qakbot | 1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702

General

Target

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Size

821KB
MD5

7b92d9b8da680f686a1a8c3b06cdc936
SHA1

aaecc58409d6c60ba4ee83c4446f2082814e2aed
SHA256

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702
SHA512

c1de52fd6abb96d69d315f5c1761f534004191f4563e3e9c9b5127142b8758fb110409002a988602e6641123f8bab6fb9589b5f58e444ea4b726dd88355267ec

Score

10^/10

qakbot spx82 1584449336 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.65

Botnet

spx82

Campaign

1584449336

C2

98.213.28.175:443

72.209.191.27:443

100.37.33.10:443

70.62.160.186:6883

104.152.16.45:995

68.174.15.223:443

24.99.180.247:443

72.218.167.183:995

71.77.252.14:2222

104.34.122.18:443

176.205.145.81:995

73.163.242.114:443

73.214.231.2:443

83.66.111.85:443

35.142.24.147:2222

67.250.184.157:443

41.228.55.118:443

65.131.79.162:995

137.99.224.198:443

100.33.132.135:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1760 PING.EXE

pid	process
1760	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

pid	process
3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
1460	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.execmd.exe

description	pid	process	target process
PID 3828 wrote to memory of 1460	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 1460	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 1460	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
PID 3828 wrote to memory of 3288	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	cmd.exe
PID 3828 wrote to memory of 3288	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	cmd.exe
PID 3828 wrote to memory of 3288	3828	1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe	cmd.exe
PID 3288 wrote to memory of 1760	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 1760	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 1760	3288	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
"C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe
C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1755e3f11115ab622f5f791a7e9edd84db4a99ce8f4eb76eb3e3ece910c6f702.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1760

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4c39fea2df10d319a2fb03aa4328f384 6Eo/quQvI0GfXKhB/KjJeQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-132-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3828-130-0x00000000020C0000-0x00000000020F9000-memory.dmp

Filesize
228KB

Download
memory/3828-131-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads