Overview

overview

10

Static

static

9

9c76a29d93...fd.exe

windows7_x64

10

9c76a29d93...fd.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe

  • Size

    2.4MB

  • MD5

    0f72869956627879b0ae5bbf36458d4e

  • SHA1

    7d54df00b0132c05551f077cdd9264d1b9f5cbad

  • SHA256

    9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd

  • SHA512

    d6f1ec2c6a6bfbafed2190bfc5fb2907df4f3e824f9dcfcf1e924e9873ebd4d9665b10b64a7ba53088c90fe0266e424d9cc4f172653d96f852b8edbc86f21652

Score
10/10
qakbotspx911586271924bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.75

Botnet

spx91

Campaign

1586271924

C2

95.77.223.148:443

68.14.210.246:22

151.205.102.42:443

80.11.10.151:990

24.32.119.146:443

173.69.58.179:443

78.96.245.58:443

172.78.87.180:443

173.3.106.172:2222

207.144.193.210:443

47.134.5.231:443

72.142.106.198:465

108.56.213.203:443

172.251.50.199:443

74.109.200.208:443

108.227.161.27:995

98.13.0.128:443

79.113.219.121:443

84.247.55.190:443

80.14.209.42:2222

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe
    "C:\Users\Admin\AppData\Local\Temp\9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 320
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1476-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1476-56-0x0000000000220000-0x0000000000263000-memory.dmp
    Filesize

    268KB

    Download
  • memory/1476-57-0x0000000000400000-0x000000000066F000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/1556-59-0x0000000000870000-0x0000000000871000-memory.dmp
    Filesize

    4KB

    Download