Behavioral Report

max time kernel70s
max time network48s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 10:47

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

Filesize

2MB

Completed

21-05-2022 10:53

Task

behavioral1

Score

10^/10

MD5

7d05b151fd2b28582cfca8ca8ceaa58f

SHA1

6d4d8baf550550ebd1e15f3b3a697f8516fe79cf

SHA256

736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9

SHA256

5e6b7105b5e36581a43b9d6e6e460c6ea08618a3b8fbad52f2aafdee4f4162dc40e6a723b03488dcf7f200ee251f3588c41cc41149739dfccc65988b29b77fb2

qakbot spx135 1591627649 banker stealer trojan

Extracted

Family	qakbot
Version	324.142
Botnet	spx135
Campaign	1591627649
C2	89.32.216.156:443 74.222.204.82:443 24.183.39.93:443 97.93.211.17:443 80.14.209.42:2222 96.35.170.82:2222 151.73.124.242:443 98.110.231.63:443 108.227.161.27:995 173.3.132.17:995 31.5.41.52:443 24.122.228.88:443 5.107.208.94:2222 76.185.136.58:443 50.29.166.232:995 73.210.114.187:443 92.114.107.193:995 24.43.22.220:993 50.247.230.33:995 72.142.106.198:465 102.41.122.185:995 67.131.59.17:443 184.98.104.7:995 69.11.247.242:443 201.127.4.70:443 72.204.242.138:50003 189.231.198.212:443 5.14.44.173:2222 5.14.76.156:443 151.205.102.42:443 179.51.23.31:443 72.190.101.70:443 73.76.47.127:443 80.240.26.178:443 72.36.59.46:2222 73.209.113.58:443 68.49.120.179:443 69.92.54.95:995 187.19.151.218:995 50.244.112.10:443 66.222.88.126:995 207.255.161.8:32102 108.58.9.238:995 105.98.154.57:443 98.219.77.197:443 216.163.4.91:443 47.152.210.233:443 178.223.17.74:995 72.204.242.138:20 82.127.193.151:2222 50.91.171.137:443 172.242.80.243:443 189.163.110.244:443 108.30.125.94:443 104.50.141.139:995 73.94.229.115:443 67.83.54.76:2222 72.29.181.77:2078 188.24.102.178:443 66.68.22.151:443 24.122.157.93:443 72.204.242.138:53 172.87.134.226:443 118.160.164.140:443 173.49.122.160:995 71.187.170.235:443 134.0.196.46:995 75.81.25.223:443 92.17.167.87:2222 185.246.9.69:995 70.123.92.175:2222 82.37.242.8:443 108.51.73.186:443 137.99.222.152:443 100.38.164.182:443 75.137.239.211:443 24.43.22.220:995 24.99.180.247:443 96.56.237.174:993 72.204.242.138:80 79.114.196.97:443 72.204.242.138:443 72.240.245.253:443 24.202.42.48:2222 46.102.60.186:443 200.113.201.83:993 98.27.176.35:443 47.201.1.210:443 50.78.93.74:443 68.60.221.169:465 66.26.160.37:443 190.198.124.212:2078 65.131.83.170:995 50.244.112.106:443 72.204.242.138:32102 77.159.149.74:443 184.96.155.4:993 72.16.212.108:465 47.153.115.154:995 72.240.200.181:2222 24.46.40.189:2222 68.82.125.234:443 188.173.70.18:443 47.40.244.237:443 5.13.105.2:443 76.30.66.244:443 5.14.188.235:443 72.204.242.138:995 5.69.56.255:443 5.14.248.119:443 188.192.75.8:443 24.27.82.216:2222 98.118.156.172:443 189.236.218.181:443 72.204.242.138:2078 47.41.3.40:443 108.28.90.129:443 184.89.71.68:443 31.50.210.205:2222 95.76.27.89:443 207.255.161.8:443 149.71.50.158:443 98.222.23.221:443 96.56.237.174:32103 68.116.193.239:443 100.38.123.22:443 47.24.47.218:443 24.110.96.149:443 181.91.254.1:443 96.18.240.158:443 67.165.206.193:995 69.28.222.54:443 98.243.187.85:443 184.180.157.203:2222 47.136.224.60:443 73.90.4.146:443 207.255.161.8:2222 203.33.139.134:443 104.221.4.11:2222 72.228.3.116:443 72.209.191.27:443 97.127.136.28:0 108.45.29.12:443 2.89.100.34:443 64.19.74.29:995 208.82.44.203:443 199.247.16.80:443 199.247.22.145:443 89.43.108.19:443 71.182.142.63:443 89.32.216.156:443 74.222.204.82:443 24.183.39.93:443 97.93.211.17:443 80.14.209.42:2222 96.35.170.82:2222 151.73.124.242:443 98.110.231.63:443 108.227.161.27:995 173.3.132.17:995 31.5.41.52:443 24.122.228.88:443 5.107.208.94:2222 76.185.136.58:443 50.29.166.232:995 73.210.114.187:443 92.114.107.193:995 24.43.22.220:993 50.247.230.33:995 72.142.106.198:465 102.41.122.185:995 67.131.59.17:443 184.98.104.7:995 69.11.247.242:443 201.127.4.70:443 72.204.242.138:50003 189.231.198.212:443 5.14.44.173:2222 5.14.76.156:443 151.205.102.42:443 179.51.23.31:443 72.190.101.70:443 73.76.47.127:443 80.240.26.178:443 72.36.59.46:2222 73.209.113.58:443 68.49.120.179:443 69.92.54.95:995 187.19.151.218:995 50.244.112.10:443 66.222.88.126:995 207.255.161.8:32102 108.58.9.238:995 105.98.154.57:443 98.219.77.197:443 216.163.4.91:443 47.152.210.233:443 178.223.17.74:995 72.204.242.138:20 82.127.193.151:2222 50.91.171.137:443 172.242.80.243:443 189.163.110.244:443 108.30.125.94:443 104.50.141.139:995 73.94.229.115:443 67.83.54.76:2222 72.29.181.77:2078 188.24.102.178:443 66.68.22.151:443 24.122.157.93:443 72.204.242.138:53 172.87.134.226:443 118.160.164.140:443 173.49.122.160:995 71.187.170.235:443 134.0.196.46:995 75.81.25.223:443 92.17.167.87:2222 185.246.9.69:995 70.123.92.175:2222 82.37.242.8:443 108.51.73.186:443 137.99.222.152:443 100.38.164.182:443 75.137.239.211:443 24.43.22.220:995 24.99.180.247:443 96.56.237.174:993 72.204.242.138:80 79.114.196.97:443 72.204.242.138:443 72.240.245.253:443 24.202.42.48:2222 46.102.60.186:443 200.113.201.83:993 98.27.176.35:443 47.201.1.210:443 50.78.93.74:443 68.60.221.169:465 66.26.160.37:443 190.198.124.212:2078 65.131.83.170:995 50.244.112.106:443 72.204.242.138:32102 77.159.149.74:443 184.96.155.4:993 72.16.212.108:465 47.153.115.154:995 72.240.200.181:2222 24.46.40.189:2222 68.82.125.234:443 188.173.70.18:443 47.40.244.237:443 5.13.105.2:443 76.30.66.244:443 5.14.188.235:443 72.204.242.138:995 5.69.56.255:443 5.14.248.119:443 188.192.75.8:443 24.27.82.216:2222 98.118.156.172:443 189.236.218.181:443 72.204.242.138:2078 47.41.3.40:443 108.28.90.129:443 184.89.71.68:443 31.50.210.205:2222 95.76.27.89:443 207.255.161.8:443 149.71.50.158:443 98.222.23.221:443 96.56.237.174:32103 68.116.193.239:443 100.38.123.22:443 47.24.47.218:443 24.110.96.149:443 181.91.254.1:443 96.18.240.158:443 67.165.206.193:995 69.28.222.54:443 98.243.187.85:443 184.180.157.203:2222 47.136.224.60:443 73.90.4.146:443 207.255.161.8:2222 203.33.139.134:443 104.221.4.11:2222 72.228.3.116:443 72.209.191.27:443 97.127.136.28:0 108.45.29.12:443 2.89.100.34:443 64.19.74.29:995 208.82.44.203:443 199.247.16.80:443 199.247.22.145:443 89.43.108.19:443 71.182.142.63:443

Discovery

Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities.

Tags

trojan banker stealer qakbot
Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery
Runs ping.exe
PING.EXE

TTPs

Remote System Discovery

Reported IOCs

pid process

1132 PING.EXE

pid	process
1132	PING.EXE

Suspicious behavior: EnumeratesProcesses

736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

Reported IOCs

pid	process
1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
956	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
956	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

Suspicious use of WriteProcessMemory

736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.execmd.exe

Reported IOCs

description	pid	process	target process
PID 1800 wrote to memory of 956	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
PID 1800 wrote to memory of 956	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
PID 1800 wrote to memory of 956	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
PID 1800 wrote to memory of 956	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
PID 1800 wrote to memory of 632	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	cmd.exe
PID 1800 wrote to memory of 632	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	cmd.exe
PID 1800 wrote to memory of 632	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	cmd.exe
PID 1800 wrote to memory of 632	1800	736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe	cmd.exe
PID 632 wrote to memory of 1132	632	cmd.exe	PING.EXE
PID 632 wrote to memory of 1132	632	cmd.exe	PING.EXE
PID 632 wrote to memory of 1132	632	cmd.exe	PING.EXE
PID 632 wrote to memory of 1132	632	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

"C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:1800

C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe /C

Suspicious behavior: EnumeratesProcesses

PID:956

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"

Suspicious use of WriteProcessMemory

PID:632

C:\Windows\SysWOW64\PING.EXE

ping.exe -n 6 127.0.0.1

Runs ping.exe

PID:1132

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/632-60-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-59-0x0000000000400000-0x000000000069F000-memory.dmp

Download
memory/1132-61-0x0000000000000000-mapping.dmp

Download
memory/1800-55-0x0000000000220000-0x0000000000257000-memory.dmp

Download
memory/1800-56-0x0000000000400000-0x000000000069F000-memory.dmp

Download
memory/1800-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Description

TTPs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Title