Overview

overview

10

Static

static

362e568558...f5.msi

windows7-x64

10

362e568558...f5.msi

windows10-2004-x64

10

Resubmissions

15-07-2022 15:01

220715-sd2g2sbeg4 10

13-07-2022 23:35

220713-3kzl5sfee4 10

Analysis

  • max time kernel
    300s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • resource tags

    arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2022 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi

  • Size

    676KB

  • MD5

    a0d132cdc67c29abf79ecf455c4a4e25

  • SHA1

    2b278de35e52d695b27e1c880d35db04daa982bf

  • SHA256

    362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5

  • SHA512

    645d2e3a168667de44d04756f48fe1d7d6581efc0755dccd72f6e09e603300783777b3b3376bb0d2bfab4c1ad3d239845eb606acffc3ea4ea4261d451c427ddf

Score
10/10
qakbotvip011657721813bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

vip01

Campaign

1657721813

C2

67.209.195.198:443

63.143.92.99:995

148.64.96.100:443

72.252.157.93:990

72.252.157.93:995

89.101.97.139:443

76.25.142.196:443

47.180.172.159:443

67.165.206.193:993

32.221.224.140:995

70.46.220.114:443

176.45.218.138:995

174.69.215.101:443

24.54.48.11:443

86.97.10.37:443

81.158.239.251:2078

37.34.253.233:443

120.150.218.241:995

186.90.153.162:2222

38.70.253.226:2222
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1672
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:04 /tn kjdfaqvvkv /ET 17:15 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
            5⤵
            • Creates scheduled task(s)
            PID:316
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:1016
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:844
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000240" "00000000000004AC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1348
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {871882CD-646B-44C1-B072-CAA9A065BC6A} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              5⤵
              • Modifies data under HKEY_USERS
              PID:1640

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      589c442fc7a0c70dca927115a700d41e

      SHA1

      66a07dace3afbfd1aa07a47e6875beab62c4bb31

      SHA256

      2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

      SHA512

      1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      80f60e8179d5162c54af67174cba0260

      SHA1

      eac2c19aabdfbf72100de39bb211709a93920a43

      SHA256

      e5f4befdd51d28fe06ef780327a693402ecf17e903fac09fcc09c42ad5f83886

      SHA512

      eda44da8fa44347998be94417f530fd48a78e38310aabddc90d14f449f2dfb5754af89739b2df7df836339102ca002c68cfc86e443efc95b74b35f66d1742f0e

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      1.3MB

      MD5

      2fce945f0621e3812618f55c4a3926e9

      SHA1

      65aa7e9e33d25ee812e9ac86f45488c6c531d9ad

      SHA256

      c7dfc591c7dc5371c60bd0fb1cc7ca2c14dd630a0e7272b4fac98e8d2ee5567a

      SHA512

      95a6c8761952b43c238094fba672c0c15d011ff0af69b5100b37a52ab9b00f355337a15787fea95bd31038a4dff5a1cdfeffa70b006849f66027dcd72f2b1614

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      1.3MB

      MD5

      2fce945f0621e3812618f55c4a3926e9

      SHA1

      65aa7e9e33d25ee812e9ac86f45488c6c531d9ad

      SHA256

      c7dfc591c7dc5371c60bd0fb1cc7ca2c14dd630a0e7272b4fac98e8d2ee5567a

      SHA512

      95a6c8761952b43c238094fba672c0c15d011ff0af69b5100b37a52ab9b00f355337a15787fea95bd31038a4dff5a1cdfeffa70b006849f66027dcd72f2b1614

      Download Submit
    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

      Download Submit
    • \??\PIPE\wkssvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      1.3MB

      MD5

      2fce945f0621e3812618f55c4a3926e9

      SHA1

      65aa7e9e33d25ee812e9ac86f45488c6c531d9ad

      SHA256

      c7dfc591c7dc5371c60bd0fb1cc7ca2c14dd630a0e7272b4fac98e8d2ee5567a

      SHA512

      95a6c8761952b43c238094fba672c0c15d011ff0af69b5100b37a52ab9b00f355337a15787fea95bd31038a4dff5a1cdfeffa70b006849f66027dcd72f2b1614

      Download Submit
    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll
      Filesize

      1.3MB

      MD5

      2fce945f0621e3812618f55c4a3926e9

      SHA1

      65aa7e9e33d25ee812e9ac86f45488c6c531d9ad

      SHA256

      c7dfc591c7dc5371c60bd0fb1cc7ca2c14dd630a0e7272b4fac98e8d2ee5567a

      SHA512

      95a6c8761952b43c238094fba672c0c15d011ff0af69b5100b37a52ab9b00f355337a15787fea95bd31038a4dff5a1cdfeffa70b006849f66027dcd72f2b1614

      Download Submit
    • memory/316-78-0x0000000000000000-mapping.dmp
      Download
    • memory/776-85-0x0000000000000000-mapping.dmp
      Download
    • memory/820-77-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/820-79-0x0000000000080000-0x00000000000A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/820-74-0x0000000074441000-0x0000000074443000-memory.dmp
      Filesize

      8KB

      Download
    • memory/820-72-0x0000000000000000-mapping.dmp
      Download
    • memory/900-96-0x00000000002E0000-0x0000000000302000-memory.dmp
      Filesize

      136KB

      Download
    • memory/900-90-0x0000000000000000-mapping.dmp
      Download
    • memory/900-93-0x0000000000BE0000-0x0000000000D26000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/900-94-0x00000000002E0000-0x0000000000302000-memory.dmp
      Filesize

      136KB

      Download
    • memory/900-95-0x00000000002E0000-0x0000000000302000-memory.dmp
      Filesize

      136KB

      Download
    • memory/900-97-0x0000000000200000-0x0000000000222000-memory.dmp
      Filesize

      136KB

      Download
    • memory/900-98-0x00000000002E0000-0x0000000000302000-memory.dmp
      Filesize

      136KB

      Download
    • memory/900-102-0x00000000002E0000-0x0000000000302000-memory.dmp
      Filesize

      136KB

      Download
    • memory/952-88-0x0000000001044000-0x0000000001047000-memory.dmp
      Filesize

      12KB

      Download
    • memory/952-80-0x0000000000000000-mapping.dmp
      Download
    • memory/952-82-0x000007FEF3EE0000-0x000007FEF4903000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/952-83-0x000007FEF3380000-0x000007FEF3EDD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/952-84-0x0000000001044000-0x0000000001047000-memory.dmp
      Filesize

      12KB

      Download
    • memory/952-89-0x000000000104B000-0x000000000106A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1016-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1140-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-64-0x00000000753B1000-0x00000000753B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1612-70-0x00000000001F0000-0x0000000000212000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-69-0x00000000003A0000-0x00000000003C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-68-0x00000000003A0000-0x00000000003C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-67-0x00000000003A0000-0x00000000003C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-66-0x0000000000591000-0x000000000068E000-memory.dmp
      Filesize

      1012KB

      Download
    • memory/1612-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-71-0x00000000003A0000-0x00000000003C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1612-76-0x00000000003A0000-0x00000000003C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1640-99-0x0000000000000000-mapping.dmp
      Download
    • memory/1640-103-0x00000000000C0000-0x00000000000E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1640-104-0x00000000000C0000-0x00000000000E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1672-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
      Filesize

      8KB

      Download