Analysis

  • max time kernel
    39s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08/02/2023, 17:04

General

  • Target
    x.bat
  • Size
    24B
  • MD5
    4c761c8d5cfa48b9e24ca8759aa5bd6f
  • SHA1
    aa0ad683e37d9570dacd74734c2866c480d78547
  • SHA256
    4936f4877eb907b0053d88c90e3b4a277740038fcf7fa87965d4342fb51515b3
  • SHA512
    3d4fd1a28012a0c5de552dffa1dbe7e399be411273cc7ad5a174f20a705a56ba71c487bdfce1ab4576041a3389ad8827b9d0500b95ab8dca247fba42450cadd9

Malware Config

Extracted

  • Family
    qakbot
  • Version
    404.492
  • Botnet
    BB14
  • Campaign
    1675848844
  • C2
    70.64.77.115:443
    69.119.123.159:2222
    109.11.175.42:2222
    172.248.42.122:443
    64.130.78.191:443
    24.64.112.40:2078
    71.46.234.171:443
    103.141.50.117:995
    41.231.232.68:995
    183.87.163.165:443
    95.94.41.77:2222
    82.121.195.187:2222
    173.18.126.3:443
    174.68.148.189:443
    12.172.173.82:2087
    84.108.200.161:443
    86.182.184.130:443
    85.59.61.52:2222
    201.244.108.183:995
    123.3.240.16:995
  • Attributes
    salt
    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\x.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\system32\rundll32.exe
      rundll32.exe x.dll,Wind
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe x.dll,Wind
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:4448
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          PID:4544
        • C:\Windows\SysWOW64\msra.exe
          C:\Windows\SysWOW64\msra.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2088

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2088-142-0x0000000001200000-0x0000000001223000-memory.dmp
    Filesize
    140KB
  • memory/2088-143-0x0000000001200000-0x0000000001223000-memory.dmp
    Filesize
    140KB
  • memory/4148-134-0x0000000010000000-0x0000000010023000-memory.dmp
    Filesize
    140KB
  • memory/4148-139-0x0000000002BD0000-0x0000000002BD3000-memory.dmp
    Filesize
    12KB