Resubmissions

15-07-2022 15:01

220715-sd2g2sbeg4 10

13-07-2022 23:35

220713-3kzl5sfee4 10

Analysis

  • max time kernel
    299s
  • max time network
    283s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-07-2022 15:01

General

  • Target

    362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi

  • Size

    676KB

  • MD5

    a0d132cdc67c29abf79ecf455c4a4e25

  • SHA1

    2b278de35e52d695b27e1c880d35db04daa982bf

  • SHA256

    362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5

  • SHA512

    645d2e3a168667de44d04756f48fe1d7d6581efc0755dccd72f6e09e603300783777b3b3376bb0d2bfab4c1ad3d239845eb606acffc3ea4ea4261d451c427ddf

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

vip01

Campaign

1657721813

C2

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Blocklisted process makes network request (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Windows directory (8 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 8 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS (51 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\362e56855844fb2be3dfae4b566ab676f6ec681fad1c1a2e8eb6d245d56b83f5.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1180
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:988
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
      PID:4628
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:04 /tn hodqehtlb /ET 17:15 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
            5⤵
            • Creates scheduled task(s)
            PID:4812
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4936
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4364
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies data under HKEY_USERS
          PID:1828

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Discovery: Query Registry (3) T1012; Peripheral Device Discovery (2) T1120; System Information Discovery (3) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
    Filesize 727B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize 727B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
    Filesize 408B
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize 412B
  • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    Filesize 1.3MB
  • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
    Filesize 68B
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize 23.0MB
  • \??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{53e9cfab-6a5c-4e75-8f3b-d1075e64c696}_OnDiskSnapshotProp
    Filesize 5KB