qakbot | 9f9f2cdbdd69839ca8bc42311dcd24bc35cdd08f23361f93acc3cec26debe5d2

Resubmissions

20/12/2022, 06:53

221220-hnxazaca31 10

13/12/2022, 21:26

221213-z96j7saf8z 3

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCIM 3863334.img
Size

1.5MB
MD5

fe3c04b654b48971d55d5fdf538d9cc1
SHA1

94354bfee25a993ea43340b334d0f0653856f36e
SHA256

329fb204d7fbedd3aca1478eb5dea12a2ef873e978289695a5be4d3c2a266a99
SHA512

f56f6a420ad6c2cb26808b90126e8a23949298b6fb56e0ba32f11e88fc630b5ef924dd80f322b539c27d3aa1954b1f01f9216bfed56f7c8b4634c044cb0b5c01
SSDEEP

12288:8T3PUXXkw/BRbA1bxGpXOjyejWW9yWzg53kI:Yw/BeWpXOjYWYWzg5kI

Score

10^/10

qakbot obama227 1670928929 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.52

Botnet

obama227

Campaign

1670928929

27.109.19.90:2078

108.44.207.232:443

156.220.0.161:993

77.86.98.236:443

23.242.141.218:2222

108.162.6.34:443

73.223.248.31:443

217.43.16.149:443

91.178.75.146:2222

193.251.52.34:2222

86.165.15.180:2222

73.36.196.11:443

24.228.132.224:2222

86.98.23.199:443

176.151.15.101:443

70.55.120.16:2222

181.164.194.223:443

69.133.162.35:443

92.154.17.149:2222

184.68.116.146:61202

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe
3912	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4368	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3012	cmd.exe
Token: SeManageVolumePrivilege	3012	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4368	4284	rundll32.exe	95
PID 4284 wrote to memory of 4368	4284	rundll32.exe	95
PID 4284 wrote to memory of 4368	4284	rundll32.exe	95
PID 4368 wrote to memory of 3912	4368	rundll32.exe	96
PID 4368 wrote to memory of 3912	4368	rundll32.exe	96
PID 4368 wrote to memory of 3912	4368	rundll32.exe	96
PID 4368 wrote to memory of 3912	4368	rundll32.exe	96
PID 4368 wrote to memory of 3912	4368	rundll32.exe	96

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DCIM 3863334.img"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:636

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
1⤵
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" \desktop.dat,qqqq
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\wermgr.exe
    C:\Windows\SysWOW64\wermgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3912-139-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/3912-140-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/4368-133-0x00000000014D0000-0x00000000014FA000-memory.dmp

Filesize
168KB

Download