qakbot | f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f

General

Target

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Size

520KB
MD5

534394261be4f63a4b59501be880ee5d
SHA1

2909b52711253adf9e475a0f4ba487402f634298
SHA256

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f
SHA512

75b86c62eae4b76ec42c749805a9c27e10c78ff8332509b81688c34b5e1fa1fcb9174121415398595eb7aa60d8d9aab361dbd43f978c807dc433f485bd20b57b

Score

10^/10

qakbot hhh23 1554720361 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

322.742

Botnet

hhh23

Campaign

1554720361

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

C2

184.186.76.228:80

65.153.32.170:443

65.116.179.83:443

100.16.222.65:443

148.240.66.99:6881

172.78.85.124:443

71.210.140.93:995

72.29.181.77:2078

162.237.221.101:443

70.105.162.74:995

192.198.85.26:443

24.73.69.42:443

190.120.196.18:995

67.202.178.142:443

208.69.72.135:2222

69.159.223.202:443

174.48.72.160:443

75.183.171.155:3389

81.103.144.77:443

76.27.113.181:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2236 PING.EXE

pid	process
2236	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exef05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

pid	process
3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
1944	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
1944	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
1944	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
1944	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.execmd.exe

description	pid	process	target process
PID 3528 wrote to memory of 1944	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
PID 3528 wrote to memory of 1944	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
PID 3528 wrote to memory of 1944	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
PID 3528 wrote to memory of 1720	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	cmd.exe
PID 3528 wrote to memory of 1720	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	cmd.exe
PID 3528 wrote to memory of 1720	3528	f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe	cmd.exe
PID 1720 wrote to memory of 2236	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2236	1720	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2236	1720	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
"C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
  C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe /C
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-141-0x0000000000000000-mapping.dmp

Download
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/1944-140-0x0000000002140000-0x00000000021B5000-memory.dmp

Filesize
468KB

Download
memory/2236-142-0x0000000000000000-mapping.dmp

Download
memory/3528-130-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3528-134-0x0000000002290000-0x0000000002305000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads