Overview

overview

10

Static

static

1

raw.js

windows7-x64

10

raw.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2023 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    raw.js

  • Size

    15KB

  • MD5

    37f56794fcc202b0568d6005de64fe12

  • SHA1

    11a3e14c1daff0b32af21d071c1593a9fa3f4975

  • SHA256

    0bbcf926861f0bab4410477493187a89fc7e28b9da5a1bf607c33316f575343f

  • SHA512

    85c23a31c25e814ae95f2c6bad29411cc1cec410ddcadac1a47e7d71c81d99342d1db66c57a01ca81e842a20608b3c57be33f2c939a04f306bb406625354839e

  • SSDEEP

    192:72QHFX0ZcX/Cv3gtMMNcJ5+km8ime6C7IRmX/noHnkpgmlyHnlTjYktAcn/kdeD:iYX/voRacJRHwrYmX/YU+AktAikdo

Score
10/10
qakbotbb291685100431bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.1249

Botnet

BB29

Campaign

1685100431

C2

50.68.186.195:443

66.180.234.51:2222

103.141.50.43:995

69.242.31.249:443

173.88.135.179:443

12.172.173.82:465

86.130.9.242:2222

92.27.86.48:2222

88.126.94.4:50000

113.11.92.30:443

12.172.173.82:995

92.154.17.149:2222

92.135.0.154:2222

212.169.233.141:3389

103.123.223.133:443

12.172.173.82:32101

70.28.50.223:3389

47.21.51.138:443

75.98.154.19:443

47.205.25.170:443

Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\raw.js
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1848
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\ZoomDesktopClient\notify.vbs
      2⤵
        PID:1644
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\ZoomDesktopClient\main.dll,next
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\ZoomDesktopClient\main.dll,next
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\SysWOW64\wermgr.exe
            C:\Windows\SysWOW64\wermgr.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:868
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:936
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "00000000000003DC"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:1684

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\6d3ad2.rbs
        Filesize

        8KB

        MD5

        5e5468f7d25a33c039643707a22e1750

        SHA1

        d1caea38f6fae5b7de107016a6db68d2a1553fef

        SHA256

        7d3cb0a8f6752822731c920d18eedf2dc0007ee8c27069593dfa3f6c7023fe60

        SHA512

        4e87592876dc93ee94f69aa54fcf280906126c4d218d45bf08d9907992b15bb0e154f2ceddd059ad84614e64fe2a8fe565c17151eb6f4abacf0411ec94897b32

        Download Submit

      • C:\Users\Admin\AppData\Local\ZoomDesktopClient\main.dll
        Filesize

        727KB

        MD5

        880aaeb61626ae9a43cc8aae144d949a

        SHA1

        7f6bde013a551b9ecd609e364c8db8c568e1660b

        SHA256

        6c0d3531c95bf245d6413dc7f3bf5739fc41f6064bf6d8fc66443f8e46d9ffd2

        SHA512

        b27b685bc27973c47ff6c53a9fd3a8d7aa963c27240d36eb9c1f78f3d2d24a79ca15374ec5bc88a70a1a3f4986acf60cb37807b294f658953f750810127b13a2

        Download Submit

      • C:\Users\Admin\AppData\Local\ZoomDesktopClient\notify.vbs
        Filesize

        106B

        MD5

        81bc3c331877bbb6f1d9688813402d28

        SHA1

        c06175deba61f3eb2ee47893d26dcfbf680d7b20

        SHA256

        6142d9959be3e3d6276d33b6a8f5feac0116da002ae847f96079d7371974919f

        SHA512

        31da6db1ea4780852fd941f9a887693fae756c369b3c3ae71f76ba331445fa82b33bcea43c67df4c5df555055556242b172c0c256d0ea9f1bf190b70816bdf6f

        Download Submit

      • C:\Windows\Installer\MSIB904.tmp
        Filesize

        416KB

        MD5

        84f60d908dc7e65d585d1f1e51a1c211

        SHA1

        09d7ae37353a93c2d3651cfb7c70b2a164a169c4

        SHA256

        a9740680f1c75a1b5ceb136f04ab322d3dcec86bb4102e54de16c72cb3970dd5

        SHA512

        6a251b9facaf407fce79715a2bc9853133a66ba9edf4ce9465e23b4de9d0f663ff45b1bd7e620bce2f44e603e321592ff6414d0e17dd65a4c683f0b89d3044c3

        Download Submit

      • \Users\Admin\AppData\Local\ZoomDesktopClient\main.dll
        Filesize

        727KB

        MD5

        880aaeb61626ae9a43cc8aae144d949a

        SHA1

        7f6bde013a551b9ecd609e364c8db8c568e1660b

        SHA256

        6c0d3531c95bf245d6413dc7f3bf5739fc41f6064bf6d8fc66443f8e46d9ffd2

        SHA512

        b27b685bc27973c47ff6c53a9fd3a8d7aa963c27240d36eb9c1f78f3d2d24a79ca15374ec5bc88a70a1a3f4986acf60cb37807b294f658953f750810127b13a2

        Download Submit

      • \Users\Admin\AppData\Local\ZoomDesktopClient\main.dll
        Filesize

        727KB

        MD5

        880aaeb61626ae9a43cc8aae144d949a

        SHA1

        7f6bde013a551b9ecd609e364c8db8c568e1660b

        SHA256

        6c0d3531c95bf245d6413dc7f3bf5739fc41f6064bf6d8fc66443f8e46d9ffd2

        SHA512

        b27b685bc27973c47ff6c53a9fd3a8d7aa963c27240d36eb9c1f78f3d2d24a79ca15374ec5bc88a70a1a3f4986acf60cb37807b294f658953f750810127b13a2

        Download Submit

      • \Users\Admin\AppData\Local\ZoomDesktopClient\main.dll
        Filesize

        727KB

        MD5

        880aaeb61626ae9a43cc8aae144d949a

        SHA1

        7f6bde013a551b9ecd609e364c8db8c568e1660b

        SHA256

        6c0d3531c95bf245d6413dc7f3bf5739fc41f6064bf6d8fc66443f8e46d9ffd2

        SHA512

        b27b685bc27973c47ff6c53a9fd3a8d7aa963c27240d36eb9c1f78f3d2d24a79ca15374ec5bc88a70a1a3f4986acf60cb37807b294f658953f750810127b13a2

        Download Submit

      • \Users\Admin\AppData\Local\ZoomDesktopClient\main.dll
        Filesize

        727KB

        MD5

        880aaeb61626ae9a43cc8aae144d949a

        SHA1

        7f6bde013a551b9ecd609e364c8db8c568e1660b

        SHA256

        6c0d3531c95bf245d6413dc7f3bf5739fc41f6064bf6d8fc66443f8e46d9ffd2

        SHA512

        b27b685bc27973c47ff6c53a9fd3a8d7aa963c27240d36eb9c1f78f3d2d24a79ca15374ec5bc88a70a1a3f4986acf60cb37807b294f658953f750810127b13a2

        Download Submit

      • memory/868-98-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/868-97-0x00000000000B0000-0x00000000000B2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/868-104-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/868-106-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/868-107-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/868-108-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/868-109-0x0000000000080000-0x00000000000A4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1920-89-0x0000000000170000-0x0000000000194000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1920-94-0x0000000010000000-0x00000000100BD000-memory.dmp

        Filesize

        756KB

        Download

      • memory/1920-88-0x0000000000160000-0x0000000000163000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1920-105-0x0000000010000000-0x00000000100BD000-memory.dmp

        Filesize

        756KB

        Download