qakbot | c75a2ceda2254b4ca603a616208c8f6731dc73af40d6f7c42a51de38ead202f2

Analysis

max time kernel
187s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Details.lnk
Size

1KB
MD5

23142f4050cfad38e20d0043c76836fc
SHA1

4693a89acfaebbdd72a26a85d75f0ce05d67354e
SHA256

870658ffc670b3da2bc4c55bd9ae84a6b6220ae64845a84ed077837d76c2719e
SHA512

3b03e2515f044479162c3dfc3c81a3982caf7a18a1249c782764b2b17ad4b74a0f300303dd90cb01e106104bcf1bb1b61074dc95e0af0f1f790abacf673a2a9c

Score

10^/10

qakbot bb04 1666863946 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.2

Botnet

BB04

Campaign

1666863946

27.110.134.202:995

1.156.220.47:17155

186.188.80.134:443

1.190.199.101:9480

187.1.1.181:42178

118.200.83.226:443

187.0.1.144:51727

193.3.19.137:443

1.201.68.209:12157

188.49.56.189:443

187.0.1.14:58271

190.74.248.136:443

201.210.92.3:2222

187.0.1.105:40325

64.123.103.123:443

41.97.169.44:443

72.88.245.71:443

187.0.1.45:59049

41.100.163.127:443

187.0.1.83:62527

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
2332	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	regsvr32.exe
5092	regsvr32.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe
1028	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5092	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4264	2324	cmd.exe	82
PID 2324 wrote to memory of 4264	2324	cmd.exe	82
PID 4264 wrote to memory of 220	4264	cmd.exe	83
PID 4264 wrote to memory of 220	4264	cmd.exe	83
PID 4264 wrote to memory of 2332	4264	cmd.exe	84
PID 4264 wrote to memory of 2332	4264	cmd.exe	84
PID 2332 wrote to memory of 5092	2332	regsvr32.exe	85
PID 2332 wrote to memory of 5092	2332	regsvr32.exe	85
PID 2332 wrote to memory of 5092	2332	regsvr32.exe	85
PID 5092 wrote to memory of 1028	5092	regsvr32.exe	86
PID 5092 wrote to memory of 1028	5092	regsvr32.exe	86
PID 5092 wrote to memory of 1028	5092	regsvr32.exe	86
PID 5092 wrote to memory of 1028	5092	regsvr32.exe	86
PID 5092 wrote to memory of 1028	5092	regsvr32.exe	86

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Details.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c disallowable\precondition.cmd r3 2.e xe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\system32\replace.exe
    replace C:\Windows\system32\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
    regsvr32.exe disallowable\expectorant.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\regsvr32.exe
      disallowable\expectorant.dat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
memory/1028-142-0x0000000000E20000-0x0000000000E49000-memory.dmp

Filesize
164KB

Download
memory/1028-143-0x0000000000E20000-0x0000000000E49000-memory.dmp

Filesize
164KB

Download
memory/5092-138-0x00000000028C0000-0x00000000028EB000-memory.dmp

Filesize
172KB

Download
memory/5092-139-0x00000000028F0000-0x0000000002919000-memory.dmp

Filesize
164KB

Download
memory/5092-141-0x00000000028F0000-0x0000000002919000-memory.dmp

Filesize
164KB

Download