Analysis

  • max time kernel
    939s
  • max time network
    934s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2022 01:24

General

  • Target

    Document/RecentInformation.cmd

  • Size

    14KB

  • MD5

    f18d614e3540584b79d49e0cfcb0e88f

  • SHA1

    8fe4e33c8e800c44831189a569f00917bd1122e7

  • SHA256

    8fbddac0206ad7bfb20fd8fd52039af73cc3915993a329a6dfe586d439742c3d

  • SHA512

    c2f61e870018974f4a9c7bf555ea351d372db6fa3970d298d14d3e6d79f7e8d7cb6c772d21d57f79c3c993b3293994ccdd7f313585f41d0398e1e9d375e8e360

  • SSDEEP

    192:lYPZ+xip5B0Nq0ExipR0pv436X74KWbRbtP3oZY:A+xKS4xKkPkrtbN36Y

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

azd

Campaign

1671805456

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Document\RecentInformation.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\system32\rundll32.exe
      rundll32 /s newinformation.new,Updt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 /s newinformation.new,Updt
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\SysWOW64\net.exe
            net view
            5⤵
            • Discovers systems in the same network
            PID:1636
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c set
            5⤵
            PID:1420
          • C:\Windows\SysWOW64\arp.exe
            arp -a
            5⤵
            PID:2024
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            5⤵
            • Gathers network information
            PID:1772
          • C:\Windows\SysWOW64\nslookup.exe
            nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
            5⤵
            PID:1180
          • C:\Windows\SysWOW64\net.exe
            net share
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:672
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 share
              6⤵
              PID:284
          • C:\Windows\SysWOW64\route.exe
            route print
            5⤵
            PID:1908
          • C:\Windows\SysWOW64\netstat.exe
            netstat -nao
            5⤵
            • Gathers network information
            • Suspicious use of AdjustPrivilegeToken
            PID:1244
          • C:\Windows\SysWOW64\net.exe
            net localgroup
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup
              6⤵
              PID:1044
          • C:\Windows\SysWOW64\whoami.exe
            whoami /all
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:980
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1752

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface (T1059): 1

Discovery

  • Remote System Discovery (T1018): 1
  • System Information Discovery (T1082): 1
