qakbot | 2cd1be65e78ccbd2cdc8bd3711e1f2199a706c341cd62c6636d4cba96a5ce447

Analysis

max time kernel
149s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22-11-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CL.lnk
Size

1KB
MD5

7d82b0c9baf5165ad9f2da1015f35310
SHA1

e81bbc1d79eedd5b00a423dde28826716c38e326
SHA256

1bd2c7e0204b957470fa5f955a22b9a7bf905e23f41acbcc83a4ec08b922f1c1
SHA512

f40e1c7ec6018f60590c73d37c7ec88807ba6e11fddbb503c036432fcdb7b7ecef23f4ccef252705a5c5e71d22282ca9ca55fb63e4efa87c6d4efbbd9a9747b6

Score

10^/10

qakbot bb06 1668418916 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.27

Botnet

BB06

Campaign

1668418916

24.142.218.202:443

152.170.17.136:443

90.104.22.28:2222

24.64.114.59:61202

86.225.214.138:2222

92.27.86.48:2222

70.120.228.205:2083

24.206.27.39:443

27.99.45.237:2222

105.103.27.80:32103

170.253.25.35:443

24.64.114.59:2222

92.207.132.174:2222

86.133.237.3:443

172.117.139.142:995

108.6.249.139:443

92.239.81.124:443

86.129.13.128:2222

47.34.30.133:443

86.148.55.111:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Executes dropped EXE 1 IoCs

Processes:

regsvr32.exe

pid process

348 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exewermgr.exe

pid	process
348	regsvr32.exe
348	regsvr32.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe
4884	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

348 regsvr32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.execmd.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2692 wrote to memory of 3792	2692	cmd.exe	cmd.exe
PID 2692 wrote to memory of 3792	2692	cmd.exe	cmd.exe
PID 2692 wrote to memory of 3792	2692	cmd.exe	cmd.exe
PID 3792 wrote to memory of 4696	3792	cmd.exe	cmd.exe
PID 3792 wrote to memory of 4696	3792	cmd.exe	cmd.exe
PID 3792 wrote to memory of 4696	3792	cmd.exe	cmd.exe
PID 4696 wrote to memory of 2160	4696	cmd.exe	replace.exe
PID 4696 wrote to memory of 2160	4696	cmd.exe	replace.exe
PID 4696 wrote to memory of 2160	4696	cmd.exe	replace.exe
PID 4696 wrote to memory of 348	4696	cmd.exe	regsvr32.exe
PID 4696 wrote to memory of 348	4696	cmd.exe	regsvr32.exe
PID 4696 wrote to memory of 348	4696	cmd.exe	regsvr32.exe
PID 348 wrote to memory of 4884	348	regsvr32.exe	wermgr.exe
PID 348 wrote to memory of 4884	348	regsvr32.exe	wermgr.exe
PID 348 wrote to memory of 4884	348	regsvr32.exe	wermgr.exe
PID 348 wrote to memory of 4884	348	regsvr32.exe	wermgr.exe
PID 348 wrote to memory of 4884	348	regsvr32.exe	wermgr.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CL.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe" /q /c drab\octupling.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K drab\charring.cmd system regsv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\replace.exe
      replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
      regsvr32.exe /i /s drab\\grouts.tmp
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
20KB

MD5
6cab3a2319f53bebabbd57f2bbefc392

SHA1
ab13317a13ca27435d8fc9fc950e7234a8169873

SHA256
62ec2017a419d26d687e909c994269d4480cfdddde664b10cd369fbc9814f2ad

SHA512
2345de8d240a5c8b73bf1735cb7cf8861e6c8fed2f71cdcaf5c37e96565915b6bb3a38747ba3234c95303545e1d29358d70f246854af8d3f6ea116cf6d1eb90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsvr32.exe

Filesize
20KB

MD5
6cab3a2319f53bebabbd57f2bbefc392

SHA1
ab13317a13ca27435d8fc9fc950e7234a8169873

SHA256
62ec2017a419d26d687e909c994269d4480cfdddde664b10cd369fbc9814f2ad

SHA512
2345de8d240a5c8b73bf1735cb7cf8861e6c8fed2f71cdcaf5c37e96565915b6bb3a38747ba3234c95303545e1d29358d70f246854af8d3f6ea116cf6d1eb90b

Download Submit
memory/348-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-185-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-184-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-183-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-267-0x0000000004F10000-0x0000000004F3A000-memory.dmp

Filesize
168KB

Download
memory/348-216-0x0000000004E90000-0x0000000004ED7000-memory.dmp

Filesize
284KB

Download
memory/348-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-217-0x0000000004F10000-0x0000000004F3A000-memory.dmp

Filesize
168KB

Download
memory/348-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/348-159-0x0000000000000000-mapping.dmp

Download
memory/2160-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-142-0x0000000000000000-mapping.dmp

Download
memory/2160-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-116-0x0000000000000000-mapping.dmp

Download
memory/3792-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/3792-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-129-0x0000000000000000-mapping.dmp

Download
memory/4696-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4696-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4884-225-0x0000000000000000-mapping.dmp

Download
memory/4884-279-0x0000000002730000-0x000000000275A000-memory.dmp

Filesize
168KB

Download
memory/4884-284-0x0000000002730000-0x000000000275A000-memory.dmp

Filesize
168KB

Download