Analysis

  • max time kernel
    149s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/02/2023, 17:04

General

  • Target

    x.bat

  • Size

    24B

  • MD5

    4c761c8d5cfa48b9e24ca8759aa5bd6f

  • SHA1

    aa0ad683e37d9570dacd74734c2866c480d78547

  • SHA256

    4936f4877eb907b0053d88c90e3b4a277740038fcf7fa87965d4342fb51515b3

  • SHA512

    3d4fd1a28012a0c5de552dffa1dbe7e399be411273cc7ad5a174f20a705a56ba71c487bdfce1ab4576041a3389ad8827b9d0500b95ab8dca247fba42450cadd9

Malware Config

Extracted

Family

qakbot

Version

404.492

Botnet

BB14

Campaign

1675848844

C2

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\x.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\rundll32.exe
      rundll32.exe x.dll,Wind
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe x.dll,Wind
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:572
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:1824
        • C:\Windows\SysWOW64\msra.exe
          C:\Windows\SysWOW64\msra.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:568

Downloads

  • memory/568-68-0x00000000000C0000-0x00000000000E3000-memory.dmp

    Filesize

    140KB

  • memory/568-69-0x00000000000C0000-0x00000000000E3000-memory.dmp

    Filesize

    140KB

  • memory/968-56-0x0000000075631000-0x0000000075633000-memory.dmp

    Filesize

    8KB

  • memory/968-57-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

  • memory/968-62-0x0000000000130000-0x0000000000133000-memory.dmp

    Filesize

    12KB

  • memory/968-63-0x0000000000130000-0x0000000000133000-memory.dmp

    Filesize

    12KB