qakbot | aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

General

Target

444444.exe
Size

720KB
MD5

1692df185b5b6c07a50b271118114c83
SHA1

f7456d027f7742aecb39ef0125cb13096f908a7e
SHA256

aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326
SHA512

d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b
SSDEEP

12288:avKd+uePR25zgtEAjSfUO8l6ilUPpzfDpwlwwFpomqptfUpOlC+v1:IKd+z28EA4UOHqgTDpwlpPzutf5CA

Score

10^/10

qakbot spx49 1577446119 banker persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.108

Botnet

spx49

Campaign

1577446119

C2

173.80.61.90:443

72.28.255.159:443

5.182.39.156:443

138.122.5.214:2222

47.23.101.26:465

72.190.101.70:443

208.126.142.17:443

72.224.159.224:2222

75.110.90.106:443

66.214.75.176:443

45.45.105.94:995

117.223.146.238:995

71.226.140.73:443

71.30.56.170:443

50.247.230.33:995

173.3.132.17:995

24.229.245.124:995

45.45.105.94:443

173.79.220.156:443

104.35.127.108:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 2 IoCs

Processes:

roveaguj.exeroveaguj.exe

pid	Process
2620	roveaguj.exe
2568	roveaguj.exe

Loads dropped DLL 2 IoCs

Processes:

444444.exeroveaguj.exe

pid	Process
2516	444444.exe
2620	roveaguj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhvowhwl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Fphuwcfwritq\\roveaguj.exe\""	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

444444.exe444444.exeroveaguj.exeroveaguj.exeexplorer.exe

pid	Process
2516	444444.exe
2536	444444.exe
2536	444444.exe
2620	roveaguj.exe
2568	roveaguj.exe
2568	roveaguj.exe
1864	explorer.exe
1864	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

roveaguj.exe

pid	Process
2620	roveaguj.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

444444.exeroveaguj.exe

description	pid	Process	procid_target
PID 2516 wrote to memory of 2536	2516	444444.exe	27
PID 2516 wrote to memory of 2536	2516	444444.exe	27
PID 2516 wrote to memory of 2536	2516	444444.exe	27
PID 2516 wrote to memory of 2536	2516	444444.exe	27
PID 2516 wrote to memory of 2620	2516	444444.exe	28
PID 2516 wrote to memory of 2620	2516	444444.exe	28
PID 2516 wrote to memory of 2620	2516	444444.exe	28
PID 2516 wrote to memory of 2620	2516	444444.exe	28
PID 2620 wrote to memory of 2568	2620	roveaguj.exe	29
PID 2620 wrote to memory of 2568	2620	roveaguj.exe	29
PID 2620 wrote to memory of 2568	2620	roveaguj.exe	29
PID 2620 wrote to memory of 2568	2620	roveaguj.exe	29
PID 2516 wrote to memory of 2492	2516	444444.exe	30
PID 2516 wrote to memory of 2492	2516	444444.exe	30
PID 2516 wrote to memory of 2492	2516	444444.exe	30
PID 2516 wrote to memory of 2492	2516	444444.exe	30
PID 2620 wrote to memory of 1864	2620	roveaguj.exe	31
PID 2620 wrote to memory of 1864	2620	roveaguj.exe	31
PID 2620 wrote to memory of 1864	2620	roveaguj.exe	31
PID 2620 wrote to memory of 1864	2620	roveaguj.exe	31
PID 2620 wrote to memory of 1864	2620	roveaguj.exe	31

C:\Users\Admin\AppData\Local\Temp\444444.exe
"C:\Users\Admin\AppData\Local\Temp\444444.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\444444.exe
  C:\Users\Admin\AppData\Local\Temp\444444.exe /C
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe /C
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2568
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:1864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn shngvoqk /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I shngvoqk" /SC ONCE /Z /ST 21:45 /ET 21:57
  2⤵
  - Creates scheduled task(s)
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.dat

Filesize
63B

MD5
f98d71431ea51c2acacfcd996d65303e

SHA1
a19bcfcd8f7d7239c7f8d8170b0494959b948ba1

SHA256
c3107a27c219c2d6dcb068c6da22941a1c62a6feb8771c48e0e80cda80cafebb

SHA512
42827bd6fe3f0d6bfc861b65d68d51e0de25e7f0ffcae814501a3d0f7cd6534f9d1f96b1e598345f046ebe4a5857506dbab4f929ca5337487a45910d2665429d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Fphuwcfwritq\roveaguj.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
memory/1864-34-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-35-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-44-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-41-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-39-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-38-0x0000000000530000-0x000000000056F000-memory.dmp

Filesize
252KB

Download
memory/1864-36-0x0000000000080000-0x0000000000111000-memory.dmp

Filesize
580KB

Download
memory/1864-33-0x0000000000080000-0x0000000000111000-memory.dmp

Filesize
580KB

Download
memory/1864-31-0x0000000000080000-0x0000000000111000-memory.dmp

Filesize
580KB

Download
memory/1864-30-0x0000000000080000-0x0000000000111000-memory.dmp

Filesize
580KB

Download
memory/2516-1-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2516-0-0x0000000001CF0000-0x0000000001D81000-memory.dmp

Filesize
580KB

Download
memory/2516-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2516-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2536-5-0x0000000001D50000-0x0000000001DE1000-memory.dmp

Filesize
580KB

Download
memory/2536-8-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2568-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-18-0x00000000004C0000-0x0000000000551000-memory.dmp

Filesize
580KB

Download
memory/2620-37-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads