Overview

overview

10

Static

static

c0beb47f62...ad.msi

windows7-x64

10

c0beb47f62...ad.msi

windows10-2004-x64

10

Resubmissions

05-12-2022 21:51

221205-1qkdasag75 10

05-12-2022 21:06

221205-zx2qgsah5z 10

Analysis

  • max time kernel
    1801s
  • max time network
    1806s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi

  • Size

    597KB

  • MD5

    13bd4a09264d6312d957d61d64e79f53

  • SHA1

    5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0

  • SHA256

    c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad

  • SHA512

    b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582

  • SSDEEP

    12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U

Score
10/10
qakbotaa1649749884bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

AA

Campaign

1649749884

C2

120.150.218.241:995

186.64.67.38:443

196.203.37.215:80

1.161.71.109:443

82.152.39.39:443

76.69.155.202:2222

72.66.116.235:995

103.107.113.120:443

113.11.89.165:995

208.107.221.224:443

103.88.226.30:443

75.99.168.194:443

75.113.214.234:2222

76.169.147.192:32103

190.73.3.148:2222

39.52.2.90:995

38.70.253.226:2222

5.95.58.211:2087

74.15.2.252:2222

76.70.9.169:2222
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2004
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7696D9205181F55651E91281B65E2471
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:108
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2036
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000005A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize

    765B

    MD5

    6af6b6f4ae6196f189dddbc3359153d0

    SHA1

    a6b8bcd8d52bc78e6ab09a4691eb235bc342da76

    SHA256

    56843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4

    SHA512

    3ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
    Filesize

    637B

    MD5

    f65e6919f241c149d42e36d0e6751e12

    SHA1

    ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e

    SHA256

    6e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69

    SHA512

    3b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize

    1KB

    MD5

    c2e74c923e71f2331e4ac3e559feed88

    SHA1

    0dafbf3c9b11edb7a0c7d149f545b88004a951f8

    SHA256

    e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c

    SHA512

    7ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize

    484B

    MD5

    913999d3b52ec10da7ca3a8d154e1af1

    SHA1

    ef4a5d3f606e366224dc07469e2d6c21bf6a212c

    SHA256

    6742a691ce91ab831ab3189c88fbf22a3da3fa22a3ddfa1bcf3262c1f2f39c0a

    SHA512

    cfb43b77f97dec8f9c45a30c2c8ec35a3ec9d7152fb8e4fd1771f3fc3b3765994e160514a798e3f812448168e7ce7d7ad12ade54d310dc639e9812338fb1b5e1

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8e108d707c2af719ece0f0c405443df5

    SHA1

    54c3c4c6250e49c490ed9ebc07d8514f7ee0dd85

    SHA256

    d86070f150d3d12ff71b3ecf0f720542d6194c1eaff939071ced77878793b679

    SHA512

    3b9d9d0c95ddafb14c6f9f68d9a0bf716d5561d47aa059fb735f5e9223e7df8214e1d4a316e2f512d09d9ac31265327a4d4a20187174a0a844c75a0b7b8cad78

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
    Filesize

    488B

    MD5

    32e615552b954fdf2ff3a1884c3b1a9e

    SHA1

    5dda7927befa707e6f0d7bdac5e60dc8d499f521

    SHA256

    353768c759ac9ccbc2f98ce35f3b89eac5933d25f5b61f5c9165553e1ee18300

    SHA512

    944fc462db2e31a787e5dd365c970c94670e92b26ea2772ab6233f92fc697c5c43fdbda1535ff86dddfe11bdb3836e8dd48ceb1290c0938f7f586c314bfb2f5e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize

    482B

    MD5

    1a9f235515623ab0dc4622d3e9e6af1d

    SHA1

    4d6ad32268238f1bcf7a24134c539651499f7736

    SHA256

    f36c14bdaa95f974b217d918367da7807e107765457880ae6e58265c29b848b5

    SHA512

    78e024d156a1e6b8c0d3581147a7f13473a55d0ff53eefc7474d838635e82e6ee74f80773800dbc9f31af3598d28b9f7ddac1246cf50fd40e77e41d7e07b5ef5

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    2519bde316042dec0c7492a656c05a00

    SHA1

    53c42b800e6cee64090c51fd3aa4f89c931d5428

    SHA256

    4e042c03006bca0e2d8241ccca5e032b150475a1283c2908661c376e2c204175

    SHA512

    9de32530e401a14bc868e68237f13ddf5345d04922477e6806a5b218d32918e9aea7c0d5012d93834f6fe36f564831b47d0482d846ae62dc521de7945f8e7db8

    Download Submit
  • C:\Users\Admin\AppData\Local\SetupTest\1.dll
    Filesize

    716KB

    MD5

    726a41b2959768c5c3d2c7c213e6d0d8

    SHA1

    e28186bc0d771d20527b5f80757f4ee3f0ce442e

    SHA256

    6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

    SHA512

    4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

    Download Submit
  • \??\PIPE\samr
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \??\PIPE\samr
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \Users\Admin\AppData\Local\SetupTest\1.dll
    Filesize

    716KB

    MD5

    726a41b2959768c5c3d2c7c213e6d0d8

    SHA1

    e28186bc0d771d20527b5f80757f4ee3f0ce442e

    SHA256

    6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

    SHA512

    4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

    Download Submit
  • memory/108-78-0x0000000000000000-mapping.dmp
    Download
  • memory/108-80-0x0000000073C91000-0x0000000073C93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/108-81-0x0000000000080000-0x000000000010F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/108-82-0x0000000000080000-0x000000000010F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1712-67-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1712-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-72-0x0000000010000000-0x000000001008F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/2004-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
    Filesize

    8KB

    Download