Overview

overview

10

Static

static

9

ff37a6c3a4...6c.exe

windows7_x64

10

ff37a6c3a4...6c.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    71s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe

  • Size

    2.2MB

  • MD5

    e4c2bff686969ea9d59d708c90b9f2c6

  • SHA1

    d3a95ed1c15b5cd13ddaa99a4ccefac61f8296e2

  • SHA256

    ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c

  • SHA512

    4d7dce524737e318ddea1d35a32705960095d994a16a480dba34dc6ea69b36cf7caa374f3beb350fc203582821d1db66f528e6bd5b47565af2cbd3ac1e583c3e

Score
10/10
qakbotspx991587123128bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx99

Campaign

1587123128

C2

66.208.105.6:443

83.25.7.201:2222

68.134.181.98:443

108.190.151.108:2222

81.102.127.116:443

93.118.221.204:443

72.183.129.56:443

72.29.181.77:2222

96.35.170.82:2222

50.104.67.101:443

5.182.39.156:443

68.224.192.39:443

50.244.112.106:443

47.205.231.60:443

67.209.195.198:3389

47.146.169.85:443

86.124.13.55:443

108.30.161.143:443

75.87.161.32:995

67.131.59.17:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe
    "C:\Users\Admin\AppData\Local\Temp\ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe
      C:\Users\Admin\AppData\Local\Temp\ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\ff37a6c3a4b5fbf3a25504f2ff6ffa37e1c4c26b606db769d0e09fb7ac041a6c.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1680-58-0x0000000000400000-0x0000000000633000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/2036-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-55-0x00000000001B0000-0x00000000001E9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2036-56-0x0000000000400000-0x0000000000633000-memory.dmp
    Filesize

    2.2MB

    Download