qakbot | d700dba9a160bb284fae0681b3aa86237cadb1a1b0d73865d41c71c08a57ab62

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0e164f0b91d79e8ab8b644e98890e2.exe
Size

495KB
MD5

ad0e164f0b91d79e8ab8b644e98890e2
SHA1

35611babd7cd894d3d7f96ed5faa10c683537db0
SHA256

d700dba9a160bb284fae0681b3aa86237cadb1a1b0d73865d41c71c08a57ab62
SHA512

e6377b613576ecd1dc7215e937b5f662a96d3073aababe093ea4b22c85e8a4b93c98d47db8446fc37e3250aa1ad3c713d1752c4e36cfe698c8bdada35b597a60
SSDEEP

12288:0vx/ieOO4bKeDKnEFbgo/bqOxuZaVLUiSvCKM:0vx/im6drbgo+OxyaVLUrvC9

Score

10^/10

qakbot notset 1590741916 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

notset

Campaign

1590741916

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

108.227.161.27:995

173.187.103.35:443

117.216.185.86:443

24.43.22.220:443

72.190.101.70:443

207.255.161.8:2087

189.160.217.221:443

207.255.161.8:32102

24.226.137.154:443

66.222.88.126:995

108.58.9.238:995

1.40.42.4:443

47.152.210.233:443

72.45.14.185:443

82.127.193.151:2222

101.108.113.6:443

175.111.128.234:995

175.111.128.234:443

47.39.76.74:443

5.12.214.109:2222

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1120 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ad0e164f0b91d79e8ab8b644e98890e2.exead0e164f0b91d79e8ab8b644e98890e2.exe

pid process

2160 ad0e164f0b91d79e8ab8b644e98890e2.exe
2284 ad0e164f0b91d79e8ab8b644e98890e2.exe
2284 ad0e164f0b91d79e8ab8b644e98890e2.exe

pid	process
1120	PING.EXE

pid	process
2160	ad0e164f0b91d79e8ab8b644e98890e2.exe
2284	ad0e164f0b91d79e8ab8b644e98890e2.exe
2284	ad0e164f0b91d79e8ab8b644e98890e2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ad0e164f0b91d79e8ab8b644e98890e2.execmd.exe

description	pid	process	target process
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	ad0e164f0b91d79e8ab8b644e98890e2.exe
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	ad0e164f0b91d79e8ab8b644e98890e2.exe
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	ad0e164f0b91d79e8ab8b644e98890e2.exe
PID 2160 wrote to memory of 2284	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	ad0e164f0b91d79e8ab8b644e98890e2.exe
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	cmd.exe
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	cmd.exe
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	cmd.exe
PID 2160 wrote to memory of 2604	2160	ad0e164f0b91d79e8ab8b644e98890e2.exe	cmd.exe
PID 2604 wrote to memory of 1120	2604	cmd.exe	PING.EXE
PID 2604 wrote to memory of 1120	2604	cmd.exe	PING.EXE
PID 2604 wrote to memory of 1120	2604	cmd.exe	PING.EXE
PID 2604 wrote to memory of 1120	2604	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe
"C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe
C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\ad0e164f0b91d79e8ab8b644e98890e2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1120

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-0-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2160-1-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2160-2-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2160-5-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2284-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2284-4-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download