qakbot | 0af20bafea6a34fceaba57171fd8d8fed74b3dd1b007503ab12dae115dde7c0d

General

Target

SCAN_WE2280/SCAN_WE2280.lnk
Size

2KB
MD5

6511778c2763f9ef59c9d7a4d65dd44a
SHA1

ccd6876de18508b9cc1540d38c04c4dee0359db3
SHA256

b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca
SHA512

6e4bfd7d71202244ce642b5a7ef43c864875b3d1c31bbe45f2dd99e5294bd68500b665c3be2e2cc25a31f6ccbc2cef59f2de8da9d14aee39369d5ce1dd6a162e

Score

10^/10

qakbot azd 1670585059 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

azd

Campaign

1670585059

C2

173.239.94.212:443

91.169.12.198:32100

74.66.134.24:443

66.191.69.18:995

182.75.189.42:995

78.69.251.252:2222

98.145.23.67:443

103.71.21.107:443

197.94.219.133:443

91.68.227.219:443

12.172.173.82:993

86.176.83.127:2222

64.121.161.102:443

41.98.21.114:443

92.154.17.149:2222

151.65.67.211:443

89.129.109.27:2222

76.11.14.249:443

69.119.123.159:2222

70.66.199.12:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

5004 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

2080 ipconfig.exe
812 netstat.exe
Runs net.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
5004	net.exe

pid	process
2080	ipconfig.exe
812	netstat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4744	rundll32.exe
4744	rundll32.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe
4956	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4744 rundll32.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

netstat.exewhoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	812	netstat.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeDebugPrivilege	4124	whoami.exe
Token: SeSecurityPrivilege	1116	msiexec.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.execmd.exerundll32.exerundll32.exewermgr.exenet.exenet.exe

description	pid	process	target process
PID 4892 wrote to memory of 4624	4892	cmd.exe	cmd.exe
PID 4892 wrote to memory of 4624	4892	cmd.exe	cmd.exe
PID 4624 wrote to memory of 1716	4624	cmd.exe	rundll32.exe
PID 4624 wrote to memory of 1716	4624	cmd.exe	rundll32.exe
PID 1716 wrote to memory of 4744	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 4744	1716	rundll32.exe	rundll32.exe
PID 1716 wrote to memory of 4744	1716	rundll32.exe	rundll32.exe
PID 4744 wrote to memory of 4956	4744	rundll32.exe	wermgr.exe
PID 4744 wrote to memory of 4956	4744	rundll32.exe	wermgr.exe
PID 4744 wrote to memory of 4956	4744	rundll32.exe	wermgr.exe
PID 4744 wrote to memory of 4956	4744	rundll32.exe	wermgr.exe
PID 4744 wrote to memory of 4956	4744	rundll32.exe	wermgr.exe
PID 4956 wrote to memory of 5004	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 5004	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 5004	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 4304	4956	wermgr.exe	cmd.exe
PID 4956 wrote to memory of 4304	4956	wermgr.exe	cmd.exe
PID 4956 wrote to memory of 4304	4956	wermgr.exe	cmd.exe
PID 4956 wrote to memory of 4992	4956	wermgr.exe	arp.exe
PID 4956 wrote to memory of 4992	4956	wermgr.exe	arp.exe
PID 4956 wrote to memory of 4992	4956	wermgr.exe	arp.exe
PID 4956 wrote to memory of 2080	4956	wermgr.exe	ipconfig.exe
PID 4956 wrote to memory of 2080	4956	wermgr.exe	ipconfig.exe
PID 4956 wrote to memory of 2080	4956	wermgr.exe	ipconfig.exe
PID 4956 wrote to memory of 4084	4956	wermgr.exe	nslookup.exe
PID 4956 wrote to memory of 4084	4956	wermgr.exe	nslookup.exe
PID 4956 wrote to memory of 4084	4956	wermgr.exe	nslookup.exe
PID 4956 wrote to memory of 2056	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 2056	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 2056	4956	wermgr.exe	net.exe
PID 2056 wrote to memory of 4908	2056	net.exe	net1.exe
PID 2056 wrote to memory of 4908	2056	net.exe	net1.exe
PID 2056 wrote to memory of 4908	2056	net.exe	net1.exe
PID 4956 wrote to memory of 2356	4956	wermgr.exe	route.exe
PID 4956 wrote to memory of 2356	4956	wermgr.exe	route.exe
PID 4956 wrote to memory of 2356	4956	wermgr.exe	route.exe
PID 4956 wrote to memory of 812	4956	wermgr.exe	netstat.exe
PID 4956 wrote to memory of 812	4956	wermgr.exe	netstat.exe
PID 4956 wrote to memory of 812	4956	wermgr.exe	netstat.exe
PID 4956 wrote to memory of 2060	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 2060	4956	wermgr.exe	net.exe
PID 4956 wrote to memory of 2060	4956	wermgr.exe	net.exe
PID 2060 wrote to memory of 4556	2060	net.exe	net1.exe
PID 2060 wrote to memory of 4556	2060	net.exe	net1.exe
PID 2060 wrote to memory of 4556	2060	net.exe	net1.exe
PID 4956 wrote to memory of 4124	4956	wermgr.exe	whoami.exe
PID 4956 wrote to memory of 4124	4956	wermgr.exe	whoami.exe
PID 4956 wrote to memory of 4124	4956	wermgr.exe	whoami.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SCAN_WE2280\SCAN_WE2280.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
2⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\system32\rundll32.exe
rundll32 /s newinvoice.patch,DrawThemeIcon
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s newinvoice.patch,DrawThemeIcon
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\net.exe
net view
6⤵
- Discovers systems in the same network
PID:5004

C:\Windows\SysWOW64\cmd.exe
cmd /c set
6⤵
PID:4304

C:\Windows\SysWOW64\arp.exe
arp -a
6⤵
PID:4992

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:2080

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
6⤵
PID:4084

C:\Windows\SysWOW64\net.exe
net share
6⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
7⤵
PID:4908

C:\Windows\SysWOW64\route.exe
route print
6⤵
PID:2356

C:\Windows\SysWOW64\netstat.exe
netstat -nao
6⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\net.exe
net localgroup
6⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
7⤵
PID:4556

C:\Windows\SysWOW64\whoami.exe
whoami /all
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/812-149-0x0000000000000000-mapping.dmp

Download
memory/1716-133-0x0000000000000000-mapping.dmp

Download
memory/2056-146-0x0000000000000000-mapping.dmp

Download
memory/2060-150-0x0000000000000000-mapping.dmp

Download
memory/2080-144-0x0000000000000000-mapping.dmp

Download
memory/2356-148-0x0000000000000000-mapping.dmp

Download
memory/4084-145-0x0000000000000000-mapping.dmp

Download
memory/4124-153-0x0000000000000000-mapping.dmp

Download
memory/4304-142-0x0000000000000000-mapping.dmp

Download
memory/4556-151-0x0000000000000000-mapping.dmp

Download
memory/4624-132-0x0000000000000000-mapping.dmp

Download
memory/4744-138-0x0000000002A50000-0x0000000002A7A000-memory.dmp

Filesize
168KB

Download
memory/4744-136-0x0000000002A50000-0x0000000002A7A000-memory.dmp

Filesize
168KB

Download
memory/4744-135-0x0000000002A20000-0x0000000002A4A000-memory.dmp

Filesize
168KB

Download
memory/4744-134-0x0000000000000000-mapping.dmp

Download
memory/4908-147-0x0000000000000000-mapping.dmp

Download
memory/4956-140-0x0000000000D80000-0x0000000000DAA000-memory.dmp

Filesize
168KB

Download
memory/4956-139-0x0000000000D80000-0x0000000000DAA000-memory.dmp

Filesize
168KB

Download
memory/4956-137-0x0000000000000000-mapping.dmp

Download
memory/4992-143-0x0000000000000000-mapping.dmp

Download
memory/5004-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads