Overview

overview

10

Static

static

8

120 seconds - Win. 10

windows10_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-02-2021 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    information (93).xls

  • Size

    320KB

  • MD5

    3cc237fd87987968d9830a125b9f8ded

  • SHA1

    3c57c67646bfcf338b04192d7043357ddb4d72b1

  • SHA256

    2f50dc749600c23ef5faa7c5a4598047575cc6d3bd379afa49ba7b1272be8561

  • SHA512

    32747880798621c71cb146047ceb971623bbc13267aae38a158c7548b80c9ec61cdeadbc3c9ddfbfd888011f2b973b2bbec45037251bfd67c0f4a8b7c3e866a2

Score
10/10
qakbottr1612175155bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

tr

Campaign

1612175155

C2

89.3.198.238:443

172.78.30.215:443

85.52.72.32:2222

76.110.113.71:995

106.51.52.111:443

75.67.192.125:443

172.115.177.204:2222

197.45.110.165:995

82.76.47.211:443

45.77.115.208:443

45.32.211.207:443

144.202.38.185:443

207.246.116.237:995

149.28.101.90:995

149.28.101.90:8443

207.246.116.237:8443

144.202.38.185:2222

45.32.211.207:8443

149.28.101.90:443

149.28.101.90:2222

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\information (93).xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 C:\sdios\dswgc\dqlqv.doq,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\sdios\dswgc\dqlqv.doq,DllRegisterServer
        3⤵
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3816
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn etaxgpukt /tr "regsvr32.exe -s \"\"" /SC ONCE /Z /ST 17:54 /ET 18:06
            5⤵
            • Creates scheduled task(s)
            PID:2536
  • \??\c:\windows\system32\regsvr32.exe
    regsvr32.exe -s ""
    1⤵
      PID:752

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\sdios\dswgc\dqlqv.doq
      MD5

      873e74b88e18c15365f236ac1f98e2e0

      SHA1

      aa43ad94aeb7800931206e733494148abfe39d3f

      SHA256

      7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023

      SHA512

      0bd59ab2bd699f7120ca32faacd72119f956ccb31f65b36a564b64d3503f1f983c5b1c08e8f6dc09e203e2b14e53685cb28b053b374b0b90019b3d4e396fc120

      Download Submit
    • \sdios\dswgc\dqlqv.doq
      MD5

      873e74b88e18c15365f236ac1f98e2e0

      SHA1

      aa43ad94aeb7800931206e733494148abfe39d3f

      SHA256

      7c16cd83d2c94fd23635df1e30d20f88a9a0359870a7d8e7cae03269f980f023

      SHA512

      0bd59ab2bd699f7120ca32faacd72119f956ccb31f65b36a564b64d3503f1f983c5b1c08e8f6dc09e203e2b14e53685cb28b053b374b0b90019b3d4e396fc120

      Download Submit
    • memory/8-13-0x0000000005E00000-0x0000000005E35000-memory.dmp
      Filesize

      212KB

      Download
    • memory/8-12-0x0000000005D70000-0x0000000005DB7000-memory.dmp
      Filesize

      284KB

      Download
    • memory/8-11-0x0000000004400000-0x0000000004401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/8-9-0x0000000000000000-mapping.dmp
      Download
    • memory/64-7-0x0000000000000000-mapping.dmp
      Download
    • memory/744-18-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-6-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-5-0x00007FFF6D370000-0x00007FFF6D9A7000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/744-4-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-3-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-2-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-19-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-20-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-21-0x00007FFF49320000-0x00007FFF49330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2536-15-0x0000000000000000-mapping.dmp
      Download
    • memory/3816-14-0x0000000000000000-mapping.dmp
      Download
    • memory/3816-16-0x0000000000840000-0x0000000000875000-memory.dmp
      Filesize

      212KB

      Download
    • memory/3816-17-0x0000000000840000-0x0000000000875000-memory.dmp
      Filesize

      212KB

      Download