qakbot | 1419ea24a80726cf8a5ff762f57be4cad2c8adc1711ea4868370b65fd191c80c

Analysis

max time kernel
123s
max time network
125s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4568b57ad46502fe4740a6ec3282a874.exe
Size

491KB
MD5

4568b57ad46502fe4740a6ec3282a874
SHA1

bed4802d8f6ec52c5e6a9215d78e0632d2ac11a0
SHA256

b5a90a7357ddd95c88a6f042f9a5b9d388ce936df393987a565209a140046905
SHA512

c704d8f493c653e6573172a3763a1186a30092e0534a677583b6b901d1599ed181c8c199e4a9f1e59bb82296ce8c9fa273df39ec819ba6da0e45dba508942a47

Score

10^/10

qakbot domain01 1591171636 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

domain01

Campaign

1591171636

67.165.206.193:995

173.187.103.35:443

47.153.115.154:443

188.192.75.8:995

47.40.244.237:443

142.129.227.86:443

39.36.14.99:995

45.77.164.175:443

71.241.247.189:443

103.76.160.110:443

117.192.100.60:443

207.246.71.122:443

144.202.48.107:443

93.118.221.117:443

45.77.215.141:443

71.185.60.227:443

178.86.244.141:443

72.204.242.138:53

47.41.3.40:443

24.202.42.48:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1676 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

4568b57ad46502fe4740a6ec3282a874.exe4568b57ad46502fe4740a6ec3282a874.exe

pid process

1852 4568b57ad46502fe4740a6ec3282a874.exe
820 4568b57ad46502fe4740a6ec3282a874.exe
820 4568b57ad46502fe4740a6ec3282a874.exe

pid	process
1676	PING.EXE

pid	process
1852	4568b57ad46502fe4740a6ec3282a874.exe
820	4568b57ad46502fe4740a6ec3282a874.exe
820	4568b57ad46502fe4740a6ec3282a874.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4568b57ad46502fe4740a6ec3282a874.execmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 820	1852	4568b57ad46502fe4740a6ec3282a874.exe	4568b57ad46502fe4740a6ec3282a874.exe
PID 1852 wrote to memory of 820	1852	4568b57ad46502fe4740a6ec3282a874.exe	4568b57ad46502fe4740a6ec3282a874.exe
PID 1852 wrote to memory of 820	1852	4568b57ad46502fe4740a6ec3282a874.exe	4568b57ad46502fe4740a6ec3282a874.exe
PID 1852 wrote to memory of 820	1852	4568b57ad46502fe4740a6ec3282a874.exe	4568b57ad46502fe4740a6ec3282a874.exe
PID 1852 wrote to memory of 752	1852	4568b57ad46502fe4740a6ec3282a874.exe	cmd.exe
PID 1852 wrote to memory of 752	1852	4568b57ad46502fe4740a6ec3282a874.exe	cmd.exe
PID 1852 wrote to memory of 752	1852	4568b57ad46502fe4740a6ec3282a874.exe	cmd.exe
PID 1852 wrote to memory of 752	1852	4568b57ad46502fe4740a6ec3282a874.exe	cmd.exe
PID 752 wrote to memory of 1676	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 1676	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 1676	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 1676	752	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\4568b57ad46502fe4740a6ec3282a874.exe
"C:\Users\Admin\AppData\Local\Temp\4568b57ad46502fe4740a6ec3282a874.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\4568b57ad46502fe4740a6ec3282a874.exe
C:\Users\Admin\AppData\Local\Temp\4568b57ad46502fe4740a6ec3282a874.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\4568b57ad46502fe4740a6ec3282a874.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-67-0x0000000000000000-mapping.dmp

Download
memory/820-63-0x0000000000000000-mapping.dmp

Download
memory/820-66-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1676-68-0x0000000000000000-mapping.dmp

Download
memory/1852-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1852-61-0x00000000001B0000-0x00000000001E7000-memory.dmp

Filesize
220KB

Download
memory/1852-62-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download