qakbot | eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa

General

Target

eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
Size

502KB
MD5

98ae6e7fbcd391e42a2a36b7bd53f99e
SHA1

9bf453f13814727bb17a3fe2e33de9886c059135
SHA256

eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
SHA512

ff23798583f689fc0a94409ef9fa87447e26f39570a32df2c02cb390ef2828269f9b6bf2a46fb0a8a0f809344d2955a0143ce3776d852282ab8c85b385e4f89e

Score

10^/10

qakbot hhh07 1552409511 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

322.731

Botnet

hhh07

Campaign

1552409511

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

71.80.84.55:443

70.25.63.178:2222

190.120.196.18:443

192.226.157.108:993

76.122.104.20:443

50.247.230.33:443

69.249.141.152:443

69.70.37.246:465

45.50.227.169:995

199.36.199.104:443

66.171.24.252:443

96.20.84.208:443

24.200.91.146:2222

98.225.141.232:443

76.98.158.47:443

74.68.50.163:443

68.59.209.183:995

69.254.30.75:443

78.94.55.26:50003

216.221.73.45:993

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of SetThreadContext 2 IoCs

Processes:

eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exeeeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

description	pid	process
PID 788 set thread context of 0	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
PID 520 set thread context of 0	520	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

676 PING.EXE

pid	process
676	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exeeeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

pid	process
788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
520	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
520	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.execmd.exe

description	pid	process	target process
PID 788 wrote to memory of 520	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
PID 788 wrote to memory of 520	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
PID 788 wrote to memory of 520	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
PID 788 wrote to memory of 520	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
PID 788 wrote to memory of 1344	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	cmd.exe
PID 788 wrote to memory of 1344	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	cmd.exe
PID 788 wrote to memory of 1344	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	cmd.exe
PID 788 wrote to memory of 1344	788	eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe	cmd.exe
PID 1344 wrote to memory of 676	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 676	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 676	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 676	1344	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
"C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe
C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe /C
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-55-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/788-56-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/788-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads