qakbot | c3cbf54a0103490dc5581d766e4462e4b5eb9e8cd45c9c97853e3bdd5e1361d7

Resubmissions

30-11-2022 21:30

221130-1cq9paba9x 10

30-11-2022 21:10

221130-zz49dshg41 3

Analysis

max time kernel
1202s
max time network
1186s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WP.vbs
Size

182B
MD5

9b9b29197cae0e97c7f2e73b309e51ff
SHA1

14787348dd8d419227afd51659540a3b80641eee
SHA256

fef9692d8290f862a3c9561e5fa6331f4a084ecdd8e5f920d3f8a4b3d9899e9c
SHA512

57977963d61517f02c88a356bef8b892448b32ee9ad1cbbc82e988c503da3b091808f8b86d13a9693cb43e51a76cb2a04a504ad9897ceef805456a2852c7cac4

Score

10^/10

qakbot obama224 1669794048 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4048 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4048	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exerundll32.exewermgr.exe

pid	process
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
4048	rundll32.exe
4048	rundll32.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe
4640	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4048 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4872 powershell.exe

pid	process
4048	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4872	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exepowershell.exerundll32.exe

description	pid	process	target process
PID 1020 wrote to memory of 4872	1020	WScript.exe	powershell.exe
PID 1020 wrote to memory of 4872	1020	WScript.exe	powershell.exe
PID 1020 wrote to memory of 4872	1020	WScript.exe	powershell.exe
PID 4872 wrote to memory of 4048	4872	powershell.exe	rundll32.exe
PID 4872 wrote to memory of 4048	4872	powershell.exe	rundll32.exe
PID 4872 wrote to memory of 4048	4872	powershell.exe	rundll32.exe
PID 4048 wrote to memory of 4640	4048	rundll32.exe	wermgr.exe
PID 4048 wrote to memory of 4640	4048	rundll32.exe	wermgr.exe
PID 4048 wrote to memory of 4640	4048	rundll32.exe	wermgr.exe
PID 4048 wrote to memory of 4640	4048	rundll32.exe	wermgr.exe
PID 4048 wrote to memory of 4640	4048	rundll32.exe	wermgr.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\donatory.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\muskUnflurried.txt DrawThemeIcon
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\muskUnflurried.txt
Filesize
577KB

MD5
427f7efc54aea640c2a2bb7fd54da8b6

SHA1
96e05fef19277c7a980b2d1073e28c9d56aba7fe

SHA256
1ec0273e4902c632750a9158c8931495e4d0d747884cc5218044a7bd5ede6ed5

SHA512
aa3987cf0d84432de5b231cde938bc4e60b716966889c5a36653098b3377acd63363b6fe31ab181abe8f31a61c46f44ea62437167ad04d64ede8d62ac3b51245

Download Submit
\Users\Public\muskUnflurried.txt
Filesize
577KB

MD5
427f7efc54aea640c2a2bb7fd54da8b6

SHA1
96e05fef19277c7a980b2d1073e28c9d56aba7fe

SHA256
1ec0273e4902c632750a9158c8931495e4d0d747884cc5218044a7bd5ede6ed5

SHA512
aa3987cf0d84432de5b231cde938bc4e60b716966889c5a36653098b3377acd63363b6fe31ab181abe8f31a61c46f44ea62437167ad04d64ede8d62ac3b51245

Download Submit
memory/4048-214-0x0000000000000000-mapping.dmp

Download
memory/4048-265-0x0000000000E00000-0x0000000000F4A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-266-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download
memory/4048-318-0x0000000001110000-0x000000000113A000-memory.dmp

Filesize
168KB

Download
memory/4640-334-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/4640-302-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/4640-275-0x0000000000000000-mapping.dmp

Download
memory/4872-155-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-188-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-123-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-126-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-149-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-160-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-152-0x00000000044D0000-0x0000000004506000-memory.dmp

Filesize
216KB

Download
memory/4872-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-120-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-162-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-157-0x0000000006F00000-0x0000000007528000-memory.dmp

Filesize
6.2MB

Download
memory/4872-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-121-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-163-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-166-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-170-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-172-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-174-0x0000000007620000-0x0000000007642000-memory.dmp

Filesize
136KB

Download
memory/4872-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-176-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-177-0x00000000076C0000-0x0000000007726000-memory.dmp

Filesize
408KB

Download
memory/4872-178-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/4872-179-0x00000000079E0000-0x0000000007D30000-memory.dmp

Filesize
3.3MB

Download
memory/4872-180-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-181-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-182-0x00000000078A0000-0x00000000078BC000-memory.dmp

Filesize
112KB

Download
memory/4872-183-0x0000000007DF0000-0x0000000007E3B000-memory.dmp

Filesize
300KB

Download
memory/4872-184-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-185-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-186-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-187-0x0000000008070000-0x00000000080E6000-memory.dmp

Filesize
472KB

Download
memory/4872-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-189-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-190-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-119-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-118-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-117-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-116-0x0000000000000000-mapping.dmp

Download
memory/4872-191-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/4872-198-0x0000000009100000-0x0000000009194000-memory.dmp

Filesize
592KB

Download
memory/4872-199-0x0000000008250000-0x000000000826A000-memory.dmp

Filesize
104KB

Download
memory/4872-200-0x0000000008E80000-0x0000000008EA2000-memory.dmp

Filesize
136KB

Download
memory/4872-201-0x00000000096A0000-0x0000000009B9E000-memory.dmp

Filesize
5.0MB

Download