Overview

overview

10

Static

static

Compliance...5.html

windows7-x64

1

Compliance...5.html

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2022 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ComplianceReportCopy#1895.html

  • Size

    948KB

  • MD5

    fc215315429a2e75ed87b7bb0003ae03

  • SHA1

    09226ca97e186af4eb6d10a4f0487aed35e1bf00

  • SHA256

    e03a155f5d48ed8f464d85fd9195e66466cd83904326b381d56c7e75f964493f

  • SHA512

    819596fdc26d753f151021277fd01104d1e273c03e52573a565ec2a987bc83d4f3582f0dda3f5a4d239a0203bf1dbd5898c8db5c9cb6c84507304bbe734ac857

  • SSDEEP

    12288:Eeu/HcqMiBik2duJteYCG5nZaH0RM4gY9OJ9LWE91BdXU68O0DN+eSM06c51KdKl:lwH4BFetJZuVk9OJ9L/Bdk610B506ql

Score
10/10
qakbotobama2161666689942bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

obama216

Campaign

1666689942

C2

24.116.45.121:443

24.206.27.39:443

71.199.168.185:443

70.115.104.126:443

190.24.45.24:995

24.9.220.167:443

68.62.199.70:443

43.241.159.238:443

113.162.196.232:443

156.217.60.239:995

197.204.70.167:443

197.202.196.43:443

24.130.228.100:443

41.109.228.108:995

64.123.103.123:443

190.193.180.228:443

24.177.111.153:443

60.54.65.27:443

189.129.38.158:2222

206.1.164.250:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\ComplianceReportCopy#1895.html
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\AppData\Local\Temp\ComplianceReportCopy#1895.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.0.1345252783\366883094" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 1764 gpu
        3⤵
          PID:1280
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.3.1777550678\850897927" -childID 1 -isForBrowser -prefsHandle 2532 -prefMapHandle 2524 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 2456 tab
          3⤵
            PID:3436
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.13.320831\1313000310" -childID 2 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 897 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3024 tab
            3⤵
              PID:4264
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4956.20.1844068975\417675187" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4956 "\\.\pipe\gecko-crash-server-pipe.4956" 3824 tab
              3⤵
                PID:4420
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:4876
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c standby\prefixes.cmd regs
              1⤵
              • Enumerates connected drives
              PID:4180
              • C:\Users\Admin\AppData\Local\Temp\aloofnessQuell.com
                C:\Users\Admin\AppData\Local\Temp\\aloofnessQuell.com standby\fine.dat
                2⤵
                • Executes dropped EXE
                PID:1132
                • C:\Windows\SysWOW64\regsvr32.exe
                  standby\fine.dat
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:4032
                  • C:\Windows\SysWOW64\wermgr.exe
                    C:\Windows\SysWOW64\wermgr.exe
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2280

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            Peripheral Device Discovery

            1
            T1120

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\aloofnessQuell.com
              Filesize

              24KB

              MD5

              b0c2fa35d14a9fad919e99d9d75e1b9e

              SHA1

              8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

              SHA256

              022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

              SHA512

              a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

              Download Submit
            • memory/1132-132-0x0000000000000000-mapping.dmp
              Download
            • memory/2280-138-0x0000000000000000-mapping.dmp
              Download
            • memory/2280-140-0x0000000000550000-0x0000000000579000-memory.dmp
              Filesize

              164KB

              Download
            • memory/2280-141-0x0000000000550000-0x0000000000579000-memory.dmp
              Filesize

              164KB

              Download
            • memory/4032-134-0x0000000000000000-mapping.dmp
              Download
            • memory/4032-135-0x0000000003200000-0x0000000003229000-memory.dmp
              Filesize

              164KB

              Download
            • memory/4032-136-0x00000000031A0000-0x00000000031C9000-memory.dmp
              Filesize

              164KB

              Download
            • memory/4032-137-0x0000000003200000-0x0000000003229000-memory.dmp
              Filesize

              164KB

              Download
            • memory/4032-139-0x0000000003200000-0x0000000003229000-memory.dmp
              Filesize

              164KB

              Download