qakbot | b3ce4d863e60bc8e533ace948cab3222dd4fa70ac7f93c9391ab769d74902169

General

Target

WP.vbs
Size

178B
MD5

e79b8eac6811c47921d7b7e02df81bc8
SHA1

3a242182768de828966235c3a92d2c8956d27672
SHA256

1ca39f8d606633829b551ef3d1a99a9e45f7ce32c1e7e4c1b573d91b1582692d
SHA512

d9e691cd695d06931cbeab643a8e63244e16ca98f1affaf2464c3af455a958aaba5c8f4aae86134ba97813f086e2c3d1f66466dc13c75520e2b04fc6c223526d

Score

10^/10

qakbot obama224 1669794048 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1052 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1804 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

1612 ipconfig.exe
1484 netstat.exe
Runs net.exe

pid	process
1052	rundll32.exe

pid	process
1804	net.exe

pid	process
1612	ipconfig.exe
1484	netstat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exerundll32.exewermgr.exe

pid	process
668	powershell.exe
668	powershell.exe
1052	rundll32.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe
836	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

1052 rundll32.exe

pid	process
1052	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exenetstat.exewhoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1484	netstat.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeDebugPrivilege	1100	whoami.exe
Token: SeRestorePrivilege	1608	msiexec.exe
Token: SeTakeOwnershipPrivilege	1608	msiexec.exe
Token: SeSecurityPrivilege	1608	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exepowershell.exerundll32.exewermgr.exenet.exenet.exe

description	pid	process	target process
PID 520 wrote to memory of 668	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 668	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 668	520	WScript.exe	powershell.exe
PID 520 wrote to memory of 668	520	WScript.exe	powershell.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 668 wrote to memory of 1052	668	powershell.exe	rundll32.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 1052 wrote to memory of 836	1052	rundll32.exe	wermgr.exe
PID 836 wrote to memory of 1804	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1804	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1804	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1804	836	wermgr.exe	net.exe
PID 836 wrote to memory of 580	836	wermgr.exe	cmd.exe
PID 836 wrote to memory of 580	836	wermgr.exe	cmd.exe
PID 836 wrote to memory of 580	836	wermgr.exe	cmd.exe
PID 836 wrote to memory of 580	836	wermgr.exe	cmd.exe
PID 836 wrote to memory of 1380	836	wermgr.exe	arp.exe
PID 836 wrote to memory of 1380	836	wermgr.exe	arp.exe
PID 836 wrote to memory of 1380	836	wermgr.exe	arp.exe
PID 836 wrote to memory of 1380	836	wermgr.exe	arp.exe
PID 836 wrote to memory of 1612	836	wermgr.exe	ipconfig.exe
PID 836 wrote to memory of 1612	836	wermgr.exe	ipconfig.exe
PID 836 wrote to memory of 1612	836	wermgr.exe	ipconfig.exe
PID 836 wrote to memory of 1612	836	wermgr.exe	ipconfig.exe
PID 836 wrote to memory of 852	836	wermgr.exe	nslookup.exe
PID 836 wrote to memory of 852	836	wermgr.exe	nslookup.exe
PID 836 wrote to memory of 852	836	wermgr.exe	nslookup.exe
PID 836 wrote to memory of 852	836	wermgr.exe	nslookup.exe
PID 836 wrote to memory of 1052	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1052	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1052	836	wermgr.exe	net.exe
PID 836 wrote to memory of 1052	836	wermgr.exe	net.exe
PID 1052 wrote to memory of 1748	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1748	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1748	1052	net.exe	net1.exe
PID 1052 wrote to memory of 1748	1052	net.exe	net1.exe
PID 836 wrote to memory of 1840	836	wermgr.exe	route.exe
PID 836 wrote to memory of 1840	836	wermgr.exe	route.exe
PID 836 wrote to memory of 1840	836	wermgr.exe	route.exe
PID 836 wrote to memory of 1840	836	wermgr.exe	route.exe
PID 836 wrote to memory of 1484	836	wermgr.exe	netstat.exe
PID 836 wrote to memory of 1484	836	wermgr.exe	netstat.exe
PID 836 wrote to memory of 1484	836	wermgr.exe	netstat.exe
PID 836 wrote to memory of 1484	836	wermgr.exe	netstat.exe
PID 836 wrote to memory of 2008	836	wermgr.exe	net.exe
PID 836 wrote to memory of 2008	836	wermgr.exe	net.exe
PID 836 wrote to memory of 2008	836	wermgr.exe	net.exe
PID 836 wrote to memory of 2008	836	wermgr.exe	net.exe
PID 2008 wrote to memory of 2000	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2000	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2000	2008	net.exe	net1.exe
PID 2008 wrote to memory of 2000	2008	net.exe	net1.exe
PID 836 wrote to memory of 1100	836	wermgr.exe	whoami.exe
PID 836 wrote to memory of 1100	836	wermgr.exe	whoami.exe
PID 836 wrote to memory of 1100	836	wermgr.exe	whoami.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\vied.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\users\public\hashesObligation.txt DrawThemeIcon
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:580

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:1380

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1612

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:852

C:\Windows\SysWOW64\net.exe
net share
5⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:1748

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:1840

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:2000

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\hashesObligation.txt
Filesize
577KB

MD5
4d2a4e2da95f4ca2799497d7b4262a92

SHA1
dd405984d9fbc66c0f2ce1ce90c12af85e1daec5

SHA256
1ad02331cceaebe32e8c820e1ce7ef7de84c51c873b440ada1dd510a93bfbe8d

SHA512
08c0ba81b4d309478353132a5b5e7226bd7a1687658b59d6d541418497cb9965855547180033c684d7e23ba91fd4bcd4deed423c61cf054e1d85d327093a00e2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Public\hashesObligation.txt
Filesize
577KB

MD5
4d2a4e2da95f4ca2799497d7b4262a92

SHA1
dd405984d9fbc66c0f2ce1ce90c12af85e1daec5

SHA256
1ad02331cceaebe32e8c820e1ce7ef7de84c51c873b440ada1dd510a93bfbe8d

SHA512
08c0ba81b4d309478353132a5b5e7226bd7a1687658b59d6d541418497cb9965855547180033c684d7e23ba91fd4bcd4deed423c61cf054e1d85d327093a00e2

Download Submit
memory/520-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/580-75-0x0000000000000000-mapping.dmp

Download
memory/668-58-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/668-57-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/668-56-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/668-55-0x0000000000000000-mapping.dmp

Download
memory/668-63-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/836-69-0x0000000000000000-mapping.dmp

Download
memory/836-73-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/836-72-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/852-79-0x0000000000000000-mapping.dmp

Download
memory/1052-80-0x0000000000000000-mapping.dmp

Download
memory/1052-59-0x0000000000000000-mapping.dmp

Download
memory/1052-67-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/1052-64-0x0000000000650000-0x000000000067D000-memory.dmp

Filesize
180KB

Download
memory/1052-71-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/1052-65-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/1052-68-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/1100-87-0x0000000000000000-mapping.dmp

Download
memory/1380-76-0x0000000000000000-mapping.dmp

Download
memory/1484-84-0x0000000000000000-mapping.dmp

Download
memory/1612-77-0x0000000000000000-mapping.dmp

Download
memory/1748-81-0x0000000000000000-mapping.dmp

Download
memory/1804-74-0x0000000000000000-mapping.dmp

Download
memory/1840-83-0x0000000000000000-mapping.dmp

Download
memory/2000-86-0x0000000000000000-mapping.dmp

Download
memory/2008-85-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads