Analysis

  • max time kernel
    65s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:41

General

  • Target

    file1.exe

  • Size

    1.1MB

  • MD5

    0c5d9a27daa00d234af1a30882aacc50

  • SHA1

    ac369d06c81af9d663e135a04dc94e582a0604fb

  • SHA256

    faf8184aa2a041106b6db4e567716ef5327df36371e5044b1c3818c1ac4d0466

  • SHA512

    4f16b17d05359863da6e8128215d68532f81350b339167469174993064451fc1f7b2fbe9af0d58c43e04611ac7912369f8af9f59092305b4ca7390a93066a7d9

Malware Config

Extracted

  • Family
    qakbot
  • Botnet
    spx135
  • Campaign
    1591627649 (a Unix timestamp: 2020-06-08 14:47:29 UTC)
  • C2 (20 entries, ip:port)
    89.32.216.156:443
    74.222.204.82:443
    24.183.39.93:443
    97.93.211.17:443
    80.14.209.42:2222
    96.35.170.82:2222
    151.73.124.242:443
    98.110.231.63:443
    108.227.161.27:995
    173.3.132.17:995
    31.5.41.52:443
    24.122.228.88:443
    5.107.208.94:2222
    76.185.136.58:443
    50.29.166.232:995
    73.210.114.187:443
    92.114.107.193:995
    24.43.22.220:993
    50.247.230.33:995
    72.142.106.198:465

    Qakbot C2 lists of this period consist largely of infected hosts acting as proxies, so these addresses churn quickly. Treat them as short-lived indicators and pair them with the botnet ID and the port mix (443, 2222, 995, 993, 465) rather than relying on the IPs alone.
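The config block above is what a responder actually works from. As an added example (not part of the sandbox report and not Qakbot tooling), the following Python script parses that key/value layout, validates each C2 entry as ip:port, decodes the campaign ID as a Unix timestamp, groups the C2s by port and emits one Suricata rule per host. The config text is copied from the report; all function names and the sid range are this example's own.

```python
"""Turn the extracted Qakbot config into checked, usable indicators.

Added example, not part of the sandbox report.  The config text is copied
from the report's Malware Config block; every function name here is this
example's own.  It validates each C2 entry as ip:port, decodes the campaign
ID as a Unix timestamp, groups C2s by port and emits Suricata rules.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Copied from the report (constructed input for this example).
EXTRACTED_CONFIG = """\
Family
qakbot
Botnet
spx135
Campaign
1591627649
C2
89.32.216.156:443
74.222.204.82:443
24.183.39.93:443
97.93.211.17:443
80.14.209.42:2222
96.35.170.82:2222
151.73.124.242:443
98.110.231.63:443
108.227.161.27:995
173.3.132.17:995
31.5.41.52:443
24.122.228.88:443
5.107.208.94:2222
76.185.136.58:443
50.29.166.232:995
73.210.114.187:443
92.114.107.193:995
24.43.22.220:993
50.247.230.33:995
72.142.106.198:465
"""

SCALAR_KEYS = {"family", "botnet", "campaign"}


def parse_c2(entry: str) -> tuple[str, int]:
    """Validate one 'ip:port' line; raise ValueError on anything else."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in C2 entry {entry!r}")
    ip = ipaddress.ip_address(host.strip("[]"))   # raises ValueError on garbage
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range in C2 entry {entry!r}")
    return str(ip), port_num


def parse_config(text: str) -> dict:
    """Read the report's key / value layout: scalar keys take the next line,
    'C2' collects every following line until the end of the block."""
    cfg: dict = {"c2": []}
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        low = line.lower()
        if low in SCALAR_KEYS or low == "c2":
            key = low
        elif key in SCALAR_KEYS:
            cfg[key] = line
            key = None
        elif key == "c2":
            cfg["c2"].append(parse_c2(line))
        else:
            raise ValueError(f"unexpected line {line!r}")
    return cfg


def campaign_time(cfg: dict) -> datetime:
    """Qakbot campaign IDs are Unix timestamps (UTC) of the campaign build."""
    return datetime.fromtimestamp(int(cfg["campaign"]), tz=timezone.utc)


def c2_by_port(cfg: dict) -> dict[int, list[str]]:
    """Group C2 hosts by destination port (443/2222/995/993/465 here)."""
    groups: dict[int, list[str]] = defaultdict(list)
    for ip, port in cfg["c2"]:
        groups[port].append(ip)
    return dict(groups)


def suricata_rules(cfg: dict, sid_base: int) -> list[str]:
    """One 'alert tcp' rule per C2; the msg carries the botnet ID for triage."""
    label = f"Qakbot {cfg.get('botnet', 'unknown')} C2"
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"{label} {ip}:{port}"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(cfg["c2"], start=1)
    ]


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print("campaign:", campaign_time(cfg).isoformat())
    for port, ips in sorted(c2_by_port(cfg).items()):
        print(f"port {port}: {len(ips)} hosts")
    print("\n".join(suricata_rules(cfg, 9000000)))
```

The parser rejects malformed C2 entries instead of silently dropping them, so a truncated or mis-extracted config fails loudly before it reaches a blocklist; the sid base is arbitrary and should be taken from your local rule numbering.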

Signatures

  • Qakbot/Qbot

    Qakbot (Qbot) is a modular banking trojan and loader with worm-like lateral-movement capabilities.

  • CryptOne packer 5 IoCs

    Detects the CryptOne packer described in NCC Group's blog post. The sample is packed, so the on-disk hashes above identify the packer layer, not the unpacked Qakbot payload.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with /RU "NT AUTHORITY\SYSTEM", /SC ONCE and /Z (delete after the final run), so the action runs once as SYSTEM and the task then removes itself.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

    The MapViewOfSection and WriteProcessMemory activity on icfjslh.exe (PID 1684) is consistent with injection into the 32-bit explorer.exe (PID 604) it spawns in the process tree below.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file1.exe
    "C:\Users\Admin\AppData\Local\Temp\file1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\file1.exe
      C:\Users\Admin\AppData\Local\Temp\file1.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1788
    • C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1468
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:604
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ddhyoml /tr "\"C:\Users\Admin\AppData\Local\Temp\file1.exe\" /I ddhyoml" /SC ONCE /Z /ST 23:58 /ET 24:10
      2⤵
      • Creates scheduled task(s)
      PID:1772
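The tree shows the chain: file1.exe spawns itself with /C, copies itself to AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe, which repeats the /C spawn and then starts a 32-bit explorer.exe (SysWOW64) that it writes into, while a schtasks.exe child registers a one-shot SYSTEM task that reruns the original Temp path with /I. As an added example, not part of the report, the following Python detector parses a schtasks command line and flags the combination seen here: /Create as NT AUTHORITY\SYSTEM, /SC ONCE with /Z, an action under a user-writable directory, and an end time outside the 00:00-23:59 range (24:10 in this run). The process records are constructed; the first reproduces the report's command line. Function, field and tag names are this example's own.

```python
"""Flag schtasks command lines matching the persistence pattern in the tree.

Added example, not part of the sandbox report.  It runs over constructed
process-creation records (Sysmon Event ID 1 style: pid, image, command
line); the first record reproduces the report's schtasks line, the others
are benign.  Function, field and tag names are this example's own.
"""
import re

# Directories a low-privilege user can write to; a task whose action lives
# here but runs as SYSTEM is a persistence-plus-elevation pattern.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming",
                 r"\users\public", r"\programdata")

# One schtasks switch and its optional value; quoted values may hold \" escapes.
SWITCH_RE = re.compile(
    r'/(?P<name>[a-z]+)(?:\s+(?P<val>"(?:[^"\\]|\\.)*"|[^\s/]\S*))?', re.I)


def parse_schtasks(cmdline: str) -> dict:
    """Return {switch: value} with surrounding quotes and \\" escapes removed."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        val = m.group("val")
        if val and val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        switches[m.group("name").lower()] = val
    return switches


def _time_out_of_range(value) -> bool:
    """True for an HH:mm value outside 00:00-23:59 (e.g. the report's /ET 24:10)."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", value or "")
    return bool(m) and not (int(m[1]) <= 23 and int(m[2]) <= 59)


def assess(cmdline: str) -> list:
    """Return the reasons a schtasks /Create line resembles the Qakbot task."""
    sw = parse_schtasks(cmdline)
    if "create" not in sw:
        return []
    reasons = []
    ru = (sw.get("ru") or "").lower().replace("nt authority\\", "")
    if ru == "system":
        reasons.append("runs_as_system")
    if (sw.get("sc") or "").lower() == "once" and "z" in sw:
        reasons.append("one_shot_self_deleting")
    action = (sw.get("tr") or "").lower()
    if any(d in action for d in USER_WRITABLE):
        reasons.append("action_in_user_writable_path")
    if _time_out_of_range(sw.get("st")) or _time_out_of_range(sw.get("et")):
        reasons.append("malformed_time")
    return reasons


def scan(events, threshold: int = 2) -> list:
    """Return (pid, reasons) for schtasks launches with >= threshold reasons."""
    hits = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\schtasks.exe"):
            continue
        reasons = assess(ev["CommandLine"])
        if len(reasons) >= threshold:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed records; the first reproduces the command line from the report.
EVENTS = [
    {"ProcessId": 1772, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
                    r'/tn ddhyoml /tr "\"C:\Users\Admin\AppData\Local\Temp\file1.exe\" /I ddhyoml" '
                    r'/SC ONCE /Z /ST 23:58 /ET 24:10'},
    {"ProcessId": 2204, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN "NightlyBackup" /TR "C:\Program Files\Backup\backup.exe" '
                    r'/SC DAILY /ST 02:00'},
    {"ProcessId": 2310, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Query /TN "NightlyBackup"'},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS):
        print(f"PID {pid}: {', '.join(reasons)}")
```

A threshold of two keeps a lone SYSTEM task from an installer out of the alert stream while still catching this sample, which trips all four checks; tune USER_WRITABLE to the paths your environment actually lets users write to.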


MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 1 technique
  • Persistence: Scheduled Task (T1053), 1 technique
  • Privilege Escalation: Scheduled Task (T1053), 1 technique


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.dat
    MD5

    9da514a801cdf795e73167bdf8d09389

    SHA1

    a088d7c65956df9f66569ac6a9b519726f31bb4f

    SHA256

    38195beecd2f89d68d919c9a990a759475cae4c984785c7dd524c102b5487269

    SHA512

    922ac135020ff431821a0f01ae3d0b4e0ffefda7cebcd6ff0f02360e2394bc0e7e49a5162eb195912c8610c09b2bf3e44c45833f7dccf3726928585c9df7c2ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Xfzezfol\icfjslh.exe
    (identical MD5/SHA1/SHA256/SHA512 to the submitted file1.exe: the sample copies itself unchanged into this directory)
    MD5

    0c5d9a27daa00d234af1a30882aacc50

    SHA1

    ac369d06c81af9d663e135a04dc94e582a0604fb

    SHA256

    faf8184aa2a041106b6db4e567716ef5327df36371e5044b1c3818c1ac4d0466

    SHA512

    4f16b17d05359863da6e8128215d68532f81350b339167469174993064451fc1f7b2fbe9af0d58c43e04611ac7912369f8af9f59092305b4ca7390a93066a7d9

  • memory/604-12-0x0000000000000000-mapping.dmp
  • memory/1468-8-0x0000000000000000-mapping.dmp
  • memory/1468-10-0x0000000002430000-0x0000000002441000-memory.dmp
    Filesize

    68KB

  • memory/1684-4-0x0000000000000000-mapping.dmp
  • memory/1684-11-0x0000000000380000-0x00000000003BA000-memory.dmp
    Filesize

    232KB

  • memory/1772-6-0x0000000000000000-mapping.dmp
  • memory/1788-0-0x0000000000000000-mapping.dmp
  • memory/1788-1-0x00000000023B0000-0x00000000023C1000-memory.dmp
    Filesize

    68KB