qakbot | 696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5q4psw.msi
Size

496KB
MD5

e35727b10193fe55df216a1f9d166997
SHA1

9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a
SHA256

696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d
SHA512

2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d
SSDEEP

12288:wn+NgINNEcfjVRMigNFoILI8KviLjvhAol71Q:wnX9gjVRMDqH8fL154

Score

10^/10

qakbot obama265 1685436052 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.1320

Botnet

obama265

Campaign

1685436052

103.42.86.42:995

174.4.89.3:443

161.142.103.187:995

78.160.146.127:443

84.35.26.14:995

12.172.173.82:20

70.28.50.223:2078

124.149.143.189:2222

70.160.67.203:443

186.64.67.30:443

103.123.223.133:443

94.207.104.225:443

89.114.140.100:443

213.64.33.61:2222

86.176.144.234:2222

72.134.124.16:443

47.34.30.133:443

109.50.149.241:2222

85.104.105.67:443

81.111.108.123:443

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Loads dropped DLL 1 IoCs

pid	Process
1712	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2DB09FCD-7D8E-4C24-BF5D-FB5BD25D67B7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB99.tmp	msiexec.exe
File created	C:\Windows\Installer\e570a91.msi	msiexec.exe
File created	C:\Windows\Installer\e570a8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570a8f.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	msiexec.exe
1492	msiexec.exe
1712	rundll32.exe
1712	rundll32.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe
3932	wermgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1492	msiexec.exe
Token: SeCreateTokenPrivilege	1452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1452	msiexec.exe
Token: SeLockMemoryPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeMachineAccountPrivilege	1452	msiexec.exe
Token: SeTcbPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1452	msiexec.exe
Token: SeTakeOwnershipPrivilege	1452	msiexec.exe
Token: SeLoadDriverPrivilege	1452	msiexec.exe
Token: SeSystemProfilePrivilege	1452	msiexec.exe
Token: SeSystemtimePrivilege	1452	msiexec.exe
Token: SeProfSingleProcessPrivilege	1452	msiexec.exe
Token: SeIncBasePriorityPrivilege	1452	msiexec.exe
Token: SeCreatePagefilePrivilege	1452	msiexec.exe
Token: SeCreatePermanentPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	1452	msiexec.exe
Token: SeRestorePrivilege	1452	msiexec.exe
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeDebugPrivilege	1452	msiexec.exe
Token: SeAuditPrivilege	1452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1452	msiexec.exe
Token: SeChangeNotifyPrivilege	1452	msiexec.exe
Token: SeRemoteShutdownPrivilege	1452	msiexec.exe
Token: SeUndockPrivilege	1452	msiexec.exe
Token: SeSyncAgentPrivilege	1452	msiexec.exe
Token: SeEnableDelegationPrivilege	1452	msiexec.exe
Token: SeManageVolumePrivilege	1452	msiexec.exe
Token: SeImpersonatePrivilege	1452	msiexec.exe
Token: SeCreateGlobalPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe
Token: SeBackupPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1452	msiexec.exe
1452	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1872	1492	msiexec.exe	98
PID 1492 wrote to memory of 1872	1492	msiexec.exe	98
PID 1492 wrote to memory of 4596	1492	msiexec.exe	100
PID 1492 wrote to memory of 4596	1492	msiexec.exe	100
PID 1492 wrote to memory of 1404	1492	msiexec.exe	101
PID 1492 wrote to memory of 1404	1492	msiexec.exe	101
PID 4596 wrote to memory of 1712	4596	rundll32.exe	102
PID 4596 wrote to memory of 1712	4596	rundll32.exe	102
PID 4596 wrote to memory of 1712	4596	rundll32.exe	102
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103
PID 1712 wrote to memory of 3932	1712	rundll32.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5q4psw.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1872
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll,next
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\wermgr.exe
      C:\Windows\SysWOW64\wermgr.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3932
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs
  2⤵
  PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e570a90.rbs

Filesize
9KB

MD5
c4c2870ad9d276fc753680ede5bf3748

SHA1
0c56d7b4b51a825f9c7bad5b85fe087675f93a98

SHA256
a1177a71ea9106b3b3b28957ae17738ebc8c05fbf0f861e76a40328bfa1d9334

SHA512
f806c37fca3498034da775b6f6ea50258e80a890654cd2b87313286c23d3481d7519fab1d809a5a50e9d422a8a664d2cfe935486aaa4543b537fd39049653e36

Download Submit
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

Filesize
930KB

MD5
0c8e5b12b177a199008b2282c7506fff

SHA1
0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

SHA256
9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

SHA512
6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

Download Submit
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\main.dll

Filesize
930KB

MD5
0c8e5b12b177a199008b2282c7506fff

SHA1
0dfee8bae7073512f8bfdabaf0c0b7c882b3864e

SHA256
9a407a2f0ba3c0e3ba3cfa2ffd6472db3bc572b8ef08f1fba7139cbd36cc8dca

SHA512
6464ec42cccb85e7c067ad9f7c8b804d064a6974e8184bc5134436fad004bf87630869c107bb91f87bdc59f7938a8a157f59a436ce0265c070db32a54c4541b5

Download Submit
C:\Users\Admin\AppData\Local\AdobeAcrobatPDFBrowserPlugin\notify.vbs

Filesize
132B

MD5
0d4c9f15ce74465c59ae36a27f98c817

SHA1
9cce8eefa4d3d9c5e161c5dbb860cfe1489c6b1a

SHA256
d24e3399060b51f3a1c9d41a67de2601888a35c99da8db70070d757bb3f1913a

SHA512
9bed0eafc2cf2a2360850ca1070ffb04ac14f04c78379485998a93f45012b5c11cc7f6f68129f65b8b5f90437cb965908c6a1bb9d83a56b068d6bde1d5fdad1f

Download Submit
C:\Windows\Installer\e570a8f.msi

Filesize
496KB

MD5
e35727b10193fe55df216a1f9d166997

SHA1
9ddafa77fc9fdea0085e41aa0f3a1ee0d15d9c8a

SHA256
696156d9a4117cba652b18b012db376fddfbd7db8b26a638c760d61b98d3590d

SHA512
2bba74b0b7f5ee8509310030bb45def13b87394e55edf8d0e51595d6cc669f4b2c7497d95331c09c9f7b453f3c9acdeb03e41cd5e5dc14f9ecb9dd9f79d7ad8d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
dbcc2a29396c97b0dbf045f7584ce6de

SHA1
65ee7393a5a8e01e71a23fa16a85b9e0c094162a

SHA256
1708890e990a39e20fece73710bfc16a4255c56f0f3424151740edf9c726bf83

SHA512
d0c17b3d0dd6377b2cb39a9f7b5cc1b392f7ef70d90806a50d07bc100468096c96a03e119a465973114d4e668528c4f8c11555d5efb3e7fbc2a0058eb9aa0533

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c8a8b6c-e8d3-466c-a088-725b819a4170}_OnDiskSnapshotProp

Filesize
5KB

MD5
c509ebd1ff0a353f0f772958913c9fb1

SHA1
41a954e2fe0f9543a2751fca386326d7101362a1

SHA256
6995d088aac5e989e9140aaf46cc6a31c09280956016e43fd34e14541b073eed

SHA512
aaa8ed4776a144e7b791696b76d0f5da6943adf3a6162687c3d81ffdfc54b0e20407d9e5769de3ee420f53dcdf5a5452bfae749851ec11b9be4b78109725fb71

Download Submit
memory/1712-173-0x0000000010000000-0x0000000010200000-memory.dmp

Filesize
2.0MB

Download
memory/1712-159-0x0000000000570000-0x0000000000573000-memory.dmp

Filesize
12KB

Download
memory/1712-160-0x0000000002250000-0x0000000002274000-memory.dmp

Filesize
144KB

Download
memory/3932-166-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-174-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-175-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-176-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-177-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-172-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/3932-165-0x0000000000F20000-0x0000000000F22000-memory.dmp

Filesize
8KB

Download