qakbot | 7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3

General

Target

7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Size

2.3MB
MD5

887ed3aea3e86ac235bcf263a521d35c
SHA1

a18256191236cfa1b2030554aeb9ad563ac0b427
SHA256

7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3
SHA512

11610f66a64f8e0d480aa3d15f902519a8fc610d98d13cb971cce42b9da209ce455b38713263b840b8b24f66c53d16dd0f2d9cf2497fe768aac8af0032c0a4b6

Score

10^/10

qakbot spx96 1586873043 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx96

Campaign

1586873043

C2

72.209.191.27:443

173.22.120.11:2222

108.227.161.27:995

172.87.134.226:443

181.197.195.138:995

98.21.52.194:443

76.180.69.236:443

68.98.142.248:443

68.52.164.175:443

39.59.63.142:995

35.142.126.181:443

96.35.170.82:2222

75.111.145.5:443

47.214.144.253:443

74.105.139.160:443

67.8.103.21:443

50.108.212.180:443

83.25.7.201:2222

188.25.237.208:443

184.167.2.251:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2880 PING.EXE

pid	process
2880	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe

pid	process
620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
3132	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
3132	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
3132	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
3132	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.execmd.exe

description	pid	process	target process
PID 620 wrote to memory of 3132	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
PID 620 wrote to memory of 3132	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
PID 620 wrote to memory of 3132	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
PID 620 wrote to memory of 980	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	cmd.exe
PID 620 wrote to memory of 980	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	cmd.exe
PID 620 wrote to memory of 980	620	7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe	cmd.exe
PID 980 wrote to memory of 2880	980	cmd.exe	PING.EXE
PID 980 wrote to memory of 2880	980	cmd.exe	PING.EXE
PID 980 wrote to memory of 2880	980	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
"C:\Users\Admin\AppData\Local\Temp\7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe
C:\Users\Admin\AppData\Local\Temp\7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7d6abea1558c05f9be789478d9c4ae54507ce48cb748c887dc260c29194faad3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-114-0x0000000000700000-0x000000000084A000-memory.dmp

Filesize
1.3MB

Download
memory/620-115-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/980-119-0x0000000000000000-mapping.dmp

Download
memory/2880-120-0x0000000000000000-mapping.dmp

Download
memory/3132-116-0x0000000000000000-mapping.dmp

Download
memory/3132-118-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/3132-117-0x0000000000980000-0x00000000009B9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads