qakbot | 83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c

General

Target

83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
Size

1.9MB
MD5

36b8590b8c9bf98ebed5d66094a2a627
SHA1

48a545da79bb4e166e28729c6658dc1e8cae1e9f
SHA256

83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c
SHA512

3ad407dc6f9e52fbb28f60b8e848c1de060c67a96b046f4d16c743ae0d9cb37423fb3f9d2d5119344b18e18ae4a094fe7e9dd485183b80059f5209c2cb3fdb68

Score

10^/10

qakbot spx85 1585299593 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.70

Botnet

spx85

Campaign

1585299593

C2

185.219.83.73:443

199.241.223.66:443

79.113.219.121:443

35.142.24.147:2222

71.68.197.202:995

50.108.212.180:443

47.153.115.154:995

108.227.161.27:995

47.136.224.60:443

65.30.12.240:443

79.114.194.106:443

209.137.209.163:995

5.12.213.152:2222

187.155.57.154:443

173.184.96.161:443

174.82.131.155:995

81.135.233.169:8443

173.172.205.216:443

71.233.73.222:995

208.126.142.17:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1228 PING.EXE

pid	process
1228	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe

pid	process
956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
1744	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
1744	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 1744	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
PID 956 wrote to memory of 1744	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
PID 956 wrote to memory of 1744	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
PID 956 wrote to memory of 1744	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
PID 956 wrote to memory of 736	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	cmd.exe
PID 956 wrote to memory of 736	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	cmd.exe
PID 956 wrote to memory of 736	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	cmd.exe
PID 956 wrote to memory of 736	956	83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe	cmd.exe
PID 736 wrote to memory of 1228	736	cmd.exe	PING.EXE
PID 736 wrote to memory of 1228	736	cmd.exe	PING.EXE
PID 736 wrote to memory of 1228	736	cmd.exe	PING.EXE
PID 736 wrote to memory of 1228	736	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
"C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe
C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\83edda1d0bffaf8fabaa6863aaa48630661ba064b7e497a4f1f0c41b22982b9c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/956-56-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/956-58-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1744-59-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing