qakbot | 0ab3186065e48ac254a736411ed9a6a47264aacfae7b849f4bbc57187e8da828

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/12/2022, 15:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

enjoying-H76.wsf
Size

484B
MD5

886626f72e3b4e7eaf76d806c853d3e6
SHA1

2f8daa763b0ae68e118be1cd5a78d3a1ea154da2
SHA256

405b8f2cb367e0fad300fcda2f7a93b17b2cf4e545a5ae0709a1a63d7fcf7cbe
SHA512

0f340cad2baa62cbbab8be9c21acded0d6525f21f8973652f1cf3623a66a5ded9cac353014c6fe520310292f90ad4e8e8ecbcc89b0631c079a1a9843eb9f1701

Score

10^/10

qakbot bb11 1671792531 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

BB11

Campaign

1671792531

116.74.162.173:443

108.6.249.139:443

2.99.47.198:2222

89.79.229.50:443

89.152.120.181:443

152.170.17.136:443

197.0.175.244:443

83.248.199.56:443

84.113.121.103:443

175.139.207.179:2222

190.78.77.15:993

162.248.14.107:443

184.153.132.82:443

12.172.173.82:995

12.172.173.82:50001

37.15.128.31:2222

178.142.126.181:443

176.142.207.63:443

199.83.165.233:443

93.147.134.85:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 1 IoCs

pid	Process
1328	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	rundll32.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe
1116	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1328	rundll32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 868	1812	WScript.exe	28
PID 1812 wrote to memory of 868	1812	WScript.exe	28
PID 1812 wrote to memory of 868	1812	WScript.exe	28
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 868 wrote to memory of 1328	868	rundll32.exe	29
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30
PID 1328 wrote to memory of 1116	1328	rundll32.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\enjoying-H76.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\i.txt,Updt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\i.txt,Updt
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\i.txt

Filesize
817KB

MD5
49b9c7ceb82aa902d1450f18ce6eefb2

SHA1
ae26b23113dd4b629885d89867fd44698a2f7423

SHA256
4db8d023ec1ca958af48ad3f43e1199c167d5081f311abc202ebd47607b4c648

SHA512
003e37990c3ef42c865a09f5e227e7f7cd1c2c615f1c47a81b1d33efdc04dad1b3935a17d69926b4391406cc5fbd3d87ed54968a2c737b3e37afd97fed2f41d2

Download Submit
\Users\Admin\i.txt

Filesize
817KB

MD5
49b9c7ceb82aa902d1450f18ce6eefb2

SHA1
ae26b23113dd4b629885d89867fd44698a2f7423

SHA256
4db8d023ec1ca958af48ad3f43e1199c167d5081f311abc202ebd47607b4c648

SHA512
003e37990c3ef42c865a09f5e227e7f7cd1c2c615f1c47a81b1d33efdc04dad1b3935a17d69926b4391406cc5fbd3d87ed54968a2c737b3e37afd97fed2f41d2

Download Submit
memory/1116-66-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1116-67-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1328-57-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1328-59-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download