Overview

overview

10

Static

static

CL.lnk

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22-11-2022 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CL.lnk

  • Size

    1KB

  • MD5

    7d82b0c9baf5165ad9f2da1015f35310

  • SHA1

    e81bbc1d79eedd5b00a423dde28826716c38e326

  • SHA256

    1bd2c7e0204b957470fa5f955a22b9a7bf905e23f41acbcc83a4ec08b922f1c1

  • SHA512

    f40e1c7ec6018f60590c73d37c7ec88807ba6e11fddbb503c036432fcdb7b7ecef23f4ccef252705a5c5e71d22282ca9ca55fb63e4efa87c6d4efbbd9a9747b6

Score
10/10
qakbotbb061668418916bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.27

Botnet

BB06

Campaign

1668418916

C2

24.142.218.202:443

152.170.17.136:443

90.104.22.28:2222

24.64.114.59:61202

86.225.214.138:2222

92.27.86.48:2222

70.120.228.205:2083

24.206.27.39:443

27.99.45.237:2222

105.103.27.80:32103

170.253.25.35:443

24.64.114.59:2222

92.207.132.174:2222

86.133.237.3:443

172.117.139.142:995

108.6.249.139:443

92.239.81.124:443

86.129.13.128:2222

47.34.30.133:443

86.148.55.111:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\CL.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe" /q /c drab\octupling.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K drab\charring.cmd system regsv
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\SysWOW64\replace.exe
          replace C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A
          4⤵
            PID:2160
          • C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
            regsvr32.exe /i /s drab\\grouts.tmp
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:348
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4884

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
      Filesize

      20KB

      MD5

      6cab3a2319f53bebabbd57f2bbefc392

      SHA1

      ab13317a13ca27435d8fc9fc950e7234a8169873

      SHA256

      62ec2017a419d26d687e909c994269d4480cfdddde664b10cd369fbc9814f2ad

      SHA512

      2345de8d240a5c8b73bf1735cb7cf8861e6c8fed2f71cdcaf5c37e96565915b6bb3a38747ba3234c95303545e1d29358d70f246854af8d3f6ea116cf6d1eb90b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\regsvr32.exe
      Filesize

      20KB

      MD5

      6cab3a2319f53bebabbd57f2bbefc392

      SHA1

      ab13317a13ca27435d8fc9fc950e7234a8169873

      SHA256

      62ec2017a419d26d687e909c994269d4480cfdddde664b10cd369fbc9814f2ad

      SHA512

      2345de8d240a5c8b73bf1735cb7cf8861e6c8fed2f71cdcaf5c37e96565915b6bb3a38747ba3234c95303545e1d29358d70f246854af8d3f6ea116cf6d1eb90b

      Download Submit
    • memory/348-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-185-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-184-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-183-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-267-0x0000000004F10000-0x0000000004F3A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/348-216-0x0000000004E90000-0x0000000004ED7000-memory.dmp
      Filesize

      284KB

      Download
    • memory/348-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-217-0x0000000004F10000-0x0000000004F3A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/348-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/348-159-0x0000000000000000-mapping.dmp
      Download
    • memory/2160-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2160-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2160-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-116-0x0000000000000000-mapping.dmp
      Download
    • memory/3792-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3792-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-129-0x0000000000000000-mapping.dmp
      Download
    • memory/4696-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4696-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4884-225-0x0000000000000000-mapping.dmp
      Download
    • memory/4884-279-0x0000000002730000-0x000000000275A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/4884-284-0x0000000002730000-0x000000000275A000-memory.dmp
      Filesize

      168KB

      Download