qakbot | 0af20bafea6a34fceaba57171fd8d8fed74b3dd1b007503ab12dae115dde7c0d

General

Target

SCAN_WE2280/YouNewRules/NewIssues.cmd
Size

9KB
MD5

e17d2c748aa43b447c7dbcc654ed7ac1
SHA1

c1c00fd60968203cf76c1d50392f4d2725a71220
SHA256

6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352
SHA512

93c9aee06e2ffc2bd7711d299564debcd18804106b512ca9c736e49994a1e6ae09ae98f63302ef3c4b8d472152b36b82b21f1b6d4cdc17eff53358e1efc40c8c
SSDEEP

192:wa7Yp9CAdtjOZCukOEQ5OWGTGa1EUTPLtrpdfr8S83rgaRqWLU3:D7+IAdNOZwOEQ5OWGTGa/TPLtrzT8S8Y

Score

10^/10

qakbot azd 1670585059 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

azd

Campaign

1670585059

C2

173.239.94.212:443

91.169.12.198:32100

74.66.134.24:443

66.191.69.18:995

182.75.189.42:995

78.69.251.252:2222

98.145.23.67:443

103.71.21.107:443

197.94.219.133:443

91.68.227.219:443

12.172.173.82:993

86.176.83.127:2222

64.121.161.102:443

41.98.21.114:443

92.154.17.149:2222

151.65.67.211:443

89.129.109.27:2222

76.11.14.249:443

69.119.123.159:2222

70.66.199.12:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2160 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

4056 ipconfig.exe
1368 netstat.exe
Runs net.exe

pid	process
2160	net.exe

pid	process
4056	ipconfig.exe
1368	netstat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
364	rundll32.exe
364	rundll32.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe
3808	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

364 rundll32.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

netstat.exewhoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1368	netstat.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeDebugPrivilege	4588	whoami.exe
Token: SeSecurityPrivilege	3568	msiexec.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.exerundll32.exerundll32.exewermgr.exenet.exenet.exe

description	pid	process	target process
PID 3448 wrote to memory of 4220	3448	cmd.exe	rundll32.exe
PID 3448 wrote to memory of 4220	3448	cmd.exe	rundll32.exe
PID 4220 wrote to memory of 364	4220	rundll32.exe	rundll32.exe
PID 4220 wrote to memory of 364	4220	rundll32.exe	rundll32.exe
PID 4220 wrote to memory of 364	4220	rundll32.exe	rundll32.exe
PID 364 wrote to memory of 3808	364	rundll32.exe	wermgr.exe
PID 364 wrote to memory of 3808	364	rundll32.exe	wermgr.exe
PID 364 wrote to memory of 3808	364	rundll32.exe	wermgr.exe
PID 364 wrote to memory of 3808	364	rundll32.exe	wermgr.exe
PID 364 wrote to memory of 3808	364	rundll32.exe	wermgr.exe
PID 3808 wrote to memory of 2160	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 2160	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 2160	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 4612	3808	wermgr.exe	cmd.exe
PID 3808 wrote to memory of 4612	3808	wermgr.exe	cmd.exe
PID 3808 wrote to memory of 4612	3808	wermgr.exe	cmd.exe
PID 3808 wrote to memory of 448	3808	wermgr.exe	arp.exe
PID 3808 wrote to memory of 448	3808	wermgr.exe	arp.exe
PID 3808 wrote to memory of 448	3808	wermgr.exe	arp.exe
PID 3808 wrote to memory of 4056	3808	wermgr.exe	ipconfig.exe
PID 3808 wrote to memory of 4056	3808	wermgr.exe	ipconfig.exe
PID 3808 wrote to memory of 4056	3808	wermgr.exe	ipconfig.exe
PID 3808 wrote to memory of 2752	3808	wermgr.exe	nslookup.exe
PID 3808 wrote to memory of 2752	3808	wermgr.exe	nslookup.exe
PID 3808 wrote to memory of 2752	3808	wermgr.exe	nslookup.exe
PID 3808 wrote to memory of 3408	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 3408	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 3408	3808	wermgr.exe	net.exe
PID 3408 wrote to memory of 2256	3408	net.exe	net1.exe
PID 3408 wrote to memory of 2256	3408	net.exe	net1.exe
PID 3408 wrote to memory of 2256	3408	net.exe	net1.exe
PID 3808 wrote to memory of 4352	3808	wermgr.exe	route.exe
PID 3808 wrote to memory of 4352	3808	wermgr.exe	route.exe
PID 3808 wrote to memory of 4352	3808	wermgr.exe	route.exe
PID 3808 wrote to memory of 1368	3808	wermgr.exe	netstat.exe
PID 3808 wrote to memory of 1368	3808	wermgr.exe	netstat.exe
PID 3808 wrote to memory of 1368	3808	wermgr.exe	netstat.exe
PID 3808 wrote to memory of 4548	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 4548	3808	wermgr.exe	net.exe
PID 3808 wrote to memory of 4548	3808	wermgr.exe	net.exe
PID 4548 wrote to memory of 3976	4548	net.exe	net1.exe
PID 4548 wrote to memory of 3976	4548	net.exe	net1.exe
PID 4548 wrote to memory of 3976	4548	net.exe	net1.exe
PID 3808 wrote to memory of 4588	3808	wermgr.exe	whoami.exe
PID 3808 wrote to memory of 4588	3808	wermgr.exe	whoami.exe
PID 3808 wrote to memory of 4588	3808	wermgr.exe	whoami.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCAN_WE2280\YouNewRules\NewIssues.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\system32\rundll32.exe
rundll32 /s newinvoice.patch,DrawThemeIcon
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s newinvoice.patch,DrawThemeIcon
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:4612

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:448

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:4056

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:2752

C:\Windows\SysWOW64\net.exe
net share
5⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:2256

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:4352

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:3976

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-137-0x00000000030F0000-0x000000000311A000-memory.dmp

Filesize
168KB

Download
memory/364-133-0x0000000000000000-mapping.dmp

Download
memory/364-134-0x00000000030C0000-0x00000000030EA000-memory.dmp

Filesize
168KB

Download
memory/364-135-0x00000000030F0000-0x000000000311A000-memory.dmp

Filesize
168KB

Download
memory/448-142-0x0000000000000000-mapping.dmp

Download
memory/1368-148-0x0000000000000000-mapping.dmp

Download
memory/2160-140-0x0000000000000000-mapping.dmp

Download
memory/2256-146-0x0000000000000000-mapping.dmp

Download
memory/2752-144-0x0000000000000000-mapping.dmp

Download
memory/3408-145-0x0000000000000000-mapping.dmp

Download
memory/3808-139-0x0000000000D00000-0x0000000000D2A000-memory.dmp

Filesize
168KB

Download
memory/3808-136-0x0000000000000000-mapping.dmp

Download
memory/3808-138-0x0000000000D00000-0x0000000000D2A000-memory.dmp

Filesize
168KB

Download
memory/3976-150-0x0000000000000000-mapping.dmp

Download
memory/4056-143-0x0000000000000000-mapping.dmp

Download
memory/4220-132-0x0000000000000000-mapping.dmp

Download
memory/4352-147-0x0000000000000000-mapping.dmp

Download
memory/4548-149-0x0000000000000000-mapping.dmp

Download
memory/4588-151-0x0000000000000000-mapping.dmp

Download
memory/4612-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads