Analysis

  • max time kernel
    155s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 12:20

General

  • Target

    9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe

  • Size

    2.4MB

  • MD5

    0f72869956627879b0ae5bbf36458d4e

  • SHA1

    7d54df00b0132c05551f077cdd9264d1b9f5cbad

  • SHA256

    9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd

  • SHA512

    d6f1ec2c6a6bfbafed2190bfc5fb2907df4f3e824f9dcfcf1e924e9873ebd4d9665b10b64a7ba53088c90fe0266e424d9cc4f172653d96f852b8edbc86f21652

Malware Config

  • Extracted
  • Family
    qakbot
  • Version
    324.75
  • Botnet
    spx91
  • Campaign
    1586271924
  • C2


Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe
    "C:\Users\Admin\AppData\Local\Temp\9c76a29d9349d21165a916b11ded6139a3cc066d3c59880a5b9016d42ea948fd.exe"
    1⤵
      PID:2464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 628
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2464 -ip 2464
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:1864
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:3884
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3660

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Discovery
        • Query Registry (2) T1012
        • System Information Discovery (2) T1082


    Downloads

    • memory/2464-130-0x00000000023B0000-0x00000000023F3000-memory.dmp
      Filesize: 268KB
    • memory/2464-131-0x0000000000400000-0x000000000066F000-memory.dmp
      Filesize: 2.4MB