qakbot | 1419ea24a80726cf8a5ff762f57be4cad2c8adc1711ea4868370b65fd191c80c

Analysis

max time kernel
133s
max time network
115s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa990d7864b3bd6c80718c7e86e00ba.exe
Size

4.0MB
MD5

5aa990d7864b3bd6c80718c7e86e00ba
SHA1

862091d41bb5ecbba19b9d657811254e322a4825
SHA256

88d89e9a3eb88b44e9109185f880eccc5ecb2ed1df906db25677e18ebaff1f47
SHA512

0055808e6d742825edc96114fa91162b0d068de859b1d98f30a480f43f380e93a3a0ddc1ae19b4958a7be6a365b632d4ed81b2725992934b8fdf3bedcf99ddc1

Score

10^/10

qakbot domain01 1597161528 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

domain01

Campaign

1597161528

96.227.127.13:443

197.37.252.37:993

95.221.48.169:2222

72.190.101.70:443

47.39.76.74:443

207.255.18.67:443

108.46.145.30:443

142.117.109.129:2222

176.205.255.97:443

2.89.74.34:995

98.219.77.197:443

75.110.250.89:995

47.28.131.209:443

47.18.252.135:2222

66.30.92.147:443

188.51.3.210:995

83.110.92.29:443

68.225.56.31:443

189.183.72.138:995

98.121.187.78:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\bkcejrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Eovre\\sxbglh.exe\""	5aa990d7864b3bd6c80718c7e86e00ba.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	5aa990d7864b3bd6c80718c7e86e00ba.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	5aa990d7864b3bd6c80718c7e86e00ba.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	5aa990d7864b3bd6c80718c7e86e00ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	5aa990d7864b3bd6c80718c7e86e00ba.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	5aa990d7864b3bd6c80718c7e86e00ba.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	5aa990d7864b3bd6c80718c7e86e00ba.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4044 schtasks.exe

pid	process
4044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.exe5aa990d7864b3bd6c80718c7e86e00ba.exe

pid	process
1016	5aa990d7864b3bd6c80718c7e86e00ba.exe
1016	5aa990d7864b3bd6c80718c7e86e00ba.exe
2152	5aa990d7864b3bd6c80718c7e86e00ba.exe
2152	5aa990d7864b3bd6c80718c7e86e00ba.exe
2152	5aa990d7864b3bd6c80718c7e86e00ba.exe
2152	5aa990d7864b3bd6c80718c7e86e00ba.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5aa990d7864b3bd6c80718c7e86e00ba.exe

description	pid	process	target process
PID 1016 wrote to memory of 2152	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 1016 wrote to memory of 2152	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 1016 wrote to memory of 2152	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	5aa990d7864b3bd6c80718c7e86e00ba.exe
PID 1016 wrote to memory of 4044	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	schtasks.exe
PID 1016 wrote to memory of 4044	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	schtasks.exe
PID 1016 wrote to memory of 4044	1016	5aa990d7864b3bd6c80718c7e86e00ba.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
"C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn snriofidiu /tr "\"C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe\" /I snriofidiu" /SC ONCE /Z /ST 12:33 /ET 12:45
2⤵
- Creates scheduled task(s)
PID:4044

C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe
C:\Users\Admin\AppData\Local\Temp\5aa990d7864b3bd6c80718c7e86e00ba.exe /I snriofidiu
1⤵
PID:1240

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-114-0x00000000024A0000-0x000000000251C000-memory.dmp

Filesize
496KB

Download
memory/1016-115-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/2152-116-0x0000000000000000-mapping.dmp

Download
memory/2152-118-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/4044-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads