Overview

overview

10

Static

static

DV_9513.iso

windows10-1703-x64

3

DV.lnk

windows10-1703-x64

10

selectable...er.cmd

windows10-1703-x64

1

selectable...rs.dll

windows10-1703-x64

10

Analysis

  • max time kernel
    305s
  • max time network
    224s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/10/2022, 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DV.lnk

  • Size

    1KB

  • MD5

    cfc2c6be0247c15708ee077d293956c4

  • SHA1

    6b2c2bc858149a1af62ae414d4fbebb9d4ecb966

  • SHA256

    5ff465cd23c117c77714927839880e588a27cd933222d9e26f39507d09e53dbf

  • SHA512

    aeb4bae560b31d514cdffc0f9b52c1e58e9de0bfce51fd431431ddb2e4347047f3bba578a10dba5f7a3c6483a90af3f0b74dc13a2dd1bda07c422e8915e8708a

Score
10/10
qakbotbb051667208499bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.14

Botnet

BB05

Campaign

1667208499

C2

174.77.209.5:443

187.0.1.74:23795

24.206.27.39:443

1.156.220.169:30723

156.216.39.119:995

58.186.75.42:443

1.156.197.160:30467

187.1.1.190:4844

186.18.210.16:443

1.181.56.171:771

90.165.109.4:2222

187.0.1.186:39742

87.57.13.215:443

187.0.1.207:52344

227.26.3.227:1

98.207.190.55:443

187.0.1.197:7017

188.49.56.189:443

102.156.160.115:443

187.0.1.24:17751
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DV.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c selectable\embalmer.cmd reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        C:\Users\Admin\AppData\Local\Temp\\shelteredHonorariums.com selectable\pulsars.dat
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\regsvr32.exe
          selectable\pulsars.dat
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4912
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3260
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selectable\embalmer.cmd" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        C:\Users\Admin\AppData\Local\Temp\\shelteredHonorariums.com selectable\pulsars.dat
        2⤵
        • Executes dropped EXE
        PID:1036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c selectable\embalmer.cmd reg
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        C:\Users\Admin\AppData\Local\Temp\\shelteredHonorariums.com selectable\pulsars.dat
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\regsvr32.exe
          selectable\pulsars.dat
          3⤵
            PID:1064
      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        "C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com"
        1⤵
        • Executes dropped EXE
        PID:1568

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\selectable\pulsars.dat
        Filesize

        4KB

        MD5

        4e0db1a476c3aa5acb7260520b782e10

        SHA1

        3076999a576fc02d0c9ec927a1803937e8bb7a9c

        SHA256

        ffe342138e54568a0c5b38a767ce0cb1071f2c53b999d9620732750210f50b96

        SHA512

        013e3c916e5aaf3acff235876de065f90d1924e58857bba6979baefec37e8bf5a3121a7320605b352c30c2abe499431a5c981faf486f791cf29e5dbbfacfd6a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        Filesize

        23KB

        MD5

        a8819a40562f8afe1ea5a24d4fafea5d

        SHA1

        c5da393b44176770471a8d6b9324eb387046f52b

        SHA256

        cec94c3829884bdf1d35ea3e02988c748c0f6881819719242605e3c5f531fffc

        SHA512

        a4673f9ab8017277723a5486f15da54e6d7a025f0e0eff9355ceb72bde151054ee299af4fb83a3ebe01dba3db3f56abee3a13854a2272099b6f263fb118dab19

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        Filesize

        23KB

        MD5

        a8819a40562f8afe1ea5a24d4fafea5d

        SHA1

        c5da393b44176770471a8d6b9324eb387046f52b

        SHA256

        cec94c3829884bdf1d35ea3e02988c748c0f6881819719242605e3c5f531fffc

        SHA512

        a4673f9ab8017277723a5486f15da54e6d7a025f0e0eff9355ceb72bde151054ee299af4fb83a3ebe01dba3db3f56abee3a13854a2272099b6f263fb118dab19

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        Filesize

        23KB

        MD5

        a8819a40562f8afe1ea5a24d4fafea5d

        SHA1

        c5da393b44176770471a8d6b9324eb387046f52b

        SHA256

        cec94c3829884bdf1d35ea3e02988c748c0f6881819719242605e3c5f531fffc

        SHA512

        a4673f9ab8017277723a5486f15da54e6d7a025f0e0eff9355ceb72bde151054ee299af4fb83a3ebe01dba3db3f56abee3a13854a2272099b6f263fb118dab19

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\shelteredHonorariums.com
        Filesize

        23KB

        MD5

        a8819a40562f8afe1ea5a24d4fafea5d

        SHA1

        c5da393b44176770471a8d6b9324eb387046f52b

        SHA256

        cec94c3829884bdf1d35ea3e02988c748c0f6881819719242605e3c5f531fffc

        SHA512

        a4673f9ab8017277723a5486f15da54e6d7a025f0e0eff9355ceb72bde151054ee299af4fb83a3ebe01dba3db3f56abee3a13854a2272099b6f263fb118dab19

        Download Submit

      • memory/3288-157-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-163-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-130-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-131-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-132-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-133-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-134-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-135-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-136-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-137-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-138-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-139-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-140-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-141-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-142-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-143-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-144-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-145-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-146-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-147-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-148-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-149-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-150-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-151-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-152-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-153-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-154-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-155-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-156-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-128-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-158-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-159-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-160-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-161-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-162-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-129-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-164-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-165-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-166-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-167-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-168-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-169-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-170-0x0000000003490000-0x0000000003502000-memory.dmp

        Filesize

        456KB

        Download

      • memory/3288-171-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-172-0x0000000003510000-0x000000000353A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3288-173-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-174-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-175-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-176-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-220-0x0000000003510000-0x000000000353A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3288-124-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-125-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-126-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3288-127-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-181-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-180-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-184-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-185-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-186-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-187-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-183-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-188-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-182-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-189-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-179-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-178-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-190-0x0000000077D40000-0x0000000077ECE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4912-212-0x0000000000600000-0x000000000062A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4912-231-0x0000000000600000-0x000000000062A000-memory.dmp

        Filesize

        168KB

        Download