Analysis

  • max time kernel
    61s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/02/2023, 16:58

General

  • Target

    x.bat

  • Size

    24B

  • MD5

    4c761c8d5cfa48b9e24ca8759aa5bd6f

  • SHA1

    aa0ad683e37d9570dacd74734c2866c480d78547

  • SHA256

    4936f4877eb907b0053d88c90e3b4a277740038fcf7fa87965d4342fb51515b3

  • SHA512

    3d4fd1a28012a0c5de552dffa1dbe7e399be411273cc7ad5a174f20a705a56ba71c487bdfce1ab4576041a3389ad8827b9d0500b95ab8dca247fba42450cadd9

Malware Config

Extracted

Family

qakbot

Version

404.506

Botnet

obama238

Campaign

1675870889

C2

81.229.117.95:2222

46.24.103.218:2078

74.92.243.113:50000

213.31.90.183:2222

103.71.21.107:443

27.109.19.90:2078

82.36.36.76:443

71.31.101.183:443

198.2.51.242:993

91.68.227.219:443

88.111.182.118:2222

68.150.18.161:443

50.68.204.71:995

76.27.40.189:443

2.98.146.106:995

70.121.198.103:2078

76.80.180.154:995

197.148.17.17:2078

12.172.173.82:32101

98.147.155.235:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\x.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\system32\rundll32.exe
      rundll32.exe x.dll,Wind
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe x.dll,Wind
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4252
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:1408
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:4408
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 360
            5⤵
            • Program crash
            PID:3424
        • C:\Windows\SysWOW64\msra.exe
          C:\Windows\SysWOW64\msra.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4408 -ip 4408
    1⤵
    PID:1492

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2856-143-0x0000000000800000-0x0000000000823000-memory.dmp
    Filesize: 140KB

  • memory/2856-144-0x0000000000800000-0x0000000000823000-memory.dmp
    Filesize: 140KB

  • memory/4252-134-0x0000000010000000-0x0000000010023000-memory.dmp
    Filesize: 140KB

  • memory/4252-137-0x00000000009D0000-0x00000000009D3000-memory.dmp
    Filesize: 12KB

  • memory/4252-141-0x00000000009D0000-0x00000000009D3000-memory.dmp
    Filesize: 12KB