qakbot | 1419ea24a80726cf8a5ff762f57be4cad2c8adc1711ea4868370b65fd191c80c

Analysis

max time kernel
42s
max time network
17s
platform
windows7_x64
resource
win7v20210408
submitted
07-05-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa990d7864b3bd6c80718c7e86e00ba.exe
Size

4.0MB
MD5

5aa990d7864b3bd6c80718c7e86e00ba
SHA1

862091d41bb5ecbba19b9d657811254e322a4825
SHA256

88d89e9a3eb88b44e9109185f880eccc5ecb2ed1df906db25677e18ebaff1f47
SHA512

0055808e6d742825edc96114fa91162b0d068de859b1d98f30a480f43f380e93a3a0ddc1ae19b4958a7be6a365b632d4ed81b2725992934b8fdf3bedcf99ddc1

Score

10^/10

qakbot domain01 1597161528 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

domain01

Campaign

1597161528

96.227.127.13:443

197.37.252.37:993

95.221.48.169:2222

72.190.101.70:443

47.39.76.74:443

207.255.18.67:443

108.46.145.30:443

142.117.109.129:2222

176.205.255.97:443

2.89.74.34:995

98.219.77.197:443

75.110.250.89:995

47.28.131.209:443

47.18.252.135:2222

66.30.92.147:443

188.51.3.210:995

83.110.92.29:443

68.225.56.31:443

189.183.72.138:995

98.121.187.78:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

552 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.exe5aa990d7864b3bd6c80718c7e86e00ba.exe

pid process

2004 5aa990d7864b3bd6c80718c7e86e00ba.exe
296 5aa990d7864b3bd6c80718c7e86e00ba.exe
296 5aa990d7864b3bd6c80718c7e86e00ba.exe

pid	process
552	PING.EXE

pid	process
2004	5aa990d7864b3bd6c80718c7e86e00ba.exe
296	5aa990d7864b3bd6c80718c7e86e00ba.exe
296	5aa990d7864b3bd6c80718c7e86e00ba.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 296	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 2004 wrote to memory of 296	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 2004 wrote to memory of 296	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 2004 wrote to memory of 296	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 2004 wrote to memory of 368	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	cmd.exe
PID 2004 wrote to memory of 368	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	cmd.exe
PID 2004 wrote to memory of 368	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	cmd.exe
PID 2004 wrote to memory of 368	2004	5aa990d7864b3bd6c80718c7e86e00ba.exe	cmd.exe
PID 368 wrote to memory of 552	368	cmd.exe	PING.EXE
PID 368 wrote to memory of 552	368	cmd.exe	PING.EXE
PID 368 wrote to memory of 552	368	cmd.exe	PING.EXE
PID 368 wrote to memory of 552	368	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
"C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-63-0x0000000000000000-mapping.dmp

Download
memory/368-67-0x0000000000000000-mapping.dmp

Download
memory/552-68-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/2004-62-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/2004-61-0x0000000000220000-0x000000000029C000-memory.dmp

Filesize
496KB

Download