qakbot | 253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147

General

Target

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Size

2.0MB
MD5

cbb2e1d1db2a66b83c80dd88e6c99871
SHA1

0be82731d14ea5a78974a0ca2570e53e69422fc8
SHA256

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147
SHA512

9ea53aa6638e9c221e7f46f9b28782819f3808571a4687335e7ae8494ae91daef9ddee485cdf5eee9456df9fd05d9960a35f1e988eb083c5b3308bbd129192bf

Score

10^/10

qakbot spx107 1588082813 banker cryptone evasion packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx107

Campaign

1588082813

C2

97.81.255.189:443

67.8.103.21:443

47.232.26.181:443

50.104.67.101:443

173.172.205.216:443

108.188.46.240:995

96.35.170.82:2222

70.95.94.91:2222

72.204.242.138:6881

72.231.224.122:2222

73.137.187.150:443

73.123.16.215:443

71.213.29.14:995

209.182.121.133:2222

82.210.157.185:443

69.47.26.41:443

86.122.7.89:443

71.187.170.235:443

79.113.46.93:443

74.134.4.236:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

CryptOne packer 3 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe	cryptone

Executes dropped EXE 2 IoCs

Processes:

epebmrn.exeepebmrn.exe

pid process

2980 epebmrn.exe
1996 epebmrn.exe

pid	process
2980	epebmrn.exe
1996	epebmrn.exe

Drops startup file 1 IoCs

Processes:

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\epebmrn.lnk	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

928 schtasks.exe

pid	process
928	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3596 PING.EXE

pid	process
3596	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exeepebmrn.exe

pid	process
3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
3120	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
3120	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
3120	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
3120	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
2980	epebmrn.exe
2980	epebmrn.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.execmd.exeepebmrn.exe

description	pid	process	target process
PID 3920 wrote to memory of 3120	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
PID 3920 wrote to memory of 3120	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
PID 3920 wrote to memory of 3120	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
PID 3920 wrote to memory of 928	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	schtasks.exe
PID 3920 wrote to memory of 928	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	schtasks.exe
PID 3920 wrote to memory of 928	3920	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	schtasks.exe
PID 1200 wrote to memory of 1496	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1496	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1540	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1540	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 3832	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 3832	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1536	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1536	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2136	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2136	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2872	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2872	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 3108	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 3108	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2212	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2212	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1892	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 1892	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	reg.exe
PID 1200 wrote to memory of 2980	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	epebmrn.exe
PID 1200 wrote to memory of 2980	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	epebmrn.exe
PID 1200 wrote to memory of 2980	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	epebmrn.exe
PID 1200 wrote to memory of 496	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	cmd.exe
PID 1200 wrote to memory of 496	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	cmd.exe
PID 1200 wrote to memory of 3808	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	schtasks.exe
PID 1200 wrote to memory of 3808	1200	253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe	schtasks.exe
PID 496 wrote to memory of 3596	496	cmd.exe	PING.EXE
PID 496 wrote to memory of 3596	496	cmd.exe	PING.EXE
PID 2980 wrote to memory of 1996	2980	epebmrn.exe	epebmrn.exe
PID 2980 wrote to memory of 1996	2980	epebmrn.exe	epebmrn.exe
PID 2980 wrote to memory of 1996	2980	epebmrn.exe	epebmrn.exe

C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
"C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ouoggut /tr "\"C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe\" /I ouoggut" /SC ONCE /Z /ST 09:35 /ET 09:47
2⤵
- Creates scheduled task(s)
PID:928

C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe
C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe /I ouoggut
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:1496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:1540

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:3832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:1536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:2136

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:2872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:3108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
2⤵
PID:2212

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk" /d "0"
2⤵
PID:1892

C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe /C
3⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:3596

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN ouoggut
2⤵
PID:3808

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
MD5
cbb2e1d1db2a66b83c80dd88e6c99871

SHA1
0be82731d14ea5a78974a0ca2570e53e69422fc8

SHA256
253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147

SHA512
9ea53aa6638e9c221e7f46f9b28782819f3808571a4687335e7ae8494ae91daef9ddee485cdf5eee9456df9fd05d9960a35f1e988eb083c5b3308bbd129192bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
MD5
cbb2e1d1db2a66b83c80dd88e6c99871

SHA1
0be82731d14ea5a78974a0ca2570e53e69422fc8

SHA256
253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147

SHA512
9ea53aa6638e9c221e7f46f9b28782819f3808571a4687335e7ae8494ae91daef9ddee485cdf5eee9456df9fd05d9960a35f1e988eb083c5b3308bbd129192bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Udicgk\epebmrn.exe
MD5
cbb2e1d1db2a66b83c80dd88e6c99871

SHA1
0be82731d14ea5a78974a0ca2570e53e69422fc8

SHA256
253f2845c830412e00cda455fb9295454e2ecd414d671d937c042bd14ac81147

SHA512
9ea53aa6638e9c221e7f46f9b28782819f3808571a4687335e7ae8494ae91daef9ddee485cdf5eee9456df9fd05d9960a35f1e988eb083c5b3308bbd129192bf

Download Submit
memory/496-134-0x0000000000000000-mapping.dmp

Download
memory/928-119-0x0000000000000000-mapping.dmp

Download
memory/1200-120-0x0000000000730000-0x000000000087A000-memory.dmp

Filesize
1.3MB

Download
memory/1200-121-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/1496-122-0x0000000000000000-mapping.dmp

Download
memory/1536-125-0x0000000000000000-mapping.dmp

Download
memory/1540-123-0x0000000000000000-mapping.dmp

Download
memory/1892-130-0x0000000000000000-mapping.dmp

Download
memory/1996-139-0x0000000000000000-mapping.dmp

Download
memory/2136-126-0x0000000000000000-mapping.dmp

Download
memory/2212-129-0x0000000000000000-mapping.dmp

Download
memory/2872-127-0x0000000000000000-mapping.dmp

Download
memory/2980-138-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/2980-131-0x0000000000000000-mapping.dmp

Download
memory/3108-128-0x0000000000000000-mapping.dmp

Download
memory/3120-116-0x0000000000000000-mapping.dmp

Download
memory/3120-118-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/3120-117-0x0000000000680000-0x000000000072E000-memory.dmp

Filesize
696KB

Download
memory/3596-136-0x0000000000000000-mapping.dmp

Download
memory/3808-135-0x0000000000000000-mapping.dmp

Download
memory/3832-124-0x0000000000000000-mapping.dmp

Download
memory/3920-115-0x0000000000400000-0x00000000005FB000-memory.dmp

Filesize
2.0MB

Download
memory/3920-114-0x0000000002330000-0x0000000002369000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads