qakbot | 9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43

General

Target

9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
Size

2.1MB
MD5

0c13ed40d1f23ab07e8e865ba5940a5c
SHA1

ddfa12a3e648dbd0fd60f60f0ff0f0d944308d92
SHA256

9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43
SHA512

146b060d9dc02c2b663aef39dd8384c5960fb9bfbceeb52b8921ff531975486dbdcd54baddcad55e9f901741c424aba90360401d8c91429906af36ac4f2eaebf

Score

10^/10

qakbot spx89 1585917777 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.75

Botnet

spx89

Campaign

1585917777

C2

66.44.96.184:443

185.145.113.249:443

87.65.204.240:995

68.174.9.179:443

97.127.144.203:2222

76.180.69.236:443

24.234.86.201:995

188.173.185.139:443

83.25.10.201:2222

93.114.115.146:443

24.201.79.208:2078

65.116.179.83:443

5.70.173.217:443

207.155.106.187:443

5.14.187.133:443

73.163.242.114:443

84.117.60.157:443

90.192.191.3:443

100.33.132.135:443

96.232.203.15:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1740 PING.EXE

pid	process
1740	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe

pid	process
1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
1396	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
1396	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.execmd.exe

description	pid	process	target process
PID 1216 wrote to memory of 1396	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
PID 1216 wrote to memory of 1396	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
PID 1216 wrote to memory of 1396	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
PID 1216 wrote to memory of 1396	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
PID 1216 wrote to memory of 1548	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	cmd.exe
PID 1216 wrote to memory of 1548	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	cmd.exe
PID 1216 wrote to memory of 1548	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	cmd.exe
PID 1216 wrote to memory of 1548	1216	9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe	cmd.exe
PID 1548 wrote to memory of 1740	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1740	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1740	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 1740	1548	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
"C:\Users\Admin\AppData\Local\Temp\9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe
C:\Users\Admin\AppData\Local\Temp\9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\9ceac97816e90e7c5922dce12954dcc9c34d6542dbe06cf766db55b366fefb43.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-53-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1216-54-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1216-56-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download
memory/1396-57-0x0000000000400000-0x0000000000618000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing