Overview

overview

10

Static

static

9

f13afe8343...8d.exe

windows7_x64

10

f13afe8343...8d.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    152s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe

  • Size

    2.2MB

  • MD5

    db8916ad4b0bd08a4acb74641e7baede

  • SHA1

    d1a5125d449c0dc8170bf2de72eff35228bb4eb3

  • SHA256

    f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d

  • SHA512

    48d268a4e5b9add0c67fdd29df269400fcc1f87cee77511a0601f65d9ee44dbb661076f63672c5b11d811967242ab64a7fa760a16385d4e4b86f529518bba1b6

Score
10/10
qakbotspx991587123128bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx99

Campaign

1587123128

C2

66.208.105.6:443

83.25.7.201:2222

68.134.181.98:443

108.190.151.108:2222

81.102.127.116:443

93.118.221.204:443

72.183.129.56:443

72.29.181.77:2222

96.35.170.82:2222

50.104.67.101:443

5.182.39.156:443

68.224.192.39:443

50.244.112.106:443

47.205.231.60:443

67.209.195.198:3389

47.146.169.85:443

86.124.13.55:443

108.30.161.143:443

75.87.161.32:995

67.131.59.17:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
    "C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe
      C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f13afe8343381ec04ff08b231b0fd9ccd2a3e11264fb651d5ae43945cc1dcc8d.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1628-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1628-56-0x0000000000220000-0x0000000000259000-memory.dmp
    Filesize

    228KB

    Download
  • memory/1628-57-0x0000000000400000-0x0000000000633000-memory.dmp
    Filesize

    2.2MB

    Download