qakbot | 11d68ac0b4a4d3751af85e834d86c949d01e83ab13f56ccf91f45b60dce77771

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 17:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Details.lnk
Size

1KB
MD5

42e2185e08761d42775f2a89aaf827fd
SHA1

0c276a0dc6c1a35270123cdd97f504de5ebb40ce
SHA256

cb5e60973a355414dbe266f111e597afeaa0f92e44409c87dcb5facae1828594
SHA512

c4ec4227e01fea963d8f0b9b0ae776e22b76980b607267bbd6e58a75e80f7d7768fbfa920a4756543c025e324806c275597c26b8e3702e4ef09fd6ce47f6434b

Score

10^/10

qakbot bb04 1666776497 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

BB04

Campaign

1666776497

197.204.53.242:443

83.244.63.21:443

27.110.134.202:995

173.49.74.62:443

181.164.194.228:443

24.116.45.121:443

41.47.249.185:443

24.206.27.39:443

113.183.223.8:443

186.188.80.134:443

64.207.237.118:443

156.216.134.70:995

58.247.115.126:995

180.151.116.67:443

41.140.63.187:443

144.202.15.58:443

190.199.97.108:993

172.117.139.142:995

45.230.169.132:995

24.9.220.167:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
4620	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4180	regsvr32.exe
4180	regsvr32.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe
3976	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4180	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3624	1856	cmd.exe	83
PID 1856 wrote to memory of 3624	1856	cmd.exe	83
PID 3624 wrote to memory of 2116	3624	cmd.exe	84
PID 3624 wrote to memory of 2116	3624	cmd.exe	84
PID 3624 wrote to memory of 4620	3624	cmd.exe	85
PID 3624 wrote to memory of 4620	3624	cmd.exe	85
PID 4620 wrote to memory of 4180	4620	regsvr32.exe	86
PID 4620 wrote to memory of 4180	4620	regsvr32.exe	86
PID 4620 wrote to memory of 4180	4620	regsvr32.exe	86
PID 4180 wrote to memory of 3976	4180	regsvr32.exe	87
PID 4180 wrote to memory of 3976	4180	regsvr32.exe	87
PID 4180 wrote to memory of 3976	4180	regsvr32.exe	87
PID 4180 wrote to memory of 3976	4180	regsvr32.exe	87
PID 4180 wrote to memory of 3976	4180	regsvr32.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Details.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c alphabetical\histories.cmd vr 32. exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\system32\replace.exe
    replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
    3⤵
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
    regsvr32.exe alphabetical\provenance.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\regsvr32.exe
      alphabetical\provenance.dat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
memory/3976-145-0x0000000000180000-0x00000000001A9000-memory.dmp

Filesize
164KB

Download
memory/3976-144-0x0000000000180000-0x00000000001A9000-memory.dmp

Filesize
164KB

Download
memory/4180-138-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/4180-140-0x0000000000AE0000-0x0000000000B09000-memory.dmp

Filesize
164KB

Download
memory/4180-141-0x0000000002640000-0x0000000002669000-memory.dmp

Filesize
164KB

Download
memory/4180-139-0x0000000002640000-0x0000000002669000-memory.dmp

Filesize
164KB

Download
memory/4180-143-0x0000000002640000-0x0000000002669000-memory.dmp

Filesize
164KB

Download