qakbot | b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9

General

Target

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Size

1.0MB
MD5

ae040adc65709061d79938035502f560
SHA1

f70b2b6ac1a8cebba2eba0e5d97f1d681d61e670
SHA256

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9
SHA512

c91c5a48f4132c103dc552fcc4a5224cc9ea26571f376a6d500660a61f79908adb002c97fc2f2b170a8c75a22fc1f6d338ce79ef083f9adcbf804533903fda3d
SSDEEP

12288:ZPqflDDoYeMGKAJ5BGv7B2QX6EQ2XbhYoKw:V006ADo12mNbRKw

Score

10^/10

qakbot notset 1604404534 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.59

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.execmd.exePING.EXEb493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

4052 cmd.exe
3972 PING.EXE

pid	process
4052	cmd.exe
3972	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3972 PING.EXE

pid	process
3972	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exeb493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

pid	process
1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
2340	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
2340	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
2340	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
2340	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.execmd.exe

description	pid	process	target process
PID 1528 wrote to memory of 2340	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
PID 1528 wrote to memory of 2340	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
PID 1528 wrote to memory of 2340	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
PID 1528 wrote to memory of 4052	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	cmd.exe
PID 1528 wrote to memory of 4052	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	cmd.exe
PID 1528 wrote to memory of 4052	1528	b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe	cmd.exe
PID 4052 wrote to memory of 3972	4052	cmd.exe	PING.EXE
PID 4052 wrote to memory of 3972	4052	cmd.exe	PING.EXE
PID 4052 wrote to memory of 3972	4052	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
"C:\Users\Admin\AppData\Local\Temp\b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe
  C:\Users\Admin\AppData\Local\Temp\b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe /C
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b493c7d8e596fa4beb94ef6bd733c923ce613e65947bf1ed098a3ea0d81648d9.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 6 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-0-0x0000000002260000-0x0000000002297000-memory.dmp

Filesize
220KB

Download
memory/1528-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-5-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2340-2-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2340-3-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2340-4-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads