qakbot | 5c203f506be189f0339780ab75e52ab07afdd81c7b257ac04cab8648c911a6d5

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Calculation.lnk
Size

1KB
MD5

9ff4d8fdc5288f2c110d40c80c4dcc25
SHA1

522c827b70102c114c3efbe0e8dacf71ca7ce2b5
SHA256

6bcfce0c879a9fb19af5860fc8cad59149dbfe003e6b330f04ee25fd37554ee4
SHA512

563faf37901162d8e79efcbe94db9123a2e1987e2f1cf22fa9e47722ca019736422c1c1d4fceb14a9f31102acbaf3cba6bf96a83e4f7d6a9ad0b6a077ecf9c00

Score

10^/10

qakbot obama214 1666019778 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama214

Campaign

1666019778

105.96.221.136:443

37.37.80.2:3389

105.154.56.232:995

41.107.116.19:443

105.103.52.189:443

159.192.204.135:443

41.107.58.251:443

177.152.65.142:443

102.47.218.41:443

176.45.35.243:443

70.173.248.13:443

102.159.77.134:995

220.123.29.76:443

82.12.196.197:443

103.156.237.71:443

149.126.159.254:443

176.44.119.153:443

181.56.171.3:995

190.205.229.67:2222

151.251.50.117:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
1184	mb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1116	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	regsvr32.exe
1568	regsvr32.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe
216	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1568	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4960	2264	cmd.exe	85
PID 2264 wrote to memory of 4960	2264	cmd.exe	85
PID 4960 wrote to memory of 1184	4960	cmd.exe	86
PID 4960 wrote to memory of 1184	4960	cmd.exe	86
PID 1184 wrote to memory of 1568	1184	mb.exe	87
PID 1184 wrote to memory of 1568	1184	mb.exe	87
PID 1184 wrote to memory of 1568	1184	mb.exe	87
PID 1568 wrote to memory of 216	1568	regsvr32.exe	88
PID 1568 wrote to memory of 216	1568	regsvr32.exe	88
PID 1568 wrote to memory of 216	1568	regsvr32.exe	88
PID 1568 wrote to memory of 216	1568	regsvr32.exe	88
PID 1568 wrote to memory of 216	1568	regsvr32.exe	88
PID 4960 wrote to memory of 1116	4960	cmd.exe	89
PID 4960 wrote to memory of 1116	4960	cmd.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Calculation.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vertices\asteroidal.cmd regsvr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\mb.exe
    C:\Users\Admin\AppData\Local\Temp\mb.exe vertices\bombshell.asc
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\regsvr32.exe
      vertices\bombshell.asc
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mb.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
memory/216-139-0x0000000000A00000-0x0000000000A29000-memory.dmp

Filesize
164KB

Download
memory/216-142-0x0000000000A00000-0x0000000000A29000-memory.dmp

Filesize
164KB

Download
memory/1568-136-0x00000000016C0000-0x00000000016EC000-memory.dmp

Filesize
176KB

Download
memory/1568-137-0x0000000002D10000-0x0000000002D39000-memory.dmp

Filesize
164KB

Download
memory/1568-140-0x0000000002D10000-0x0000000002D39000-memory.dmp

Filesize
164KB

Download