qakbot | c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07

General

Target

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
Size

2.3MB
MD5

463a5753d69ef09b1cab76b94f0e4c38
SHA1

e09afac5154e6b42f037e2dab8fab5666eba9be4
SHA256

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07
SHA512

076509e61b460e270bfd142bd5498cf594b393728eaa719f0dfbcb17ab05e55c0093c46017d91aa5582c067f0117ab63df600c41740f1c8bde9b1d3171492de5

Score

10^/10

qakbot spx97 1586971769 banker cryptone evasion packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx97

Campaign

1586971769

C2

72.214.55.147:995

78.96.64.230:443

100.38.123.22:443

47.205.231.60:443

185.145.113.249:443

72.16.212.107:465

94.52.124.226:443

72.255.200.69:2222

73.56.2.167:443

67.249.222.14:443

71.58.21.235:443

79.113.193.29:443

96.35.170.82:2222

76.111.128.194:443

181.126.86.223:443

67.209.195.198:3389

47.146.169.85:443

47.39.76.74:443

67.131.59.17:443

71.11.209.101:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Exbisaovli\pxucuapf.exe	cryptone

Drops startup file 1 IoCs

Processes:

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\pxucuapf.lnk	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

Loads dropped DLL 1 IoCs

Processes:

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

pid process

1628 c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1716 schtasks.exe

pid	process
1716	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1680 PING.EXE

pid	process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exec20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exec20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

pid	process
1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
1252	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
1252	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exetaskeng.exec20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 1252	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1628 wrote to memory of 1252	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1628 wrote to memory of 1252	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1628 wrote to memory of 1252	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1628 wrote to memory of 1716	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1628 wrote to memory of 1716	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1628 wrote to memory of 1716	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1628 wrote to memory of 1716	1628	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1408 wrote to memory of 1388	1408	taskeng.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1408 wrote to memory of 1388	1408	taskeng.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1408 wrote to memory of 1388	1408	taskeng.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1408 wrote to memory of 1388	1408	taskeng.exe	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
PID 1388 wrote to memory of 628	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 628	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 628	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 628	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1560	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1560	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1560	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1560	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 2028	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 2028	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 2028	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 2028	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1944	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1944	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1944	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1944	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1820	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1820	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1820	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1820	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1160	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1160	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1160	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1160	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1624	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1624	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1624	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1624	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1520	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1520	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1520	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1520	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	reg.exe
PID 1388 wrote to memory of 1660	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	cmd.exe
PID 1388 wrote to memory of 1660	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	cmd.exe
PID 1388 wrote to memory of 1660	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	cmd.exe
PID 1388 wrote to memory of 1660	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	cmd.exe
PID 1388 wrote to memory of 304	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1388 wrote to memory of 304	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1388 wrote to memory of 304	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1388 wrote to memory of 304	1388	c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe	schtasks.exe
PID 1660 wrote to memory of 1680	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1680	1660	cmd.exe	PING.EXE
PID 1660 wrote to memory of 1680	1660	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
"C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn sbplkcan /tr "\"C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe\" /I sbplkcan" /SC ONCE /Z /ST 10:34 /ET 10:46
2⤵
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\taskeng.exe
taskeng.exe {BD421E51-0C8D-494B-B768-9C32509FAA31} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe
C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe /I sbplkcan
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:628

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:2028

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:1624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
3⤵
PID:1520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
PID:1680

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN sbplkcan
3⤵
PID:304

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Disabling Security Tools

1

T1089

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Exbisaovli\pxucuapf.exe
MD5
463a5753d69ef09b1cab76b94f0e4c38

SHA1
e09afac5154e6b42f037e2dab8fab5666eba9be4

SHA256
c20dc2c71d2e44b1a8f469fff690855fffb1c14092d383ce19eef8c8ae9eaa07

SHA512
076509e61b460e270bfd142bd5498cf594b393728eaa719f0dfbcb17ab05e55c0093c46017d91aa5582c067f0117ab63df600c41740f1c8bde9b1d3171492de5

Download Submit
memory/1252-57-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1388-60-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1628-53-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1628-54-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1628-56-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads