qakbot | 1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e

General

Target

1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Size

580KB
MD5

068710300defccac15e8bee569682fff
SHA1

4a44425eec56c8310e3fa34ca9542a490b7d6133
SHA256

1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e
SHA512

d8bd5d3271a7d30b00447a5bcab103a87024c057b940e15e6d4a6882573fd5f7eae64c0b139e77be539f5e13915f4b8ba6eaa28d75a956d3d75afc8ac61cf8a2
SSDEEP

6144:abJZWua+S7vgXGCTkqe+oQePWTmzxWSilcsjhbS1Zi7DzmzAEN:abjVa9ruXTDKPn76njhbSnirOA

Score

10^/10

qakbot notset 1588850855 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.141

Botnet

notset

Campaign

1588850855

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

C2

24.110.14.40:443

96.35.170.82:2222

50.78.93.74:443

76.187.97.98:2222

202.77.4.37:443

89.38.171.30:443

66.26.160.37:443

58.108.188.231:443

67.83.54.76:2222

102.41.116.213:995

78.96.245.58:443

176.193.14.165:2222

73.1.68.242:443

96.37.113.36:443

98.22.234.245:443

76.15.41.32:443

95.77.235.132:0

24.226.137.154:443

24.99.180.247:443

24.43.22.220:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

pid	process
4876	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
4876	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
2208	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

description	pid	process	target process
PID 4876 wrote to memory of 2208	4876	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
PID 4876 wrote to memory of 2208	4876	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
PID 4876 wrote to memory of 2208	4876	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe	1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe

C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
"C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe
C:\Users\Admin\AppData\Local\Temp\1c3c26e127a3f89f7b8c3092e4a50e143fc0b1aed45bcefb8cf38a983d6a366e.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-134-0x0000000000000000-mapping.dmp

Download
memory/2208-135-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2208-136-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4876-132-0x0000000000640000-0x0000000000677000-memory.dmp

Filesize
220KB

Download
memory/4876-133-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4876-137-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads