qakbot | 4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7

General

Target

4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
Size

339KB
MD5

6ec710592f870d7235255f1343ae8f02
SHA1

f51e09560aeb67f18abbc82509e94bd034272e6e
SHA256

4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7
SHA512

6a3f804b1220d21807d6d9921792e172b313a592545e61fbdbc9f9af13ea946f0bab5c153470bbe89d7a1cbbea7d061af843eef3a5f13bb2b6801edf88a550e6

Score

10^/10

qakbot abc027 1604574287 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.59

Botnet

abc027

Campaign

1604574287

C2

93.86.252.177:995

184.98.97.227:995

188.25.24.21:2222

1.54.190.204:443

89.137.211.239:443

78.101.234.58:443

41.206.131.166:443

87.27.110.90:2222

47.44.217.98:443

197.45.110.165:995

217.133.54.140:32100

41.97.170.119:443

185.246.9.69:995

90.53.232.130:2222

72.186.1.237:443

144.139.230.139:443

86.164.27.33:2222

185.105.131.233:443

90.146.209.224:2222

108.46.145.30:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\kakzdrw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Rfzio\\wmmue.exe\""	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe

pid	process
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe

pid	process
732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
1660	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
1660	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
268	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exetaskeng.exe

description	pid	process	target process
PID 732 wrote to memory of 1660	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 732 wrote to memory of 1660	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 732 wrote to memory of 1660	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 732 wrote to memory of 1660	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 732 wrote to memory of 1772	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	schtasks.exe
PID 732 wrote to memory of 1772	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	schtasks.exe
PID 732 wrote to memory of 1772	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	schtasks.exe
PID 732 wrote to memory of 1772	732	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe	schtasks.exe
PID 1356 wrote to memory of 268	1356	taskeng.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 1356 wrote to memory of 268	1356	taskeng.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 1356 wrote to memory of 268	1356	taskeng.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
PID 1356 wrote to memory of 268	1356	taskeng.exe	4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe

C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
"C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn nzbkgdju /tr "\"C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe\" /I nzbkgdju" /SC ONCE /Z /ST 18:09 /ET 18:21
2⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {2E8751FF-BF44-442F-8432-7779215B28CE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe
C:\Users\Admin\AppData\Local\Temp\4efe4077d505425e64296f10f757d3fe682637d817c27e2325d4a6cf8b8617f7.exe /I nzbkgdju
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:268

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/268-64-0x0000000000220000-0x000000000027A000-memory.dmp

Filesize
360KB

Download
memory/268-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/732-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/732-55-0x0000000000250000-0x00000000002AA000-memory.dmp

Filesize
360KB

Download
memory/732-56-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download
memory/1660-59-0x0000000000230000-0x000000000028A000-memory.dmp

Filesize
360KB

Download
memory/1660-60-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1772-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads