qakbot | 1419ea24a80726cf8a5ff762f57be4cad2c8adc1711ea4868370b65fd191c80c

Analysis

max time kernel
15s
max time network
13s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005cdb34748048c41a3c57ba7358986d.exe
Size

269KB
MD5

005cdb34748048c41a3c57ba7358986d
SHA1

ec91c6e7952ae2c831f97da198f2dfbc6f9b3166
SHA256

9b40c9513cae3bebcbe6cf7e9c85a6c4d6986482a5f889f50c1e891e246bec8c
SHA512

0a689c270d45d9b978ae0ac4fd3d9349660295eb78b22205efd09097c82de2c8afd9b598ba3f0b9e65dfdef8c69eefb46a68d15f52d3159b538cdd7d03099027

Score

10^/10

qakbot domain01 1602007616 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

domain01

Campaign

1602007616

77.27.174.49:995

68.14.210.246:22

208.93.202.49:443

50.244.112.106:443

173.44.112.112:443

184.98.103.204:995

72.204.242.138:20

96.18.240.158:443

93.149.253.201:2222

72.186.1.237:443

89.176.37.202:995

5.12.255.109:443

75.136.40.155:443

23.240.70.80:443

67.170.137.8:443

173.22.125.129:2222

71.80.66.107:443

189.222.203.96:443

96.243.35.201:443

201.103.0.150:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

772 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

005cdb34748048c41a3c57ba7358986d.exe005cdb34748048c41a3c57ba7358986d.exe

pid process

2004 005cdb34748048c41a3c57ba7358986d.exe
1080 005cdb34748048c41a3c57ba7358986d.exe
1080 005cdb34748048c41a3c57ba7358986d.exe

pid	process
772	PING.EXE

pid	process
2004	005cdb34748048c41a3c57ba7358986d.exe
1080	005cdb34748048c41a3c57ba7358986d.exe
1080	005cdb34748048c41a3c57ba7358986d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

005cdb34748048c41a3c57ba7358986d.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1080	2004	005cdb34748048c41a3c57ba7358986d.exe	005cdb34748048c41a3c57ba7358986d.exe
PID 2004 wrote to memory of 1080	2004	005cdb34748048c41a3c57ba7358986d.exe	005cdb34748048c41a3c57ba7358986d.exe
PID 2004 wrote to memory of 1080	2004	005cdb34748048c41a3c57ba7358986d.exe	005cdb34748048c41a3c57ba7358986d.exe
PID 2004 wrote to memory of 1080	2004	005cdb34748048c41a3c57ba7358986d.exe	005cdb34748048c41a3c57ba7358986d.exe
PID 2004 wrote to memory of 1920	2004	005cdb34748048c41a3c57ba7358986d.exe	cmd.exe
PID 2004 wrote to memory of 1920	2004	005cdb34748048c41a3c57ba7358986d.exe	cmd.exe
PID 2004 wrote to memory of 1920	2004	005cdb34748048c41a3c57ba7358986d.exe	cmd.exe
PID 2004 wrote to memory of 1920	2004	005cdb34748048c41a3c57ba7358986d.exe	cmd.exe
PID 1920 wrote to memory of 772	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 772	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 772	1920	cmd.exe	PING.EXE
PID 1920 wrote to memory of 772	1920	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\005cdb34748048c41a3c57ba7358986d.exe
"C:\Users\Admin\AppData\Local\Temp\005cdb34748048c41a3c57ba7358986d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\005cdb34748048c41a3c57ba7358986d.exe
C:\Users\Admin\AppData\Local\Temp\005cdb34748048c41a3c57ba7358986d.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\005cdb34748048c41a3c57ba7358986d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:772

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-68-0x0000000000000000-mapping.dmp

Download
memory/1080-63-0x0000000000000000-mapping.dmp

Download
memory/1920-67-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2004-62-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download