qakbot | 1419ea24a80726cf8a5ff762f57be4cad2c8adc1711ea4868370b65fd191c80c

Analysis

max time kernel
133s
max time network
116s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d60ef2d7cb084878cdcccd63b4df50b.exe
Size

4.1MB
MD5

5d60ef2d7cb084878cdcccd63b4df50b
SHA1

afff6fe7ebe180d393355ba9cd23a1f3a61efbc0
SHA256

daa9ddf216de176801e3a77b3f7a33691d92e2ab70e9f1c1aecebab6d21b1192
SHA512

232cec403902ffcc3078aedc65777adb8e6baea4dad099515ddd069bf1a7f479fcd9cf209dcd335a16d0e0a1e181e12e3c3462de3872a4011f93132ddac2f2eb

Score

10^/10

qakbot domain01 1602007616 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

domain01

Campaign

1602007616

77.27.174.49:995

68.14.210.246:22

208.93.202.49:443

50.244.112.106:443

173.44.112.112:443

184.98.103.204:995

72.204.242.138:20

96.18.240.158:443

93.149.253.201:2222

72.186.1.237:443

89.176.37.202:995

5.12.255.109:443

75.136.40.155:443

23.240.70.80:443

67.170.137.8:443

173.22.125.129:2222

71.80.66.107:443

189.222.203.96:443

96.243.35.201:443

201.103.0.150:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5d60ef2d7cb084878cdcccd63b4df50b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtzzxsi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cxyquk\\oflvikl.exe\""	5d60ef2d7cb084878cdcccd63b4df50b.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5d60ef2d7cb084878cdcccd63b4df50b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	5d60ef2d7cb084878cdcccd63b4df50b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	5d60ef2d7cb084878cdcccd63b4df50b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	5d60ef2d7cb084878cdcccd63b4df50b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	5d60ef2d7cb084878cdcccd63b4df50b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	5d60ef2d7cb084878cdcccd63b4df50b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	5d60ef2d7cb084878cdcccd63b4df50b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4036 schtasks.exe

pid	process
4036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5d60ef2d7cb084878cdcccd63b4df50b.exe5d60ef2d7cb084878cdcccd63b4df50b.exe

pid	process
416	5d60ef2d7cb084878cdcccd63b4df50b.exe
416	5d60ef2d7cb084878cdcccd63b4df50b.exe
1296	5d60ef2d7cb084878cdcccd63b4df50b.exe
1296	5d60ef2d7cb084878cdcccd63b4df50b.exe
1296	5d60ef2d7cb084878cdcccd63b4df50b.exe
1296	5d60ef2d7cb084878cdcccd63b4df50b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d60ef2d7cb084878cdcccd63b4df50b.exe

description	pid	process	target process
PID 416 wrote to memory of 1296	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	5d60ef2d7cb084878cdcccd63b4df50b.exe
PID 416 wrote to memory of 1296	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	5d60ef2d7cb084878cdcccd63b4df50b.exe
PID 416 wrote to memory of 1296	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	5d60ef2d7cb084878cdcccd63b4df50b.exe
PID 416 wrote to memory of 4036	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	schtasks.exe
PID 416 wrote to memory of 4036	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	schtasks.exe
PID 416 wrote to memory of 4036	416	5d60ef2d7cb084878cdcccd63b4df50b.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe
"C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe
C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xljuvbmivq /tr "\"C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe\" /I xljuvbmivq" /SC ONCE /Z /ST 12:33 /ET 12:45
2⤵
- Creates scheduled task(s)
PID:4036

C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe
C:\Users\Admin\AppData\Local\Temp\5d60ef2d7cb084878cdcccd63b4df50b.exe /I xljuvbmivq
1⤵
PID:3516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-114-0x0000000000940000-0x0000000000A8A000-memory.dmp

Filesize
1.3MB

Download
memory/416-115-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1296-116-0x0000000000000000-mapping.dmp

Download
memory/1296-118-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1296-117-0x0000000002450000-0x00000000024CC000-memory.dmp

Filesize
496KB

Download
memory/4036-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads