qakbot | aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

General

Target

444444.exe
Size

720KB
MD5

1692df185b5b6c07a50b271118114c83
SHA1

f7456d027f7742aecb39ef0125cb13096f908a7e
SHA256

aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326
SHA512

d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b
SSDEEP

12288:avKd+uePR25zgtEAjSfUO8l6ilUPpzfDpwlwwFpomqptfUpOlC+v1:IKd+z28EA4UOHqgTDpwlpPzutf5CA

Score

10^/10

qakbot spx49 1577446119 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.108

Botnet

spx49

Campaign

1577446119

C2

173.80.61.90:443

72.28.255.159:443

5.182.39.156:443

138.122.5.214:2222

47.23.101.26:465

72.190.101.70:443

208.126.142.17:443

72.224.159.224:2222

75.110.90.106:443

66.214.75.176:443

45.45.105.94:995

117.223.146.238:995

71.226.140.73:443

71.30.56.170:443

50.247.230.33:995

173.3.132.17:995

24.229.245.124:995

45.45.105.94:443

173.79.220.156:443

104.35.127.108:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 2 IoCs

pid	Process
1164	jbvofz.exe
4996	jbvofz.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	444444.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	jbvofz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	jbvofz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	444444.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	444444.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	444444.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	444444.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	444444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	jbvofz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	jbvofz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	jbvofz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	jbvofz.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5036	444444.exe
5036	444444.exe
3520	444444.exe
3520	444444.exe
3520	444444.exe
3520	444444.exe
1164	jbvofz.exe
1164	jbvofz.exe
4996	jbvofz.exe
4996	jbvofz.exe
4996	jbvofz.exe
4996	jbvofz.exe
1704	mobsync.exe
1704	mobsync.exe
1704	mobsync.exe
1704	mobsync.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1164	jbvofz.exe
1164	jbvofz.exe
1164	jbvofz.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3520	5036	444444.exe	87
PID 5036 wrote to memory of 3520	5036	444444.exe	87
PID 5036 wrote to memory of 3520	5036	444444.exe	87
PID 5036 wrote to memory of 1164	5036	444444.exe	96
PID 5036 wrote to memory of 1164	5036	444444.exe	96
PID 5036 wrote to memory of 1164	5036	444444.exe	96
PID 5036 wrote to memory of 4944	5036	444444.exe	97
PID 5036 wrote to memory of 4944	5036	444444.exe	97
PID 5036 wrote to memory of 4944	5036	444444.exe	97
PID 1164 wrote to memory of 4996	1164	jbvofz.exe	101
PID 1164 wrote to memory of 4996	1164	jbvofz.exe	101
PID 1164 wrote to memory of 4996	1164	jbvofz.exe	101
PID 1164 wrote to memory of 3952	1164	jbvofz.exe	103
PID 1164 wrote to memory of 3952	1164	jbvofz.exe	103
PID 1164 wrote to memory of 3952	1164	jbvofz.exe	103
PID 1164 wrote to memory of 3952	1164	jbvofz.exe	103
PID 1164 wrote to memory of 664	1164	jbvofz.exe	105
PID 1164 wrote to memory of 664	1164	jbvofz.exe	105
PID 1164 wrote to memory of 664	1164	jbvofz.exe	105
PID 1164 wrote to memory of 664	1164	jbvofz.exe	105
PID 1164 wrote to memory of 1704	1164	jbvofz.exe	107
PID 1164 wrote to memory of 1704	1164	jbvofz.exe	107
PID 1164 wrote to memory of 1704	1164	jbvofz.exe	107
PID 1164 wrote to memory of 1704	1164	jbvofz.exe	107

C:\Users\Admin\AppData\Local\Temp\444444.exe
"C:\Users\Admin\AppData\Local\Temp\444444.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\444444.exe
  C:\Users\Admin\AppData\Local\Temp\444444.exe /C
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe /C
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:4996
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:664
- - C:\Windows\SysWOW64\mobsync.exe
    C:\Windows\SysWOW64\mobsync.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bdeheoqge /tr "\"C:\Users\Admin\AppData\Local\Temp\444444.exe\" /I bdeheoqge" /SC ONCE /Z /ST 21:45 /ET 21:57
  2⤵
  - Creates scheduled task(s)
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.dat

Filesize
63B

MD5
9412b1f648fa8cde3c0a388d839bccad

SHA1
d145b84726a2811663c7bba3264df819a53ff9d9

SHA256
2e80eeed30efc20bcbeeb7d264b1d4b88f890b77c053cd5eb5cdaf927c6e6d63

SHA512
97d6a228ca0f9dab4a733ef37cabf02b34565b878e4e4a9c54f2b7b9b11d2c130843ed45c2e59b7900f48b7fb4af6088dabc2c8b0467df3ad2ade208c3f16c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Wkcusolxon\jbvofz.exe

Filesize
720KB

MD5
1692df185b5b6c07a50b271118114c83

SHA1
f7456d027f7742aecb39ef0125cb13096f908a7e

SHA256
aa1fd9936567ccfbd41480838cf5eb4f5d74567993aa0aea1df06f03390cd326

SHA512
d083d8a2fed8a8864cb4bb5b90077c04512b1d7bcba39e18f4ced9574d36f3b0561d61a1d367a464500db2d219325611c35e31f215b829edc934892918927b1b

Download Submit
memory/1164-23-0x00000000009D0000-0x0000000000A61000-memory.dmp

Filesize
580KB

Download
memory/1164-46-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1164-35-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1164-34-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1704-43-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/1704-42-0x0000000000A30000-0x0000000000AC1000-memory.dmp

Filesize
580KB

Download
memory/1704-50-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/1704-48-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/1704-47-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/1704-45-0x0000000000A30000-0x0000000000AC1000-memory.dmp

Filesize
580KB

Download
memory/1704-44-0x0000000002870000-0x00000000028AF000-memory.dmp

Filesize
252KB

Download
memory/1704-40-0x0000000000A30000-0x0000000000AC1000-memory.dmp

Filesize
580KB

Download
memory/3520-4-0x00000000021E0000-0x0000000002271000-memory.dmp

Filesize
580KB

Download
memory/3520-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4996-33-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4996-30-0x0000000000890000-0x0000000000921000-memory.dmp

Filesize
580KB

Download
memory/5036-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5036-0-0x0000000002350000-0x00000000023E1000-memory.dmp

Filesize
580KB

Download
memory/5036-8-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5036-1-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5036-16-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads