qakbot | 1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74

General

Target

1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Size

2.3MB
MD5

5456ec2fa2f4a0c63df8111e41cf3462
SHA1

d9784a94b622e7d481f2787605ca3c569eb73b31
SHA256

1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74
SHA512

ab6b22e74a51b747ab93192e6af985c025b03be3283e49a676d76ddc6fd17d5ed079707744627a1954c46ab2d4e0fc9355750c6f437c0016be296d99662ae801

Score

10^/10

qakbot spx96 1586873043 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx96

Campaign

1586873043

C2

72.209.191.27:443

173.22.120.11:2222

108.227.161.27:995

172.87.134.226:443

181.197.195.138:995

98.21.52.194:443

76.180.69.236:443

68.98.142.248:443

68.52.164.175:443

39.59.63.142:995

35.142.126.181:443

96.35.170.82:2222

75.111.145.5:443

47.214.144.253:443

74.105.139.160:443

67.8.103.21:443

50.108.212.180:443

83.25.7.201:2222

188.25.237.208:443

184.167.2.251:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

360 PING.EXE

pid	process
360	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe

pid	process
4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
768	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
768	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
768	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
768	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 768	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
PID 4056 wrote to memory of 768	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
PID 4056 wrote to memory of 768	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
PID 4056 wrote to memory of 2744	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	cmd.exe
PID 4056 wrote to memory of 2744	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	cmd.exe
PID 4056 wrote to memory of 2744	4056	1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe	cmd.exe
PID 2744 wrote to memory of 360	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 360	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 360	2744	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
"C:\Users\Admin\AppData\Local\Temp\1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe
  C:\Users\Admin\AppData\Local\Temp\1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe /C
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1442744d1980ad214b64c152b482c9f82e869cb4540495df5bb2248de0cbad74.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-120-0x0000000000000000-mapping.dmp

Download
memory/768-116-0x0000000000000000-mapping.dmp

Download
memory/768-118-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2744-119-0x0000000000000000-mapping.dmp

Download
memory/4056-114-0x0000000002230000-0x0000000002269000-memory.dmp

Filesize
228KB

Download
memory/4056-115-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads