qakbot | cbb5114f1dd640b0190d01edcd3a3a8735bd77765c162ab8be0e19bc160de52a

General

Target

Document/RecentInformation.cmd
Size

14KB
MD5

f18d614e3540584b79d49e0cfcb0e88f
SHA1

8fe4e33c8e800c44831189a569f00917bd1122e7
SHA256

8fbddac0206ad7bfb20fd8fd52039af73cc3915993a329a6dfe586d439742c3d
SHA512

c2f61e870018974f4a9c7bf555ea351d372db6fa3970d298d14d3e6d79f7e8d7cb6c772d21d57f79c3c993b3293994ccdd7f313585f41d0398e1e9d375e8e360
SSDEEP

192:lYPZ+xip5B0Nq0ExipR0pv436X74KWbRbtP3oZY:A+xKS4xKkPkrtbN36Y

Score

10^/10

qakbot azd 1671805456 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

azd

Campaign

1671805456

C2

79.77.142.22:2222

70.51.134.110:2222

156.217.79.168:995

93.156.98.4:443

108.6.249.139:443

89.152.120.181:443

152.170.17.136:443

83.248.199.56:443

136.35.241.159:443

72.200.109.104:443

84.113.121.103:443

38.166.41.88:2087

173.178.151.233:443

85.72.107.2:2222

91.254.132.23:443

195.198.103.184:443

96.255.66.51:995

178.142.126.181:443

176.142.207.63:443

199.83.165.233:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

1632 net.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

4764 ipconfig.exe
4604 netstat.exe
Runs net.exe

pid	process
1632	net.exe

pid	process
4764	ipconfig.exe
4604	netstat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4644	rundll32.exe
4644	rundll32.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe
4284	wermgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4644 rundll32.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

netstat.exewhoami.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4604	netstat.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeDebugPrivilege	3032	whoami.exe
Token: SeSecurityPrivilege	4064	msiexec.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

cmd.exerundll32.exerundll32.exewermgr.exenet.exenet.exe

description	pid	process	target process
PID 3460 wrote to memory of 5012	3460	cmd.exe	rundll32.exe
PID 3460 wrote to memory of 5012	3460	cmd.exe	rundll32.exe
PID 5012 wrote to memory of 4644	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4644	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4644	5012	rundll32.exe	rundll32.exe
PID 4644 wrote to memory of 4284	4644	rundll32.exe	wermgr.exe
PID 4644 wrote to memory of 4284	4644	rundll32.exe	wermgr.exe
PID 4644 wrote to memory of 4284	4644	rundll32.exe	wermgr.exe
PID 4644 wrote to memory of 4284	4644	rundll32.exe	wermgr.exe
PID 4644 wrote to memory of 4284	4644	rundll32.exe	wermgr.exe
PID 4284 wrote to memory of 1632	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 1632	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 1632	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 4900	4284	wermgr.exe	cmd.exe
PID 4284 wrote to memory of 4900	4284	wermgr.exe	cmd.exe
PID 4284 wrote to memory of 4900	4284	wermgr.exe	cmd.exe
PID 4284 wrote to memory of 548	4284	wermgr.exe	arp.exe
PID 4284 wrote to memory of 548	4284	wermgr.exe	arp.exe
PID 4284 wrote to memory of 548	4284	wermgr.exe	arp.exe
PID 4284 wrote to memory of 4764	4284	wermgr.exe	ipconfig.exe
PID 4284 wrote to memory of 4764	4284	wermgr.exe	ipconfig.exe
PID 4284 wrote to memory of 4764	4284	wermgr.exe	ipconfig.exe
PID 4284 wrote to memory of 5020	4284	wermgr.exe	nslookup.exe
PID 4284 wrote to memory of 5020	4284	wermgr.exe	nslookup.exe
PID 4284 wrote to memory of 5020	4284	wermgr.exe	nslookup.exe
PID 4284 wrote to memory of 3492	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 3492	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 3492	4284	wermgr.exe	net.exe
PID 3492 wrote to memory of 3956	3492	net.exe	net1.exe
PID 3492 wrote to memory of 3956	3492	net.exe	net1.exe
PID 3492 wrote to memory of 3956	3492	net.exe	net1.exe
PID 4284 wrote to memory of 4180	4284	wermgr.exe	route.exe
PID 4284 wrote to memory of 4180	4284	wermgr.exe	route.exe
PID 4284 wrote to memory of 4180	4284	wermgr.exe	route.exe
PID 4284 wrote to memory of 4604	4284	wermgr.exe	netstat.exe
PID 4284 wrote to memory of 4604	4284	wermgr.exe	netstat.exe
PID 4284 wrote to memory of 4604	4284	wermgr.exe	netstat.exe
PID 4284 wrote to memory of 1728	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 1728	4284	wermgr.exe	net.exe
PID 4284 wrote to memory of 1728	4284	wermgr.exe	net.exe
PID 1728 wrote to memory of 3212	1728	net.exe	net1.exe
PID 1728 wrote to memory of 3212	1728	net.exe	net1.exe
PID 1728 wrote to memory of 3212	1728	net.exe	net1.exe
PID 4284 wrote to memory of 3032	4284	wermgr.exe	whoami.exe
PID 4284 wrote to memory of 3032	4284	wermgr.exe	whoami.exe
PID 4284 wrote to memory of 3032	4284	wermgr.exe	whoami.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Document\RecentInformation.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\system32\rundll32.exe
rundll32 /s newinformation.new,Updt
2⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s newinformation.new,Updt
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:4900

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:548

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:4764

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:5020

C:\Windows\SysWOW64\net.exe
net share
5⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:3956

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:4180

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:3212

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-144-0x0000000000000000-mapping.dmp

Download
memory/1632-142-0x0000000000000000-mapping.dmp

Download
memory/1728-151-0x0000000000000000-mapping.dmp

Download
memory/3032-153-0x0000000000000000-mapping.dmp

Download
memory/3212-152-0x0000000000000000-mapping.dmp

Download
memory/3492-147-0x0000000000000000-mapping.dmp

Download
memory/3956-148-0x0000000000000000-mapping.dmp

Download
memory/4180-149-0x0000000000000000-mapping.dmp

Download
memory/4284-141-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/4284-140-0x0000000000D30000-0x0000000000D5A000-memory.dmp

Filesize
168KB

Download
memory/4284-139-0x0000000000000000-mapping.dmp

Download
memory/4604-150-0x0000000000000000-mapping.dmp

Download
memory/4644-134-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4644-133-0x0000000000000000-mapping.dmp

Download
memory/4764-145-0x0000000000000000-mapping.dmp

Download
memory/4900-143-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download
memory/5020-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads