Overview

overview

10

Static

static

f05334fea2...0f.exe

windows7-x64

10

f05334fea2...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe

  • Size

    520KB

  • MD5

    534394261be4f63a4b59501be880ee5d

  • SHA1

    2909b52711253adf9e475a0f4ba487402f634298

  • SHA256

    f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f

  • SHA512

    75b86c62eae4b76ec42c749805a9c27e10c78ff8332509b81688c34b5e1fa1fcb9174121415398595eb7aa60d8d9aab361dbd43f978c807dc433f485bd20b57b

Score
10/10
qakbothhh231554720361bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

322.742

Botnet

hhh23

Campaign

1554720361

Credentials

  • Protocol:     ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:     ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:     ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:     ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

184.186.76.228:80

65.153.32.170:443

65.116.179.83:443

100.16.222.65:443

148.240.66.99:6881

172.78.85.124:443

71.210.140.93:995

72.29.181.77:2078

162.237.221.101:443

70.105.162.74:995

192.198.85.26:443

24.73.69.42:443

190.120.196.18:995

67.202.178.142:443

208.69.72.135:2222

69.159.223.202:443

174.48.72.160:443

75.183.171.155:3389

81.103.144.77:443

76.27.113.181:995

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
    "C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe
      C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f05334fea2fbec8b2135752dc8f895f0290377d937cae28a10adc3eebe71cf0f.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\PING.EXE
        ping.exe -n 6 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/268-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1380-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1972-54-0x0000000075371000-0x0000000075373000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1972-55-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1972-59-0x0000000000320000-0x0000000000395000-memory.dmp
    Filesize

    468KB

    Download
  • memory/2004-60-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-66-0x0000000000380000-0x00000000003F5000-memory.dmp
    Filesize

    468KB

    Download