qakbot | 25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

Analysis

max time kernel
149s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DEBT_07854_06162020.vbs
Size

2.6MB
MD5

66222018f11f64892cf65efeaade4e51
SHA1

c9a4282e5ba84aaeb136bf47b8ae04185f32af86
SHA256

116905c43d121cc4e1fdaa9ef2e89bb2f83a4c89b5fb400024f94c5cb06b9b09
SHA512

1b1fe70395a322e8e7450e881cda37a58ff614146f1f7e66346b4e13bddad66c1a1f7b5f3f7c2aa81e6e58d1379fe9f00eb1f481250fba4af2c6015814e18980

Score

10^/10

qakbot spx142 1592381263 banker cryptone packer stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx142

Campaign

1592381263

173.175.29.210:443

201.248.102.4:2078

182.185.94.24:995

41.97.182.19:443

37.182.238.170:2222

193.248.44.2:2222

188.26.243.186:443

84.247.55.190:443

58.233.220.182:443

82.79.67.68:443

217.162.149.212:443

173.49.122.160:995

117.216.177.27:443

219.92.104.54:443

5.107.220.84:2222

96.41.93.96:443

122.147.204.4:443

117.199.5.99:443

68.60.221.169:465

78.96.192.26:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

CryptOne packer 9 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Churchill.exe	cryptone
\Users\Admin\AppData\Local\Temp\Churchill.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\Churchill.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\Churchill.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe	cryptone
\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe	cryptone
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe	cryptone

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

2 1480 WScript.exe
3 1480 WScript.exe
Executes dropped EXE 4 IoCs

Processes:

Churchill.exeChurchill.exevwjly.exevwjly.exe

pid process

1716 Churchill.exe
520 Churchill.exe
428 vwjly.exe
1164 vwjly.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation WScript.exe
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1480 WScript.exe
Loads dropped DLL 3 IoCs

Processes:

Churchill.exe

pid process

1716 Churchill.exe
1716 Churchill.exe
1716 Churchill.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Churchill.exeChurchill.exevwjly.exevwjly.exeexplorer.exe

pid process

1716 Churchill.exe
520 Churchill.exe
520 Churchill.exe
428 vwjly.exe
1164 vwjly.exe
1164 vwjly.exe
1916 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vwjly.exe

pid process

428 vwjly.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

1480 WScript.exe

flow	pid	process
2	1480	WScript.exe
3	1480	WScript.exe

pid	process
1716	Churchill.exe
520	Churchill.exe
428	vwjly.exe
1164	vwjly.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
1480	WScript.exe

pid	process
1716	Churchill.exe
1716	Churchill.exe
1716	Churchill.exe

pid	process
1096	schtasks.exe

pid	process
1716	Churchill.exe
520	Churchill.exe
520	Churchill.exe
428	vwjly.exe
1164	vwjly.exe
1164	vwjly.exe
1916	explorer.exe

pid	process
428	vwjly.exe

pid	process
1480	WScript.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Churchill.exevwjly.exe

description	pid	process	target process
PID 1716 wrote to memory of 520	1716	Churchill.exe	Churchill.exe
PID 1716 wrote to memory of 520	1716	Churchill.exe	Churchill.exe
PID 1716 wrote to memory of 520	1716	Churchill.exe	Churchill.exe
PID 1716 wrote to memory of 520	1716	Churchill.exe	Churchill.exe
PID 1716 wrote to memory of 428	1716	Churchill.exe	vwjly.exe
PID 1716 wrote to memory of 428	1716	Churchill.exe	vwjly.exe
PID 1716 wrote to memory of 428	1716	Churchill.exe	vwjly.exe
PID 1716 wrote to memory of 428	1716	Churchill.exe	vwjly.exe
PID 1716 wrote to memory of 1096	1716	Churchill.exe	schtasks.exe
PID 1716 wrote to memory of 1096	1716	Churchill.exe	schtasks.exe
PID 1716 wrote to memory of 1096	1716	Churchill.exe	schtasks.exe
PID 1716 wrote to memory of 1096	1716	Churchill.exe	schtasks.exe
PID 428 wrote to memory of 1164	428	vwjly.exe	vwjly.exe
PID 428 wrote to memory of 1164	428	vwjly.exe	vwjly.exe
PID 428 wrote to memory of 1164	428	vwjly.exe	vwjly.exe
PID 428 wrote to memory of 1164	428	vwjly.exe	vwjly.exe
PID 428 wrote to memory of 1916	428	vwjly.exe	explorer.exe
PID 428 wrote to memory of 1916	428	vwjly.exe	explorer.exe
PID 428 wrote to memory of 1916	428	vwjly.exe	explorer.exe
PID 428 wrote to memory of 1916	428	vwjly.exe	explorer.exe
PID 428 wrote to memory of 1916	428	vwjly.exe	explorer.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DEBT_07854_06162020.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Deletes itself
- Suspicious use of FindShellTrayWindow
PID:1480

C:\Users\Admin\AppData\Local\Temp\Churchill.exe
C:\Users\Admin\AppData\Local\Temp\Churchill.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\Churchill.exe
C:\Users\Admin\AppData\Local\Temp\Churchill.exe /C
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ifcdalrb /tr "\"C:\Users\Admin\AppData\Local\Temp\Churchill.exe\" /I ifcdalrb" /SC ONCE /Z /ST 07:25 /ET 07:37
2⤵
- Creates scheduled task(s)
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Churchill.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Churchill.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Churchill.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
\Users\Admin\AppData\Local\Temp\Churchill.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Isypdwvcrk\vwjly.exe
Filesize
2.6MB

MD5
5004555240fa78e8e49483e33f7550c0

SHA1
4d51367638800728b94af5ba0b6d364c407c7773

SHA256
382ae412ae682c0c1241c2bbafec413b0f9bb5829a68ec199399dcb38e9cf05c

SHA512
874d12561cb2164309e8916fe54bed93d0166d8c738cde87244a99280200dd8663a25282a6bf812f116ef8f5de75c5f8e9cbc8c7fba0e6197ebe09b5e695fa60

Download Submit
memory/428-66-0x0000000000000000-mapping.dmp

Download
memory/428-70-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/520-63-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1096-68-0x0000000000000000-mapping.dmp

Download
memory/1164-72-0x0000000000000000-mapping.dmp

Download
memory/1164-75-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1716-56-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/1716-55-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1716-57-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1916-76-0x0000000000000000-mapping.dmp

Download
memory/1916-78-0x0000000074641000-0x0000000074643000-memory.dmp

Filesize
8KB

Download
memory/1916-79-0x0000000000080000-0x00000000000BA000-memory.dmp

Filesize
232KB

Download
memory/1916-80-0x0000000000200000-0x0000000000233000-memory.dmp

Filesize
204KB

Download