Overview

overview

10

Static

static

9

736c373f09...c9.exe

windows7_x64

10

736c373f09...c9.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe

  • Size

    2.6MB

  • MD5

    7d05b151fd2b28582cfca8ca8ceaa58f

  • SHA1

    6d4d8baf550550ebd1e15f3b3a697f8516fe79cf

  • SHA256

    736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9

  • SHA512

    5e6b7105b5e36581a43b9d6e6e460c6ea08618a3b8fbad52f2aafdee4f4162dc40e6a723b03488dcf7f200ee251f3588c41cc41149739dfccc65988b29b77fb2

Score
10/10
qakbotspx1351591627649bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx135

Campaign

1591627649

C2

89.32.216.156:443

74.222.204.82:443

24.183.39.93:443

97.93.211.17:443

80.14.209.42:2222

96.35.170.82:2222

151.73.124.242:443

98.110.231.63:443

108.227.161.27:995

173.3.132.17:995

31.5.41.52:443

24.122.228.88:443

5.107.208.94:2222

76.185.136.58:443

50.29.166.232:995

73.210.114.187:443

92.114.107.193:995

24.43.22.220:993

50.247.230.33:995

72.142.106.198:465

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
    "C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe
      C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\736c373f09596e706dae01b4cb6a57647046f5047c8b67eb418d51b819a29ac9.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/632-60-0x0000000000000000-mapping.dmp
    Download
  • memory/956-57-0x0000000000000000-mapping.dmp
    Download
  • memory/956-59-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/1132-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-54-0x0000000075C71000-0x0000000075C73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1800-55-0x0000000000220000-0x0000000000257000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1800-56-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download