qakbot | c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56

General

Target

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
Size

2.3MB
MD5

a3e677d1495f9e379a2cfc313be21440
SHA1

881a9bf890d9a9e4ce838220afce3bba95ad561f
SHA256

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56
SHA512

c3a1d5770fd8d301928bfc61e0bfb2a55cd37c5a12d192a3dc384ba215502a192eec2b192382e04dc2179a772916c39d8fe18a70ef7a9a909a29027429856d25

Score

10^/10

qakbot spx102 1587561129 banker cryptone evasion packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx102

Campaign

1587561129

C2

68.1.171.93:443

98.213.28.175:443

31.5.189.71:443

75.81.25.223:995

86.106.126.91:443

216.201.162.158:443

80.14.209.42:2222

86.122.254.67:2222

98.26.50.62:995

197.166.90.151:443

71.58.21.235:443

78.96.177.188:443

73.137.187.150:443

188.173.185.139:443

46.214.136.6:443

86.124.227.238:443

104.36.135.227:443

76.111.128.194:443

81.245.66.237:995

71.220.222.169:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Cknptpxzmvh\qeciaa.exe	cryptone

Drops startup file 1 IoCs

Processes:

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qeciaa.lnk	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

Loads dropped DLL 1 IoCs

Processes:

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

pid process

1200 c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1664 schtasks.exe

pid	process
1664	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

856 PING.EXE

pid	process
856	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exec40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exec40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

pid	process
1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
1080	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
1080	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exetaskeng.exec40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 1080	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 1200 wrote to memory of 1080	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 1200 wrote to memory of 1080	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 1200 wrote to memory of 1080	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 1200 wrote to memory of 1664	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1200 wrote to memory of 1664	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1200 wrote to memory of 1664	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1200 wrote to memory of 1664	1200	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 556 wrote to memory of 1408	556	taskeng.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 556 wrote to memory of 1408	556	taskeng.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 556 wrote to memory of 1408	556	taskeng.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 556 wrote to memory of 1408	556	taskeng.exe	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
PID 1408 wrote to memory of 1552	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1552	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1552	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1552	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 812	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 812	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 812	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 812	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1484	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1484	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1484	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1484	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 392	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 392	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 392	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 392	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1604	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1604	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1604	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1604	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1640	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1640	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1640	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1640	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1044	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1044	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1044	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1044	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 276	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 276	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 276	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 276	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	reg.exe
PID 1408 wrote to memory of 1448	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	cmd.exe
PID 1408 wrote to memory of 1448	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	cmd.exe
PID 1408 wrote to memory of 1448	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	cmd.exe
PID 1408 wrote to memory of 1448	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	cmd.exe
PID 1408 wrote to memory of 1304	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1408 wrote to memory of 1304	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1408 wrote to memory of 1304	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1408 wrote to memory of 1304	1408	c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe	schtasks.exe
PID 1448 wrote to memory of 856	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 856	1448	cmd.exe	PING.EXE
PID 1448 wrote to memory of 856	1448	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
"C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xrnaszjeb /tr "\"C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe\" /I xrnaszjeb" /SC ONCE /Z /ST 10:28 /ET 10:40
2⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {55F40939-8A92-4D82-9635-5FC837D12662} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe
C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe /I xrnaszjeb
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:812

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1484

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1640

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1044

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:276

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN xrnaszjeb
3⤵
PID:1304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:856

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Cknptpxzmvh\qeciaa.exe
MD5
a3e677d1495f9e379a2cfc313be21440

SHA1
881a9bf890d9a9e4ce838220afce3bba95ad561f

SHA256
c40644540e6a8fa57f5c4d2c0fadc246cfe30d42cfe090effeb4999210c18d56

SHA512
c3a1d5770fd8d301928bfc61e0bfb2a55cd37c5a12d192a3dc384ba215502a192eec2b192382e04dc2179a772916c39d8fe18a70ef7a9a909a29027429856d25

Download Submit
memory/1080-58-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1200-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1200-55-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1200-56-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1408-61-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads