qakbot | c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb

General

Target

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Size

339KB
MD5

a33f67b122a1492a5a4849ca59d5d8a9
SHA1

905617ad60f635ed917b0ce3bc286170c2fb953f
SHA256

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb
SHA512

c141925f7632ae43d18489a77bd93888d820f7823be1ad0f0d00f34865f318bceddf6450af43696c97ef54979288281f050f81f006528e9806bc232c201e3a24

Score

10^/10

qakbot abc027 1604574287 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.59

Botnet

abc027

Campaign

1604574287

C2

93.86.252.177:995

184.98.97.227:995

188.25.24.21:2222

1.54.190.204:443

89.137.211.239:443

78.101.234.58:443

41.206.131.166:443

87.27.110.90:2222

47.44.217.98:443

197.45.110.165:995

217.133.54.140:32100

41.97.170.119:443

185.246.9.69:995

90.53.232.130:2222

72.186.1.237:443

144.139.230.139:443

86.164.27.33:2222

185.105.131.233:443

90.146.209.224:2222

108.46.145.30:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tljpxsyk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Eovogtu\\aeataxc.exe\""	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3436 schtasks.exe

pid	process
3436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exec9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exec9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

pid	process
4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
3292	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
3292	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
3292	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
3292	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
4604	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
4604	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe

description	pid	process	target process
PID 4144 wrote to memory of 3292	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
PID 4144 wrote to memory of 3292	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
PID 4144 wrote to memory of 3292	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
PID 4144 wrote to memory of 3436	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	schtasks.exe
PID 4144 wrote to memory of 3436	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	schtasks.exe
PID 4144 wrote to memory of 3436	4144	c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
"C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ywoxudomyj /tr "\"C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe\" /I ywoxudomyj" /SC ONCE /Z /ST 22:11 /ET 22:23
2⤵
- Creates scheduled task(s)
PID:3436

C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe
C:\Users\Admin\AppData\Local\Temp\c9dd577ccbc7652b7c8bc5e20642ba758b262a906ba1e0fc60f8fafb696625bb.exe /I ywoxudomyj
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3292-136-0x00000000020A0000-0x00000000020FA000-memory.dmp

Filesize
360KB

Download
memory/3292-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4144-134-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/4144-135-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4604-138-0x00000000005B0000-0x000000000060A000-memory.dmp

Filesize
360KB

Download
memory/4604-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads