qakbot | 9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c

General

Target

11552-QA-F-CTI.exe
Size

560KB
MD5

10b77750d1d656f0e36f97b88a029c4b
SHA1

3999306417352fc9628d936f5061a37fc8432229
SHA256

9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c
SHA512

18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a

Score

10^/10

qakbot 1571042641 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.91

Campaign

1571042641

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

98.186.90.192:995

2.50.170.151:443

74.194.4.181:443

70.74.159.126:2222

75.70.218.193:443

96.59.11.86:443

168.245.228.71:443

173.22.120.11:2222

71.77.231.251:443

24.184.6.58:2222

108.5.32.66:443

64.19.74.29:995

68.83.59.107:443

104.3.91.20:995

100.4.185.8:443

96.20.238.2:2087

99.228.242.183:995

206.255.212.179:443

50.247.230.33:443

108.55.23.221:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

ohliabod.exeohliabod.exe

pid process

5032 ohliabod.exe
4252 ohliabod.exe

pid	process
5032	ohliabod.exe
4252	ohliabod.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ohliabod.exe11552-QA-F-CTI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	ohliabod.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	ohliabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ohliabod.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	ohliabod.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	ohliabod.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	11552-QA-F-CTI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	11552-QA-F-CTI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	11552-QA-F-CTI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ohliabod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	11552-QA-F-CTI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	11552-QA-F-CTI.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	11552-QA-F-CTI.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4412 schtasks.exe

pid	process
4412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

11552-QA-F-CTI.exe11552-QA-F-CTI.exeohliabod.exeohliabod.exeexplorer.exe

pid	process
2140	11552-QA-F-CTI.exe
2140	11552-QA-F-CTI.exe
4220	11552-QA-F-CTI.exe
4220	11552-QA-F-CTI.exe
4220	11552-QA-F-CTI.exe
4220	11552-QA-F-CTI.exe
5032	ohliabod.exe
5032	ohliabod.exe
4252	ohliabod.exe
4252	ohliabod.exe
4252	ohliabod.exe
4252	ohliabod.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe
3496	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ohliabod.exe

pid process

5032 ohliabod.exe

pid	process
5032	ohliabod.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

11552-QA-F-CTI.exeohliabod.exe

description	pid	process	target process
PID 2140 wrote to memory of 4220	2140	11552-QA-F-CTI.exe	11552-QA-F-CTI.exe
PID 2140 wrote to memory of 4220	2140	11552-QA-F-CTI.exe	11552-QA-F-CTI.exe
PID 2140 wrote to memory of 4220	2140	11552-QA-F-CTI.exe	11552-QA-F-CTI.exe
PID 2140 wrote to memory of 5032	2140	11552-QA-F-CTI.exe	ohliabod.exe
PID 2140 wrote to memory of 5032	2140	11552-QA-F-CTI.exe	ohliabod.exe
PID 2140 wrote to memory of 5032	2140	11552-QA-F-CTI.exe	ohliabod.exe
PID 2140 wrote to memory of 4412	2140	11552-QA-F-CTI.exe	schtasks.exe
PID 2140 wrote to memory of 4412	2140	11552-QA-F-CTI.exe	schtasks.exe
PID 2140 wrote to memory of 4412	2140	11552-QA-F-CTI.exe	schtasks.exe
PID 5032 wrote to memory of 4252	5032	ohliabod.exe	ohliabod.exe
PID 5032 wrote to memory of 4252	5032	ohliabod.exe	ohliabod.exe
PID 5032 wrote to memory of 4252	5032	ohliabod.exe	ohliabod.exe
PID 5032 wrote to memory of 3496	5032	ohliabod.exe	explorer.exe
PID 5032 wrote to memory of 3496	5032	ohliabod.exe	explorer.exe
PID 5032 wrote to memory of 3496	5032	ohliabod.exe	explorer.exe
PID 5032 wrote to memory of 3496	5032	ohliabod.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe
"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe
C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4220

C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe /C
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rzzayfwojf /tr "\"C:\Users\Admin\AppData\Local\Temp\11552-QA-F-CTI.exe\" /I rzzayfwojf" /SC ONCE /Z /ST 08:48 /ET 09:00
2⤵
- Creates scheduled task(s)
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.dat
MD5
31198963f8ea55cb2dcc2641fc758d62

SHA1
ec7804e484f654c09e9f10aaed26511ff7eba378

SHA256
470e745f83a989e8ce0a8ab05e5de9e2a716733ac0284f5617d5d089b5b26142

SHA512
15014ff3cd409bd1922a019de30aa2be5d7b9dd84fb769dc21d50f3b97404703cd21b8a4ff4db49a215aac0906f14709f07cda1a55c99919bb468d8063c30b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
MD5
10b77750d1d656f0e36f97b88a029c4b

SHA1
3999306417352fc9628d936f5061a37fc8432229

SHA256
9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c

SHA512
18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
MD5
10b77750d1d656f0e36f97b88a029c4b

SHA1
3999306417352fc9628d936f5061a37fc8432229

SHA256
9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c

SHA512
18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Klupefxunsuh\ohliabod.exe
MD5
10b77750d1d656f0e36f97b88a029c4b

SHA1
3999306417352fc9628d936f5061a37fc8432229

SHA256
9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c

SHA512
18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a

Download Submit
memory/3496-134-0x0000000001060000-0x00000000010F2000-memory.dmp

Filesize
584KB

Download
memory/3496-135-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads