qakbot | 0bd6894c52fd77e1e13de3c97cb9b79757c73d1441f2bee852d6af9e954e3b59

General

Target

21.exe
Size

214KB
MD5

dd02e9fe9baf3f3ec6a70497a63face1
SHA1

a3ca2d93ba6ae5bf652c0e0268734000208e8d65
SHA256

0bd6894c52fd77e1e13de3c97cb9b79757c73d1441f2bee852d6af9e954e3b59
SHA512

cffe879f3c57cae85049d9836e15ed3e03246b33d88ec332707ec82157f2be4e804625eae8c4c6a2472fe72bc4ed82191e8c5bfb4420e704aca7b3543c164db7

Score

10^/10

qakbot tr01 1602688146 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.43

Botnet

tr01

Campaign

1602688146

C2

73.228.1.246:443

74.109.219.145:443

76.111.128.194:443

90.175.88.99:2222

108.191.28.158:443

68.225.60.77:443

75.136.40.155:443

5.193.181.221:2078

72.204.242.138:20

118.160.162.234:443

68.14.210.246:22

148.101.74.12:443

74.222.204.82:443

96.30.198.161:443

140.82.27.132:443

2.50.131.64:443

45.32.155.12:995

45.63.104.123:443

45.32.165.134:443

217.162.149.212:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 2 IoCs

Processes:

yfpcyfam.exeyfpcyfam.exe

pid process

404 yfpcyfam.exe
2712 yfpcyfam.exe

pid	process
404	yfpcyfam.exe
2712	yfpcyfam.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

yfpcyfam.exe21.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	yfpcyfam.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	yfpcyfam.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	21.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	yfpcyfam.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	yfpcyfam.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	yfpcyfam.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	yfpcyfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	21.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	21.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	21.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1276 schtasks.exe

pid	process
1276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

21.exe21.exeyfpcyfam.exeyfpcyfam.exeexplorer.exe

pid	process
3360	21.exe
3360	21.exe
1924	21.exe
1924	21.exe
1924	21.exe
1924	21.exe
404	yfpcyfam.exe
404	yfpcyfam.exe
2712	yfpcyfam.exe
2712	yfpcyfam.exe
2712	yfpcyfam.exe
2712	yfpcyfam.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

yfpcyfam.exe

pid process

404 yfpcyfam.exe

pid	process
404	yfpcyfam.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

21.exeyfpcyfam.exe

description	pid	process	target process
PID 3360 wrote to memory of 1924	3360	21.exe	21.exe
PID 3360 wrote to memory of 1924	3360	21.exe	21.exe
PID 3360 wrote to memory of 1924	3360	21.exe	21.exe
PID 3360 wrote to memory of 404	3360	21.exe	yfpcyfam.exe
PID 3360 wrote to memory of 404	3360	21.exe	yfpcyfam.exe
PID 3360 wrote to memory of 404	3360	21.exe	yfpcyfam.exe
PID 3360 wrote to memory of 1276	3360	21.exe	schtasks.exe
PID 3360 wrote to memory of 1276	3360	21.exe	schtasks.exe
PID 3360 wrote to memory of 1276	3360	21.exe	schtasks.exe
PID 404 wrote to memory of 2712	404	yfpcyfam.exe	yfpcyfam.exe
PID 404 wrote to memory of 2712	404	yfpcyfam.exe	yfpcyfam.exe
PID 404 wrote to memory of 2712	404	yfpcyfam.exe	yfpcyfam.exe
PID 404 wrote to memory of 3024	404	yfpcyfam.exe	explorer.exe
PID 404 wrote to memory of 3024	404	yfpcyfam.exe	explorer.exe
PID 404 wrote to memory of 3024	404	yfpcyfam.exe	explorer.exe
PID 404 wrote to memory of 3024	404	yfpcyfam.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\21.exe
"C:\Users\Admin\AppData\Local\Temp\21.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\21.exe
  C:\Users\Admin\AppData\Local\Temp\21.exe /C
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe /C
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn llvzeuqo /tr "\"C:\Users\Admin\AppData\Local\Temp\21.exe\" /I llvzeuqo" /SC ONCE /Z /ST 07:12 /ET 07:24
  2⤵
  - Creates scheduled task(s)
  PID:1276

C:\Users\Admin\AppData\Local\Temp\21.exe
C:\Users\Admin\AppData\Local\Temp\21.exe /I llvzeuqo
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.dat

Filesize
63B

MD5
ae8cdccf10b699d1abfa184dc83cb7d5

SHA1
f57372d3f81eb28f565214796f211a462d9b7b73

SHA256
d3a8eb05adf8e512a1d25936ba5c79051ed17e5c2ea8e9a2064fcb8597813fbd

SHA512
1075e777b8167ab855aa568734ff1fe50856c2914387de09bd31ef88661db35cfb975194223b8f0fe9a32d942d6ada203fcbf2993767843867ff15dc621a4538

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe

Filesize
214KB

MD5
dd02e9fe9baf3f3ec6a70497a63face1

SHA1
a3ca2d93ba6ae5bf652c0e0268734000208e8d65

SHA256
0bd6894c52fd77e1e13de3c97cb9b79757c73d1441f2bee852d6af9e954e3b59

SHA512
cffe879f3c57cae85049d9836e15ed3e03246b33d88ec332707ec82157f2be4e804625eae8c4c6a2472fe72bc4ed82191e8c5bfb4420e704aca7b3543c164db7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe

Filesize
214KB

MD5
dd02e9fe9baf3f3ec6a70497a63face1

SHA1
a3ca2d93ba6ae5bf652c0e0268734000208e8d65

SHA256
0bd6894c52fd77e1e13de3c97cb9b79757c73d1441f2bee852d6af9e954e3b59

SHA512
cffe879f3c57cae85049d9836e15ed3e03246b33d88ec332707ec82157f2be4e804625eae8c4c6a2472fe72bc4ed82191e8c5bfb4420e704aca7b3543c164db7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Uebadnkbfk\yfpcyfam.exe

Filesize
214KB

MD5
dd02e9fe9baf3f3ec6a70497a63face1

SHA1
a3ca2d93ba6ae5bf652c0e0268734000208e8d65

SHA256
0bd6894c52fd77e1e13de3c97cb9b79757c73d1441f2bee852d6af9e954e3b59

SHA512
cffe879f3c57cae85049d9836e15ed3e03246b33d88ec332707ec82157f2be4e804625eae8c4c6a2472fe72bc4ed82191e8c5bfb4420e704aca7b3543c164db7

Download Submit
memory/404-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-136-0x0000000000000000-mapping.dmp

Download
memory/1276-139-0x0000000000000000-mapping.dmp

Download
memory/1924-132-0x0000000000000000-mapping.dmp

Download
memory/1924-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1924-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2712-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2712-142-0x0000000000000000-mapping.dmp

Download
memory/2712-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3024-146-0x0000000000000000-mapping.dmp

Download
memory/3024-147-0x0000000000850000-0x0000000000887000-memory.dmp

Filesize
220KB

Download
memory/3024-148-0x0000000002460000-0x000000000248E000-memory.dmp

Filesize
184KB

Download
memory/3024-151-0x0000000000850000-0x0000000000887000-memory.dmp

Filesize
220KB

Download
memory/3024-152-0x0000000002460000-0x000000000248E000-memory.dmp

Filesize
184KB

Download
memory/3360-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-130-0x00000000005C0000-0x00000000005F4000-memory.dmp

Filesize
208KB

Download
memory/3360-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3360-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads