qakbot | 3fbeaa3e3173d1154d5e6fdc7876d1203b9f286e019ebe3830c94643b73ac7bb

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RS.lnk
Size

1KB
MD5

cb00e4087f8027ff9cc1b1f3a370ce5f
SHA1

71bd2d7efcead213664c14cb355cbf38e7dda809
SHA256

a908e696b7849601cef9f2298a164819c7bcdf06182f897f3f20e76c815678c0
SHA512

fb03e1f0079a768ca0a68d849566a0c2baba5480ee68904069ab8be0c400013aeda7ec0cdda361b229bd9d63b136d56064e5b843c94f2031092012d44704118b

Score

10^/10

qakbot bb05 1667294768 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667294768

136.232.184.134:995

1.65.20.175:53249

187.0.1.154:63263

50.68.204.71:995

74.92.243.113:50000

1.149.126.159:57345

187.0.1.182:17093

123.3.240.16:995

76.68.34.167:2222

172.219.147.156:3389

94.49.5.116:443

187.0.1.181:14507

206.1.223.234:2087

187.0.1.186:18828

131.23.1.187:1

23.233.254.195:443

76.125.91.160:443

187.0.1.90:42349

70.51.139.148:2222

187.0.1.76:47526

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 1 IoCs

pid	Process
4904	televisesLefties.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	regsvr32.exe
2232	regsvr32.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe
2500	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	regsvr32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 5040	4976	cmd.exe	80
PID 4976 wrote to memory of 5040	4976	cmd.exe	80
PID 5040 wrote to memory of 4904	5040	cmd.exe	81
PID 5040 wrote to memory of 4904	5040	cmd.exe	81
PID 4904 wrote to memory of 2232	4904	televisesLefties.exe	82
PID 4904 wrote to memory of 2232	4904	televisesLefties.exe	82
PID 4904 wrote to memory of 2232	4904	televisesLefties.exe	82
PID 2232 wrote to memory of 2500	2232	regsvr32.exe	83
PID 2232 wrote to memory of 2500	2232	regsvr32.exe	83
PID 2232 wrote to memory of 2500	2232	regsvr32.exe	83
PID 2232 wrote to memory of 2500	2232	regsvr32.exe	83
PID 2232 wrote to memory of 2500	2232	regsvr32.exe	83

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RS.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cycling\huh.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\televisesLefties.exe
    C:\Users\Admin\AppData\Local\Temp\\televisesLefties.exe cycling\deer.dat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\regsvr32.exe
      cycling\deer.dat
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\televisesLefties.exe

Filesize
24KB

MD5
b0c2fa35d14a9fad919e99d9d75e1b9e

SHA1
8d7c2fd354363daee63e8f591ec52fa5d0e23f6f

SHA256
022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7

SHA512
a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022

Download Submit
memory/2232-135-0x0000000000000000-mapping.dmp

Download
memory/2232-136-0x0000000000810000-0x000000000083C000-memory.dmp

Filesize
176KB

Download
memory/2232-137-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/2232-139-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/2500-138-0x0000000000000000-mapping.dmp

Download
memory/2500-140-0x0000000001230000-0x000000000125A000-memory.dmp

Filesize
168KB

Download
memory/2500-141-0x0000000001230000-0x000000000125A000-memory.dmp

Filesize
168KB

Download
memory/4904-133-0x0000000000000000-mapping.dmp

Download
memory/5040-132-0x0000000000000000-mapping.dmp

Download