Overview

overview

10

Static

static

1

F12.wsf

windows11-21h2-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    16s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-12-2024 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F12.wsf

  • Size

    102.2MB

  • MD5

    71dc49c8604801a97f6c2650fecc7905

  • SHA1

    4c686cb740384db18febff3a9e230935cc71451e

  • SHA256

    eca4870cb095914b3ea2e75bf4362ef7ada9d207995ae850e67d52cda0b5aff5

  • SHA512

    b1f47d228af3fd83af27162c1d7cae3407893531379862ea4d099d9def200fc3e13d49a0792c4ba8d8f1ef1c3c40e635702cac9137ad1729aabe3cc00dffc3be

  • SSDEEP

    24576:Q4PRw+wFwJGwgwsZicphuWJmknFM+9zKhGCN0sigLe:zPRw+wFwJGwgwz

Score
10/10
qakbotbb111671725928bankerdiscoverystealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.66

Botnet

BB11

Campaign

1671725928

C2

27.109.19.90:2078

50.68.204.71:995

217.43.16.149:443

181.118.206.65:995

152.171.41.171:443

98.187.21.2:443

121.121.100.148:995

87.252.106.197:995

172.90.139.138:2222

172.248.42.122:443

24.142.218.202:443

76.100.159.250:443

92.8.187.85:2222

69.133.162.35:443

50.86.217.209:443

78.18.42.55:443

92.27.86.48:2222

185.13.180.250:443

50.26.197.236:993

24.69.84.237:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

  • Qakbot family
    qakbot
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    trojanbankerstealerqakbot
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F12.wsf"
    1⤵
      PID:3504
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1124
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "E:\F12.wsf"
        1⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\me.txt
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Users\Admin\me.txt
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4580
            • C:\Windows\SysWOW64\wermgr.exe
              C:\Windows\SysWOW64\wermgr.exe
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3700

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\me.txt
        Filesize

        733KB

        MD5

        388130763a39816b5de645a0db65fe8e

        SHA1

        0daf7bf5fd13a9b4d29591bebfc4a21793cce0ff

        SHA256

        b319b04368220e6e7379586ed5576a6bfed90c0f975fa0012011d7b702e2b959

        SHA512

        4e38e8c048465796a9cb735eec80abf0e83eb7fe07327a72daee3e03ee1f000dda5c58597c5051d54a236d18a78962db7141a549cb7c0a283ec905ffece90bdc

        Download Submit

      • memory/3700-8-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3700-9-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3700-10-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3700-12-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3700-11-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3700-13-0x0000000000680000-0x00000000006AA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4580-3-0x0000000074FA0000-0x000000007505A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/4580-4-0x0000000002C50000-0x0000000002C7A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4580-5-0x0000000002C50000-0x0000000002C7A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4580-6-0x0000000074FA0000-0x000000007505A000-memory.dmp

        Filesize

        744KB

        Download