qakbot | 6c347806d08055f6f0e93821fdbca5b98ed4f3057afd3160b18e9a8134e2c2f7

Resubmissions

17-11-2022 22:37

221117-2j257sca51 10

17-11-2022 22:35

221117-2hqqsagb29 1

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2022 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CY67.zip
Size

435KB
MD5

5d6ef8be97e672979f6c04fd099a2d1d
SHA1

b9be124f3a7eae5beaf124f14c55b1538f9de97e
SHA256

097c48df84ad79130311c58baf6f53236cfb505ec5b8ec9553b348e99321bdc3
SHA512

a3b70c4e5dc5c05a5f459eebb1cc1d2d5d199cbb97efa31fa100fca42974568b93c30b18e2cf2ab4e93dea2b25c78260169b8aafb990fea760d86ea580ee9890
SSDEEP

12288:Tf8/GTQsRbziKbUV/RRwlmPquotUS8S1HHvuQJ30VOugU32Z:b4uQsRbvbopRwVbUy1nvuZ32Z

Score

10^/10

qakbot bb06 1668670510 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.30

Botnet

BB06

Campaign

1668670510

86.225.214.138:2222

71.183.236.133:443

182.66.197.35:443

70.66.199.12:443

76.80.180.154:995

180.151.104.143:443

92.149.205.238:2222

83.110.223.247:443

183.87.31.34:443

105.103.50.1:990

103.141.50.117:995

105.103.50.1:465

105.103.50.1:22

86.130.9.167:2222

86.99.15.243:2222

90.104.22.28:2222

172.117.139.142:995

176.142.207.63:443

142.161.27.232:2222

71.247.10.63:50003

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2552 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
2552	regsvr32.exe
2552	regsvr32.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe
2348	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2552 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2880 7zFM.exe
Token: 35 2880 7zFM.exe
Token: SeSecurityPrivilege 2880 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

2880 7zFM.exe
2880 7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2880	7zFM.exe
Token: 35	2880	7zFM.exe
Token: SeSecurityPrivilege	2880	7zFM.exe

pid	process
2880	7zFM.exe
2880	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3616 wrote to memory of 2904	3616	WScript.exe	regsvr32.exe
PID 3616 wrote to memory of 2904	3616	WScript.exe	regsvr32.exe
PID 2904 wrote to memory of 2552	2904	regsvr32.exe	regsvr32.exe
PID 2904 wrote to memory of 2552	2904	regsvr32.exe	regsvr32.exe
PID 2904 wrote to memory of 2552	2904	regsvr32.exe	regsvr32.exe
PID 2552 wrote to memory of 2348	2552	regsvr32.exe	wermgr.exe
PID 2552 wrote to memory of 2348	2552	regsvr32.exe	wermgr.exe
PID 2552 wrote to memory of 2348	2552	regsvr32.exe	wermgr.exe
PID 2552 wrote to memory of 2348	2552	regsvr32.exe	wermgr.exe
PID 2552 wrote to memory of 2348	2552	regsvr32.exe	wermgr.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CY67.zip
1⤵
PID:3624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\CY67.img"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\WW.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" animators\messiest.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\regsvr32.exe
    animators\messiest.tmp
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\WW.js

Filesize
9KB

MD5
9939ed981f80949de08b32d6383daa66

SHA1
ef86148f5ab069eb54a9c7742a9bf5c06fa9ffb1

SHA256
116a9ec7461830d99d4ed29418db43e9c1293361b337ea0abe31980406de00e8

SHA512
9de8f812284acd1fee7ff1c0e747b491905d0e1895686c718f380dc184f002e7e4dfdac016dd05bcf2b348d2bc2df90558ad493420d44b679a3e7adbc4ae55d5

Download Submit
C:\Users\Admin\Desktop\animators\messiest.tmp

Filesize
835KB

MD5
fc28fdaf31c995b7bad98c0fdfe75624

SHA1
ed03ff45ef51829fbb1a62b580ce9d2f6b70b785

SHA256
6c14b0dc6cf7330dac5faa3a04cabc6f6a63bcc29eef235991593df1bf23d981

SHA512
f48c41de2f9e81197eb2b120db10467be12f3dde0960771ba18db0d1b4b631cddcde754e345d33e3b37cfd736cd92f820528d94fe78f6e9ae35973be5c108842

Download Submit
C:\Users\Admin\Desktop\animators\messiest.tmp

Filesize
835KB

MD5
fc28fdaf31c995b7bad98c0fdfe75624

SHA1
ed03ff45ef51829fbb1a62b580ce9d2f6b70b785

SHA256
6c14b0dc6cf7330dac5faa3a04cabc6f6a63bcc29eef235991593df1bf23d981

SHA512
f48c41de2f9e81197eb2b120db10467be12f3dde0960771ba18db0d1b4b631cddcde754e345d33e3b37cfd736cd92f820528d94fe78f6e9ae35973be5c108842

Download Submit
C:\Users\Admin\Desktop\data.txt

Filesize
5B

MD5
2e24e01ec251c8c851897724d3469520

SHA1
0ddb51524f91c79380fbfaf345437a960c3c2428

SHA256
124880061f6255dd7b59b73613ea8d246648be1d34f860b753d4b390c51496d3

SHA512
537edd95435d2f2687a6ba41f1006bd96f8b4f2882a03f09103cd4d140df7e6116fe10a44d28dfdcd6598424ed33c16477df905a37ad3dd2e4a03784294fa1ab

Download Submit
memory/2348-140-0x0000000000000000-mapping.dmp

Download
memory/2348-142-0x0000000000660000-0x000000000068A000-memory.dmp

Filesize
168KB

Download
memory/2552-136-0x0000000000000000-mapping.dmp

Download
memory/2552-138-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/2552-139-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/2552-141-0x0000000000C80000-0x0000000000CAA000-memory.dmp

Filesize
168KB

Download
memory/2904-134-0x0000000000000000-mapping.dmp

Download