qakbot | 6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062

General

Target

6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
Size

292KB
MD5

2c16d6151ed74fb8373332f46cd662f3
SHA1

1c2c141e1f03602532c5645cfa1b52415cf86f0f
SHA256

6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062
SHA512

f70e5d46dee197ad7c1a78bf58aa22ebd4a566560a569772994c538d3b751042502676c8b20b738b67fbe750409d68c99dc581a7bce3639739cc6ae667d01671

Score

10^/10

qakbot banker stealer trojan

Malware Config

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

576 PING.EXE

pid	process
576	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe

pid	process
980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
1180	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
1180	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 1180	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
PID 980 wrote to memory of 1180	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
PID 980 wrote to memory of 1180	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
PID 980 wrote to memory of 1180	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
PID 980 wrote to memory of 268	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	cmd.exe
PID 980 wrote to memory of 268	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	cmd.exe
PID 980 wrote to memory of 268	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	cmd.exe
PID 980 wrote to memory of 268	980	6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe	cmd.exe
PID 268 wrote to memory of 576	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 576	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 576	268	cmd.exe	PING.EXE
PID 268 wrote to memory of 576	268	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
"C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe
C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6ba5e92feaecf649febb0490b9db3ccd78f0460c306b635ba10a4f19a84c0062.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-53-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing