qakbot | 3fbeaa3e3173d1154d5e6fdc7876d1203b9f286e019ebe3830c94643b73ac7bb

Analysis

max time kernel
149s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/11/2022, 14:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RS.lnk
Size

1KB
MD5

cb00e4087f8027ff9cc1b1f3a370ce5f
SHA1

71bd2d7efcead213664c14cb355cbf38e7dda809
SHA256

a908e696b7849601cef9f2298a164819c7bcdf06182f897f3f20e76c815678c0
SHA512

fb03e1f0079a768ca0a68d849566a0c2baba5480ee68904069ab8be0c400013aeda7ec0cdda361b229bd9d63b136d56064e5b843c94f2031092012d44704118b

Score

10^/10

qakbot bb05 1667294768 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667294768

136.232.184.134:995

1.65.20.175:53249

187.0.1.154:63263

50.68.204.71:995

74.92.243.113:50000

1.149.126.159:57345

187.0.1.182:17093

123.3.240.16:995

76.68.34.167:2222

172.219.147.156:3389

94.49.5.116:443

187.0.1.181:14507

206.1.223.234:2087

187.0.1.186:18828

131.23.1.187:1

23.233.254.195:443

76.125.91.160:443

187.0.1.90:42349

70.51.139.148:2222

187.0.1.76:47526

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
548	televisesLefties.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1428	regsvr32.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe
964	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1428	regsvr32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1296	1128	cmd.exe	28
PID 1128 wrote to memory of 1296	1128	cmd.exe	28
PID 1128 wrote to memory of 1296	1128	cmd.exe	28
PID 1296 wrote to memory of 548	1296	cmd.exe	29
PID 1296 wrote to memory of 548	1296	cmd.exe	29
PID 1296 wrote to memory of 548	1296	cmd.exe	29
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 548 wrote to memory of 1428	548	televisesLefties.exe	30
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31
PID 1428 wrote to memory of 964	1428	regsvr32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RS.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cycling\huh.cmd
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\televisesLefties.exe
    C:\Users\Admin\AppData\Local\Temp\\televisesLefties.exe cycling\deer.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\regsvr32.exe
      cycling\deer.dat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\televisesLefties.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
\Users\Admin\AppData\Local\Temp\televisesLefties.exe

Filesize
19KB

MD5
59bce9f07985f8a4204f4d6554cff708

SHA1
645c424974fbe5fe7a04cac73f1c23c96e1570b8

SHA256
ca24aef558647274d019dfb4d7fd1506d84ec278795c30ba53b81bb36130dc57

SHA512
3cf5825a9c7fb80ea0bd36775a92d07f34cd3709ed2c7c8f500f1c8baa5242768f6d575bd2477b77e3f177e7a4994d5c5bddb24c6eb43b60a6bd83ea026a8198

Download Submit
memory/964-106-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/964-105-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1128-54-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1428-97-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1428-100-0x0000000000180000-0x00000000001AC000-memory.dmp

Filesize
176KB

Download
memory/1428-101-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1428-99-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1428-104-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download
memory/1428-98-0x00000000001B0000-0x00000000001DA000-memory.dmp

Filesize
168KB

Download