qakbot | d700dba9a160bb284fae0681b3aa86237cadb1a1b0d73865d41c71c08a57ab62

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 22:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0e164f0b91d79e8ab8b644e98890e2.exe
Size

495KB
MD5

ad0e164f0b91d79e8ab8b644e98890e2
SHA1

35611babd7cd894d3d7f96ed5faa10c683537db0
SHA256

d700dba9a160bb284fae0681b3aa86237cadb1a1b0d73865d41c71c08a57ab62
SHA512

e6377b613576ecd1dc7215e937b5f662a96d3073aababe093ea4b22c85e8a4b93c98d47db8446fc37e3250aa1ad3c713d1752c4e36cfe698c8bdada35b597a60
SSDEEP

12288:0vx/ieOO4bKeDKnEFbgo/bqOxuZaVLUiSvCKM:0vx/im6drbgo+OxyaVLUrvC9

Score

10^/10

qakbot notset 1590741916 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

notset

Campaign

1590741916

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

108.227.161.27:995

173.187.103.35:443

117.216.185.86:443

24.43.22.220:443

72.190.101.70:443

207.255.161.8:2087

189.160.217.221:443

207.255.161.8:32102

24.226.137.154:443

66.222.88.126:995

108.58.9.238:995

1.40.42.4:443

47.152.210.233:443

72.45.14.185:443

82.127.193.151:2222

101.108.113.6:443

175.111.128.234:995

175.111.128.234:443

47.39.76.74:443

5.12.214.109:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1120	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2160	ad0e164f0b91d79e8ab8b644e98890e2.exe
2284	ad0e164f0b91d79e8ab8b644e98890e2.exe
2284	ad0e164f0b91d79e8ab8b644e98890e2.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	28
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	28
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	28
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	28
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	29
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	29
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	29
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	29
PID 2604 wrote to memory of 1120	2604	cmd.exe	31
PID 2604 wrote to memory of 1120	2604	cmd.exe	31
PID 2604 wrote to memory of 1120	2604	cmd.exe	31
PID 2604 wrote to memory of 1120	2604	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe
"C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe
  C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe /C
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-0-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2160-1-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2160-2-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2160-5-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2284-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2284-4-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download