qakbot | 8605debb4d016c1466956c6520b20afa78f3ebf6a005c97a849096bad00c103d

General

Target

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Size

640KB
MD5

b566458411258f397f6c836d26204b3e
SHA1

f9f7f315306eb85c3525210093b3832bcb4c247b
SHA256

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d
SHA512

202574ceb2777c4bb54156b95f0fd354bface83255d4d5e51444104034231651d241761c0af34681247d5792163ed7144caa89d9177bac716835fcb5e6f6bfa0

Score

10^/10

qakbot 1566230092 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.49

Campaign

1566230092

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

24.180.7.155:443

72.255.200.129:443

67.200.146.98:2222

98.173.34.212:995

75.71.201.170:443

69.170.21.98:443

65.116.179.83:443

68.174.15.223:443

96.20.238.2:2078

64.229.194.89:995

206.51.202.106:50003

98.17.133.209:995

67.71.130.80:2222

216.221.88.160:443

47.153.115.154:443

162.244.224.166:443

65.94.90.23:3389

209.222.185.155:990

98.233.116.181:443

70.53.246.156:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3328 PING.EXE

pid	process
3328	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

pid	process
3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
3032	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
3032	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
3032	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
3032	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.execmd.exe

description	pid	process	target process
PID 3936 wrote to memory of 3032	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
PID 3936 wrote to memory of 3032	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
PID 3936 wrote to memory of 3032	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
PID 3936 wrote to memory of 4596	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	cmd.exe
PID 3936 wrote to memory of 4596	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	cmd.exe
PID 3936 wrote to memory of 4596	3936	718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe	cmd.exe
PID 4596 wrote to memory of 3328	4596	cmd.exe	PING.EXE
PID 4596 wrote to memory of 3328	4596	cmd.exe	PING.EXE
PID 4596 wrote to memory of 3328	4596	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
"C:\Users\Admin\AppData\Local\Temp\718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe
C:\Users\Admin\AppData\Local\Temp\718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3032-136-0x0000000000000000-mapping.dmp

Download
memory/3032-142-0x00000000021D0000-0x0000000002268000-memory.dmp

Filesize
608KB

Download
memory/3328-144-0x0000000000000000-mapping.dmp

Download
memory/3936-130-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3936-135-0x00000000022B0000-0x0000000002348000-memory.dmp

Filesize
608KB

Download
memory/4596-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads