qakbot | f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33

General

Target

f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
Size

2.0MB
MD5

6d2c38664e16c3af259924a6b305f7e9
SHA1

57e75be243c8fb92079e67ccbe84e770469c634a
SHA256

f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33
SHA512

049faf572fb034c6351bbdcf174ebc5434e7f005673a544999bd466f8ad97ea2bb8a69b816c1b58f866ae2c6c96af8795ffb23a5f076ebf14416f096f9e48021

Score

10^/10

qakbot spx114 1588766102 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.136

Botnet

spx114

Campaign

1588766102

C2

78.96.148.177:443

5.13.110.111:443

73.214.231.2:443

98.116.119.123:443

108.190.151.108:2222

186.28.178.94:443

24.226.137.154:443

207.255.158.180:443

46.214.62.199:443

148.75.231.53:443

89.212.207.43:443

102.41.116.213:995

69.88.211.123:443

47.232.26.181:443

89.45.98.163:443

72.36.59.46:2222

5.107.193.147:2222

63.230.2.205:2083

68.134.181.98:443

24.110.96.149:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1788 PING.EXE

pid	process
1788	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exef51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe

pid	process
636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
1716	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
1716	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.execmd.exe

description	pid	process	target process
PID 636 wrote to memory of 1716	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
PID 636 wrote to memory of 1716	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
PID 636 wrote to memory of 1716	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
PID 636 wrote to memory of 1716	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
PID 636 wrote to memory of 2024	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	cmd.exe
PID 636 wrote to memory of 2024	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	cmd.exe
PID 636 wrote to memory of 2024	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	cmd.exe
PID 636 wrote to memory of 2024	636	f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe	cmd.exe
PID 2024 wrote to memory of 1788	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1788	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1788	2024	cmd.exe	PING.EXE
PID 2024 wrote to memory of 1788	2024	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
"C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe
C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/636-55-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/636-56-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/1716-59-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/1788-61-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing