Analysis

  • max time kernel
    151s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-06-2023 18:53

General

  • Target

    qak.bat

  • Size

    25B

  • MD5

    424453ad642c8ce93f83050149acf5fd

  • SHA1

    f4a96928b74f7f3ff0166d4994f9655212e0dabc

  • SHA256

    5235bde4a41039070e2bb59ab109bc9fd131fe3a407f5efa59f9165c3f638e96

  • SHA512

    9b2cce8aeda846fac949f1e209c76f0f60025ab8bff14e3277e1800864e53374e845adda77f4db37de3b28c2e13d5a2986b9f3f50642093421e5217e501fc4c7

Malware Config

Extracted

Family

qakbot

Version

404.1346

Botnet

BB31

Campaign

1685959443

C2


Signatures

  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\qak.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\rundll32.exe
      rundll32.exe qak.dll,next
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe qak.dll,next
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Windows\SysWOW64\wermgr.exe
          C:\Windows\SysWOW64\wermgr.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1452
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1448

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1448-72-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
  • memory/1448-73-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize: 5.9MB)
  • memory/1452-60-0x00000000000B0000-0x00000000000B2000-memory.dmp (Filesize: 8KB)
  • memory/1452-61-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1452-67-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1452-68-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1452-69-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1452-70-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1452-71-0x0000000000080000-0x00000000000A4000-memory.dmp (Filesize: 144KB)
  • memory/1968-54-0x0000000000170000-0x0000000000173000-memory.dmp (Filesize: 12KB)
  • memory/1968-55-0x0000000000190000-0x00000000001B4000-memory.dmp (Filesize: 144KB)