qakbot | f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30

Analysis

max time kernel
61s
max time network
43s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
Size

717KB
MD5

4b6accb73061345ed143f01d6199fc95
SHA1

4c157859670b75b6abc5a09715a0ff0b7f028f55
SHA256

f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30
SHA512

8fd4948a04a0a5f74ee6b74599bc3a1840d8e1369bf436eb9f854d611e9a0ce60d5a8fa5b4775c916cfb7f6db04c437b2cff18355e354ae590405349629aa68c

Score

10^/10

qakbot spx35 1573827297 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.91

Botnet

spx35

Campaign

1573827297

71.77.231.251:443

76.116.128.81:443

108.5.34.128:443

75.110.90.155:443

181.126.80.118:443

62.103.70.217:995

207.237.1.152:443

47.202.98.230:443

63.224.81.92:995

74.33.70.14:443

81.103.144.77:443

75.142.59.167:443

104.173.119.54:2222

190.198.47.65:443

72.255.200.129:2222

73.137.187.150:443

24.203.221.252:2222

71.182.142.63:443

72.142.106.198:465

173.52.119.247:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1136 PING.EXE

pid	process
1136	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exef28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe

pid	process
620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
1336	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
1336	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.execmd.exe

description	pid	process	target process
PID 620 wrote to memory of 1336	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
PID 620 wrote to memory of 1336	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
PID 620 wrote to memory of 1336	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
PID 620 wrote to memory of 1336	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
PID 620 wrote to memory of 2004	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	cmd.exe
PID 620 wrote to memory of 2004	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	cmd.exe
PID 620 wrote to memory of 2004	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	cmd.exe
PID 620 wrote to memory of 2004	620	f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe	cmd.exe
PID 2004 wrote to memory of 1136	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1136	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1136	2004	cmd.exe	PING.EXE
PID 2004 wrote to memory of 1136	2004	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
"C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe
C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\f28ce294538fb56d8aff8077b149541bea56d8166d84c6e79cd0d9903f566b30.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1136

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-54-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/620-55-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/620-56-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1136-68-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1336-66-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/2004-67-0x0000000000000000-mapping.dmp

Download