Overview

overview

10

Static

static

9

a2e6326628...17.exe

windows7_x64

10

a2e6326628...17.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe

  • Size

    2.1MB

  • MD5

    89219389c1102eed2efbd47a9f7f5390

  • SHA1

    4f50fad9b879360a6164628569a7a404ce058142

  • SHA256

    a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517

  • SHA512

    49ed40619937f22922562c325ce0e679e295b75ec6297ffc2fe106fa63c882905153a854a70a1310e279842d1508ca028b0bcaf9b78b739aadcc411202cdc2f6

Score
10/10
qakbotspx911586264831bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.75

Botnet

spx91

Campaign

1586264831

C2

100.38.123.22:443

72.16.212.107:465

65.131.79.162:995

65.96.36.157:443

24.61.47.73:443

73.192.209.168:443

93.114.89.119:995

71.58.21.235:443

68.174.9.179:443

73.137.187.150:443

71.178.38.101:443

50.29.181.193:995

31.5.189.71:443

68.49.120.179:443

24.203.36.180:2222

81.102.127.116:443

86.106.126.189:443

68.224.192.39:443

184.21.151.81:995

173.175.29.210:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe
    "C:\Users\Admin\AppData\Local\Temp\a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe
      C:\Users\Admin\AppData\Local\Temp\a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\a2e6326628b67563b1fde916775f1cf450aae991dd7093504ce0da40d4ccc517.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1636-58-0x0000000000400000-0x0000000000611000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/2024-54-0x00000000751B1000-0x00000000751B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2024-55-0x00000000001C0000-0x00000000001F9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/2024-57-0x0000000000400000-0x0000000000611000-memory.dmp
    Filesize

    2.1MB

    Download