qakbot | 7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca

General

Target

7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
Size

2.6MB
MD5

14c29c6a94f9b6aa43bbcf586dec1fb9
SHA1

449f2b10320115e98b182204a4376ddc669e1369
SHA256

7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca
SHA512

9b8be89d317e023705f5264b4abe9736ab49c61da12beed65b5e897c6e673b713e1e7980026d670f23e75a6a356bde786df3531b69dc0ccaa2585c0ed04fc0b1

Score

10^/10

qakbot spx145 1592822522 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx145

Campaign

1592822522

C2

79.115.207.120:443

156.213.80.140:443

189.160.203.110:443

71.114.39.220:443

189.236.166.167:443

193.248.44.2:2222

206.51.202.106:50003

24.152.219.253:995

2.50.47.97:2222

108.49.221.180:443

207.246.75.201:443

80.240.26.178:443

199.247.16.80:443

207.255.161.8:2222

69.92.54.95:995

199.247.22.145:443

2.50.171.142:443

24.110.14.40:3389

79.101.130.104:995

94.52.160.116:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1648 PING.EXE
1092 PING.EXE

pid	process
1648	PING.EXE
1092	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe

pid	process
2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
572	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
572	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.execmd.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 572	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
PID 2008 wrote to memory of 572	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
PID 2008 wrote to memory of 572	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
PID 2008 wrote to memory of 572	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
PID 2008 wrote to memory of 1340	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	cmd.exe
PID 2008 wrote to memory of 1340	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	cmd.exe
PID 2008 wrote to memory of 1340	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	cmd.exe
PID 2008 wrote to memory of 1340	2008	7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe	cmd.exe
PID 1340 wrote to memory of 1648	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1648	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1648	1340	cmd.exe	PING.EXE
PID 1340 wrote to memory of 1648	1340	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1092	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1092	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1092	1832	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
"C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe
C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\7d0c24f18bca32543e2cc64b352c7e3e74ec77b2922b66a006ae92238cd01bca.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1648

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\PING.EXE
ping 8.8.8.8
2⤵
- Runs ping.exe
PID:1092

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/608-59-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/2008-54-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2008-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing