Overview

overview

10

Static

static

hola.html

windows7-x64

1

hola.html

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2022 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hola.html

  • Size

    792KB

  • MD5

    f8463962698412317442b7fec3e90e50

  • SHA1

    db969a6149e6e7346c18f56430b6d12fffc5ffc8

  • SHA256

    d2520eaede1f6f07a4e8d23607a5786f7e7290f30afaae3bbae0d3784a41bfbd

  • SHA512

    94715707aed563a2c128f98b83f4265a4ff376b863bc87e46d6f623ac829ff157557338c8c7645e8ad4c28a29f102dc657e61e8ea448cbfeb2d4c2822cc30704

  • SSDEEP

    12288:+73GOdabXoA27IkrwQql0tfCal/ApRt9IGase9CIZZl7X6bfEogvSeOxjKWE0:+7uXG7qQJFC93gzCSIfRU6+Wf

Score
10/10
qakbotbb1664184863bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.895

Botnet

BB

Campaign

1664184863

C2

197.204.227.155:443

123.23.64.230:443

173.218.180.91:443

111.125.157.230:443

70.49.33.200:2222

149.28.38.16:995

86.132.13.105:2078

149.28.38.16:443

45.77.159.252:995

45.77.159.252:443

149.28.63.197:995

144.202.15.58:443

45.63.10.144:443

45.63.10.144:995

149.28.63.197:443

144.202.15.58:995

39.121.226.109:443

177.255.14.99:995

134.35.10.30:443

99.232.140.205:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hola.html
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4120
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4952
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "E:\banners\womanizedBarnstormers.js"
      1⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""E:\banners\mentallyRedeemers.cmd" svr"
        2⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\system32\regsvr32.exe
          regsvr32 banners\rescales.db
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Windows\SysWOW64\regsvr32.exe
            banners\rescales.db
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4460
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              5⤵
                PID:2328
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "E:\banners\womanizedBarnstormers.js"
        1⤵
        • Checks computer location settings
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:3348
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""E:\banners\mentallyRedeemers.cmd" svr"
          2⤵
          • Enumerates connected drives
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\system32\regsvr32.exe
            regsvr32 banners\rescales.db
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2012
            • C:\Windows\SysWOW64\regsvr32.exe
              banners\rescales.db
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Windows\SysWOW64\wermgr.exe
                C:\Windows\SysWOW64\wermgr.exe
                5⤵
                  PID:1308

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          ec21d7b0db946b7ecab4c4ead789e338

          SHA1

          b708c1a90566be72204ed5340bd05d7224e51403

          SHA256

          e15133cd7594e706cf5141df1a4780c26e101c85c68262346f91b38d546cd47e

          SHA512

          d34772501233d31566db776e19b58a4d5b0ee4a76613ac0e9960edaf42bcda35af3d83592f71cb53a1ef9f428ea6e67e0624bd1c84d29f04c7a360ffbc03d1fc

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          f83d47b08f83acd1b6a3ada082f4691b

          SHA1

          ea13007274bfbf140412c836824e4026b7adb41b

          SHA256

          e14306b1f946ad498b8d08e10830abc56b67a4952a3c173bb724710f911e6722

          SHA512

          a78b00ac62fac746e1da2daad9e9aebbdcecd0dc7bfe3aee55a46021bc6c9c006de0b30429a68dcc6900b83e1e03a25404c4bec296e646c99182353c39b12eef

          Download Submit

        • C:\Users\Admin\Downloads\Art#1015(Sept2622).zip.l4m598k.partial
          Filesize

          592KB

          MD5

          b09e1bbe558cd40e3b34fd486d06aaa2

          SHA1

          e1c8c0ff40cf05c4065363cfa29cfe9b02525794

          SHA256

          684d62ff07a87386bc347bedd988b89b3f15866b91cd4912666447e807adcc1f

          SHA512

          bae625a452f234ac0fd50eead983f994b6a3a4631089cf5e230745c895433b9eb2c2f3d93b4e603ca20f342e696d29221cda1f4695119a710985fbd23044929c

          Download Submit

        • memory/1308-154-0x0000000000000000-mapping.dmp

          Download

        • memory/1308-156-0x0000000000340000-0x0000000000362000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1472-152-0x0000000002760000-0x00000000027A1000-memory.dmp

          Filesize

          260KB

          Download

        • memory/1472-155-0x00000000027D0000-0x00000000027F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1472-153-0x00000000027D0000-0x00000000027F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1472-151-0x00000000027D0000-0x00000000027F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1472-149-0x0000000000000000-mapping.dmp

          Download

        • memory/1472-150-0x0000000002050000-0x0000000002168000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2012-148-0x0000000000000000-mapping.dmp

          Download

        • memory/2328-144-0x0000000000000000-mapping.dmp

          Download

        • memory/2328-145-0x0000000000F50000-0x0000000000F72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3636-139-0x0000000000000000-mapping.dmp

          Download

        • memory/4368-138-0x0000000000000000-mapping.dmp

          Download

        • memory/4460-140-0x0000000000000000-mapping.dmp

          Download

        • memory/4460-146-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4460-143-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4460-142-0x0000000002B30000-0x0000000002B71000-memory.dmp

          Filesize

          260KB

          Download

        • memory/4460-141-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4672-147-0x0000000000000000-mapping.dmp

          Download