Resubmissions

28-12-2022 20:37

221228-zea5taef5v 10

13-07-2021 12:27

210713-cvc55ag4yn 10

25-02-2021 06:56

210225-dwftz9jkjn 10

04-11-2019 11:15

191104-athqk1tjxn 10

Analysis

  • max time kernel
    18s
  • max time network
    18s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-07-2021 12:27

General

  • Target

    update2.exe

  • Size

    746KB

  • MD5

    0bfb4a1efbb20a7291fcc022dec7d58b

  • SHA1

    faec2a0afe296224f980ac059cf63f18eba800ce

  • SHA256

    73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f

  • SHA512

    eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425

Malware Config

Extracted

Family

qakbot

Version

323.91

Campaign

1572863946

Credentials

  • Protocol:
    ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    NxdkxAp4dUsY

  • Protocol:
    ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    EcOV0DyGVgVN

  • Protocol:
    ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    fcR7OvyLrMW6!

  • Protocol:
    ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    eQyicNLzzqPN
C2

112.171.126.153:443

67.200.146.98:2222

174.16.234.171:993

71.30.56.170:443

71.77.231.251:443

72.213.98.233:443

2.50.170.151:443

184.180.157.203:2222

96.35.170.82:2222

64.19.74.29:995

104.32.185.213:2222

104.3.91.20:995

173.22.120.11:2222

173.3.132.17:995

74.194.4.181:443

75.131.72.82:443

68.238.144.55:443

100.4.185.8:443

104.34.122.18:443

65.30.12.240:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\update2.exe
    "C:\Users\Admin\AppData\Local\Temp\update2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\update2.exe
      C:\Users\Admin\AppData\Local\Temp\update2.exe /C
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
    • C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Fbanaruzwge\umvur.exe /C
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:2096
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3920
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jzyymajt /tr "\"C:\Users\Admin\AppData\Local\Temp\update2.exe\" /I jzyymajt" /SC ONCE /Z /ST 14:34 /ET 14:46
      2⤵
      • Creates scheduled task(s)
      PID:2152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/532-116-0x0000000002330000-0x00000000023C2000-memory.dmp

    Filesize

    584KB

  • memory/532-114-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

  • memory/3920-133-0x00000000047C0000-0x0000000004801000-memory.dmp

    Filesize

    260KB

  • memory/3920-132-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB