151000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1136-135-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1172-89-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1172-81-0x0000000001C80000-0x0000000001CB5000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/1200-85-0x0000000003B20000-0x0000000003B55000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/1200-87-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1324-133-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1432-62-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1488-132-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1576-69-0x0000000000080000-0x00000000000C7000-memory.dmp
                      Filesize

                      284KB

                      Download
                    • memory/1576-91-0x0000000000660000-0x000000000068C000-memory.dmp
                      Filesize

                      176KB

                      Download
                    • memory/1576-70-0x00000000001F0000-0x0000000000227000-memory.dmp
                      Filesize

                      220KB

                      Download
                    • memory/1576-68-0x0000000074DF1000-0x0000000074DF3000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1576-66-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1576-88-0x00000000001D0000-0x00000000001D1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1576-98-0x0000000000270000-0x0000000000271000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1596-131-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1596-130-0x0000000000210000-0x0000000000245000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/1660-111-0x00000000773A0000-0x00000000773A1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1660-110-0x0000000002A00000-0x0000000002A35000-memory.dmp
                      Filesize

                      212KB

                      Download
                    • memory/1724-137-0x0000000000000000-mapping.dmp
                      Download