Overview

overview

10

Static

static

9

b0d7b1ec0c...9a.exe

windows7_x64

10

b0d7b1ec0c...9a.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    135s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe

  • Size

    2.3MB

  • MD5

    fabbf0b8f976f393fd0438a61532a3f6

  • SHA1

    b8d59be52e7c6c9eaf35b95790703354541ae2b6

  • SHA256

    b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a

  • SHA512

    005bc63e68519c60c64a0618d024fda412b0672918b9b1f8138773f6074b5239cf0bbb8eb54d24637835572707dbc5e38d48158605ef9726476c54fe5cee7376

Score
10/10
qakbotspx971586971769bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.127

Botnet

spx97

Campaign

1586971769

C2

72.214.55.147:995

78.96.64.230:443

100.38.123.22:443

47.205.231.60:443

185.145.113.249:443

72.16.212.107:465

94.52.124.226:443

72.255.200.69:2222

73.56.2.167:443

67.249.222.14:443

71.58.21.235:443

79.113.193.29:443

96.35.170.82:2222

76.111.128.194:443

181.126.86.223:443

67.209.195.198:3389

47.146.169.85:443

47.39.76.74:443

67.131.59.17:443

71.11.209.101:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
    "C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe
      C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b0d7b1ec0cc40ce002fb52897af55d610da875792d57d3714caa01255c06d89a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/832-53-0x0000000076151000-0x0000000076153000-memory.dmp
    Filesize

    8KB

    Download
  • memory/832-54-0x0000000000220000-0x0000000000259000-memory.dmp
    Filesize

    228KB

    Download
  • memory/832-55-0x0000000000400000-0x0000000000647000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/1352-57-0x0000000000400000-0x0000000000647000-memory.dmp
    Filesize

    2.3MB

    Download