Resubmissions

09-12-2022 21:26

221209-z981bshc2x 10

01-12-2022 07:02

221201-hvaqjseb89 10

Analysis

  • max time kernel
    601s
  • max time network
    590s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-12-2022 21:26

General

  • Target

    BF.vbs

  • Size

    180B

  • MD5

    fcf6c65b599aaad756e0c32e688ec9db

  • SHA1

    28e5e0be32ec5d837dcbbf8bbe5be9a44e14750b

  • SHA256

    dc9c38ba168c5fd0c78917e9cd8f1ddf7119c59a80ef5e097705091a157a3cb0

  • SHA512

    e25f419e1b489e7f23259395ed39bca2b964ef5a963efdaa102415928f7e5370823a128c5510f5417617c50b200f2588257716d45a8c742e3cca364daa44e37b

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB08

Campaign

1669628564

C2

98.147.155.235:443

85.52.73.34:2222

75.158.15.211:443

2.91.184.252:995

92.106.70.62:2222

85.152.152.46:443

86.159.48.25:2222

217.128.91.196:2222

92.11.189.236:2222

83.92.85.93:443

2.83.62.105:443

93.24.192.142:20

76.20.42.45:443

24.64.114.59:2078

73.36.196.11:443

130.43.99.103:995

172.117.139.142:995

100.16.107.117:443

12.172.173.82:22

176.151.15.101:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass teased\\brainwaves.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\users\public\extroversionRadiantly.txt DrawThemeIcon
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • Discovers systems in the same network
            PID:1328
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c set
            5⤵
              PID:1316
            • C:\Windows\SysWOW64\arp.exe
              arp -a
              5⤵
                PID:1392
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /all
                5⤵
                • Gathers network information
                PID:828
              • C:\Windows\SysWOW64\nslookup.exe
                nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
                5⤵
                  PID:1692
                • C:\Windows\SysWOW64\net.exe
                  net share
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1172
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 share
                    6⤵
                      PID:1740
                  • C:\Windows\SysWOW64\route.exe
                    route print
                    5⤵
                      PID:388
                    • C:\Windows\SysWOW64\netstat.exe
                      netstat -nao
                      5⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2016
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1480
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup
                        6⤵
                          PID:1628
                      • C:\Windows\SysWOW64\whoami.exe
                        whoami /all
                        5⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:532
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059): 1
  • Discovery
    System Information Discovery (T1082): 2
    Remote System Discovery (T1018): 1


Downloads

  • C:\users\public\extroversionRadiantly.txt
    Filesize: 725KB
    MD5: ed77586a14e95e3480d26c85219ae795
    SHA1: bc15afb8b4aec58f7c3ce38f780ce4c5f8444b1d
    SHA256: e978b0c77018e382ef87f6cee623b5b8b436a331449f8e2edca65b1c045aacc7
    SHA512: 03fee67cc0dda7b9518e5cb7934e0a18d872d40c357b70454d2353f91ac763eabeec5c9f2ca62cdcb510dff09f11e1acd47caaf7a96651c4010a5402c45ec857

  • \??\PIPE\samr
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Public\extroversionRadiantly.txt
    Filesize: 725KB
    MD5: ed77586a14e95e3480d26c85219ae795
    SHA1: bc15afb8b4aec58f7c3ce38f780ce4c5f8444b1d
    SHA256: e978b0c77018e382ef87f6cee623b5b8b436a331449f8e2edca65b1c045aacc7
    SHA512: 03fee67cc0dda7b9518e5cb7934e0a18d872d40c357b70454d2353f91ac763eabeec5c9f2ca62cdcb510dff09f11e1acd47caaf7a96651c4010a5402c45ec857

  • memory/388-79-0x0000000000000000-mapping.dmp
  • memory/532-84-0x0000000000000000-mapping.dmp
  • memory/828-74-0x0000000000000000-mapping.dmp
  • memory/1172-77-0x0000000000000000-mapping.dmp
  • memory/1212-57-0x0000000073CF0000-0x000000007429B000-memory.dmp
    Filesize: 5.7MB
  • memory/1212-61-0x0000000073CF0000-0x000000007429B000-memory.dmp
    Filesize: 5.7MB
  • memory/1212-58-0x0000000073CF0000-0x000000007429B000-memory.dmp
    Filesize: 5.7MB
  • memory/1212-56-0x0000000076091000-0x0000000076093000-memory.dmp
    Filesize: 8KB
  • memory/1212-55-0x0000000000000000-mapping.dmp
  • memory/1316-72-0x0000000000000000-mapping.dmp
  • memory/1328-71-0x0000000000000000-mapping.dmp
  • memory/1392-73-0x0000000000000000-mapping.dmp
  • memory/1464-70-0x0000000000080000-0x00000000000AA000-memory.dmp
    Filesize: 168KB
  • memory/1464-69-0x0000000000080000-0x00000000000AA000-memory.dmp
    Filesize: 168KB
  • memory/1464-66-0x0000000000000000-mapping.dmp
  • memory/1480-81-0x0000000000000000-mapping.dmp
  • memory/1628-82-0x0000000000000000-mapping.dmp
  • memory/1692-76-0x0000000000000000-mapping.dmp
  • memory/1740-78-0x0000000000000000-mapping.dmp
  • memory/1848-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
    Filesize: 8KB
  • memory/2000-68-0x00000000001C0000-0x00000000001EA000-memory.dmp
    Filesize: 168KB
  • memory/2000-65-0x00000000001C0000-0x00000000001EA000-memory.dmp
    Filesize: 168KB
  • memory/2000-64-0x0000000001D80000-0x0000000001DF3000-memory.dmp
    Filesize: 460KB
  • memory/2000-59-0x0000000000000000-mapping.dmp
  • memory/2016-80-0x0000000000000000-mapping.dmp