qakbot | 8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad

General

Target

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Size

708KB
MD5

d93db4daa650dcdc5ffe670d61fcfa8f
SHA1

3ed89771339ea3e6d0ea56d16aface69ddef4f74
SHA256

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad
SHA512

bb1ab6ef623db5f71573ddd23a7c1873fabfc87c6f4f181fd8c8328367457bffc99edbb28d1c51991b137a69794d0915b845d9fbea6ca54c1dd922e9a797dabd

Score

10^/10

qakbot spx46 1576587820 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.91

Botnet

spx46

Campaign

1576587820

C2

32.208.1.239:8443

181.123.59.111:443

73.226.220.56:443

93.177.144.236:443

24.184.6.58:2222

72.16.212.107:465

162.244.224.166:443

62.47.252.79:993

67.10.18.112:993

104.235.119.20:443

72.224.159.224:2222

181.197.195.138:995

74.134.35.54:443

174.20.189.226:995

67.214.21.207:443

187.163.101.137:995

72.47.115.182:443

173.31.178.20:443

75.131.72.82:995

5.182.39.156:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3168 PING.EXE

pid	process
3168	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

pid	process
4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
1132	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.execmd.exe

description	pid	process	target process
PID 4216 wrote to memory of 1132	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 1132	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 1132	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
PID 4216 wrote to memory of 920	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	cmd.exe
PID 4216 wrote to memory of 920	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	cmd.exe
PID 4216 wrote to memory of 920	4216	8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe	cmd.exe
PID 920 wrote to memory of 3168	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 3168	920	cmd.exe	PING.EXE
PID 920 wrote to memory of 3168	920	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
"C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe
C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\8d58c29a45d8a94f3add1317a2d1c00e0d6eda898293a81952f5603967ce45ad.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-141-0x0000000000000000-mapping.dmp

Download
memory/1132-135-0x0000000000000000-mapping.dmp

Download
memory/1132-140-0x00000000022F0000-0x0000000002382000-memory.dmp

Filesize
584KB

Download
memory/3168-142-0x0000000000000000-mapping.dmp

Download
memory/4216-130-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4216-134-0x00000000023C0000-0x0000000002452000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads