Play interactive tour

Edit tour

Analysis Report Akhirah Technologies Inc. Qakbot (2)

Overview

General Information

Sample Name:	Akhirah Technologies Inc. Qakbot (2) (renamed file extension from Qakbot (2) to exe)
Analysis ID:	278341
MD5:	a24a144da3f27d0060cb8961dc9169dd
SHA1:	79cb3718548421d6880fda8722ce44d31da0cc8c
SHA256:	f953b103ae09065e639890aa4e133f54ac9a2a5f5eb519d970b2b8d40d251626
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect virtual machines (IN, VMware)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Akhirah Technologies Inc.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' MD5: A24A144DA3F27D0060CB8961DC9169DD)

Akhirah Technologies Inc.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C MD5: A24A144DA3F27D0060CB8961DC9169DD)

besos.exe (PID: 7044 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe MD5: A24A144DA3F27D0060CB8961DC9169DD)

besos.exe (PID: 5852 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C MD5: A24A144DA3F27D0060CB8961DC9169DD)

explorer.exe (PID: 1560 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

schtasks.exe (PID: 7104 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18 MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Akhirah Technologies Inc.exe (PID: 7144 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc MD5: A24A144DA3F27D0060CB8961DC9169DD)

Akhirah Technologies Inc.exe (PID: 5380 cmdline: 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc MD5: A24A144DA3F27D0060CB8961DC9169DD)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Akhirah Technologies Inc.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Avira: detection malicious, Label: TR/Crypt.Agent.kdzty

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Virustotal: Detection: 62%			Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Show sources

Source: Akhirah Technologies Inc.exe	Virustotal: Detection: 62%			Perma Link
Source: Akhirah Technologies Inc.exe	ReversingLabs: Detection: 75%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Akhirah Technologies Inc.exe

Joe Sandbox ML: detected

Source: 4.2.besos.exe.2310000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Akhirah Technologies Inc.exe.2480000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Akhirah Technologies Inc.exe.2310000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.Akhirah Technologies Inc.exe.1110000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.besos.exe.2310000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.Akhirah Technologies Inc.exe.1150000.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BAAB48 strncpy,strncmp,QueryPerformanceFrequency,QueryPerformanceCounter,CryptAcquireContextA,

11_2_04BAAB48

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BAF2B1 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

11_2_04BAF2B1

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BB4D1F __WSAFDIsSet,recv,WSAGetLastError,closesocket,

11_2_04BB4D1F

Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Akhirah Technologies Inc.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Akhirah Technologies Inc.exe, 00000001.00000003.211461368.0000000002527000.00000004.00000040.sdmp, explorer.exe	String found in binary or memory: http://www.ip-adress.com
Source: Akhirah Technologies Inc.exe, 00000001.00000003.211461368.0000000002527000.00000004.00000040.sdmp, explorer.exe, 0000000B.00000002.461141641.0000000004BA0000.00000040.00000001.sdmp	String found in binary or memory: http://www.ip-adress.com?
Source: Akhirah Technologies Inc.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: besos.exe, 00000004.00000002.269314574.000000000097A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	1_2_004013AC
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	2_2_004013AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_004044DA NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,lstrlenA,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose,	4_2_004044DA
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_004048A5 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,	4_2_004048A5
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	4_2_004013AC
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	7_2_004013AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	9_2_004013AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_009513AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	11_2_009513AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_009548A5 memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,	11_2_009548A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_009544DA NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,lstrlenA,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose,	11_2_009544DA
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_004013AC PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,	24_2_004013AC

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_004050D4 GetLastError,lstrlenA,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle,

1_2_004050D4

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_00410010	1_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_004100F4	1_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_004100B8	1_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_0041015D	1_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_00410178	1_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_00404D1C	1_2_00404D1C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_00410010	2_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_004100F4	2_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_004100B8	2_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_0041015D	2_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_00410178	2_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_00404D1C	2_2_00404D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_0041000C	4_2_0041000C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_00410010	4_2_00410010
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_004100F4	4_2_004100F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_004100B8	4_2_004100B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_0041015D	4_2_0041015D
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_00410178	4_2_00410178
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_00404D1C	4_2_00404D1C
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_00410010	7_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_004100F4	7_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_004100B8	7_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_0041015D	7_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_00410178	7_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_00404D1C	7_2_00404D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_00410010	9_2_00410010
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_004100F4	9_2_004100F4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_004100B8	9_2_004100B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_0041015D	9_2_0041015D
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_00410178	9_2_00410178
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_00404D1C	9_2_00404D1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00954D1C	11_2_00954D1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BAA4EA	11_2_04BAA4EA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BAA002	11_2_04BAA002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BAD5ED	11_2_04BAD5ED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBB22F	11_2_04BBB22F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BABA18	11_2_04BABA18
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBAA0F	11_2_04BBAA0F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BB666E	11_2_04BB666E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BB57A6	11_2_04BB57A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BAAFE8	11_2_04BAAFE8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA9BE5	11_2_04BA9BE5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BAB30D	11_2_04BAB30D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BB6374	11_2_04BB6374
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BB6F64	11_2_04BB6F64
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_00410010	24_2_00410010
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_004100F4	24_2_004100F4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_004100B8	24_2_004100B8
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_0041015D	24_2_0041015D
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_00410178	24_2_00410178
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_00404D1C	24_2_00404D1C

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: String function: 004020BC appears 44 times

Source: Akhirah Technologies Inc.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal100.evad.winEXE@14/4@0/0

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_0040503F CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification,

1_2_0040503F

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00407699 CoCreateInstance,

1_2_00407699

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00404096 FindResourceA,SizeofResource,LoadResource,

1_2_00404096

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00401071 StartServiceCtrlDispatcherA,

1_2_00401071

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_00401071 StartServiceCtrlDispatcherA,	1_2_00401071
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 2_2_00401071 StartServiceCtrlDispatcherA,	2_2_00401071
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 4_2_00401071 StartServiceCtrlDispatcherA,	4_2_00401071
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_00401071 StartServiceCtrlDispatcherA,	7_2_00401071
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_00401071 StartServiceCtrlDispatcherA,	9_2_00401071
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00951071 StartServiceCtrlDispatcherA,	11_2_00951071
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_00401071 StartServiceCtrlDispatcherA,	24_2_00401071

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh

Jump to behavior

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Mutant created: \Sessions\1\BaseNamedObjects\hydvgap
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4B51853F-AA46-42B2-AE5E-C00DE858F865}
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{D6BB79AE-1669-4F75-932B-F781A0D506FC}
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B03C8747-1698-4412-9D7C-2D6146F92C17}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\~besos.tmp

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: Akhirah Technologies Inc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Akhirah Technologies Inc.exe	Virustotal: Detection: 62%
Source: Akhirah Technologies Inc.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

File read: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C
Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /I picieuc
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Process created: C:\Users\user\Desktop\Akhirah Technologies Inc.exe 'C:\Users\user\Desktop\Akhirah Technologies Inc.exe' /C	Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe /C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: Akhirah Technologies Inc.exe

Static file information: File size 2804696 > 1048576

Source: Akhirah Technologies Inc.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2a8800

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 1.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 2.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Unpacked PE file: 4.2.besos.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 7.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Unpacked PE file: 9.2.besos.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 24.2.Akhirah Technologies Inc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 1.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 2.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Unpacked PE file: 4.2.besos.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 7.2.Akhirah Technologies Inc.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Unpacked PE file: 9.2.besos.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Unpacked PE file: 24.2.Akhirah Technologies Inc.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_004051E1 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

1_2_004051E1

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_02303BD0 push edx; ret	1_2_02303D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_022D2C02 push eax; ret	1_2_022D2C31
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_02303A80 push edx; ret	1_2_02303A8B
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_022D18C0 push 00000018h; ret	1_2_022D18C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 1_2_022D1589 push cs; ret	1_2_022D158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_01103BD0 push edx; ret	7_2_01103D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_010D31A2 push eax; ret	7_2_010D31B4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_010D18C0 push 00000018h; ret	7_2_010D18C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_010D4B33 push edi; ret	7_2_010D4B34
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_010D1589 push cs; ret	7_2_010D158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 7_2_010D2C02 push eax; ret	7_2_010D2C31
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_02303BD0 push edx; ret	9_2_02303D5E
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_022D4B33 push edi; ret	9_2_022D4B34
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_022D18C0 push 00000018h; ret	9_2_022D18C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_022D31A2 push eax; ret	9_2_022D31B4
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_022D2C02 push eax; ret	9_2_022D2C31
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: 9_2_022D1589 push cs; ret	9_2_022D158A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBEC66 push cs; iretd	11_2_04BBEC3A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BC105D push 0000006Ah; retf	11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BC105B push 0000006Ah; retf	11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBEE16 push ebx; ret	11_2_04BBEE17
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BC0FF3 push 0000006Ah; retf	11_2_04BC10CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BC7733 push esp; ret	11_2_04BC7734
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBEB64 push cs; iretd	11_2_04BBEC3A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_01143BD0 push edx; ret	24_2_01143D5E
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_011131A2 push eax; ret	24_2_011131B4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_011118C0 push 00000018h; ret	24_2_011118C4
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_01114B33 push edi; ret	24_2_01114B34
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_01111589 push cs; ret	24_2_0111158A
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: 24_2_01112C02 push eax; ret	24_2_01112C31

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn picieuc /tr '\'C:\Users\user\Desktop\Akhirah Technologies Inc.exe\' /I picieuc' /SC ONCE /Z /ST 03:06 /ET 03:18

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00401071 StartServiceCtrlDispatcherA,

1_2_00401071

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Memory written: PID: 1560 base: C3F380 value: E9 70 22 D1 FF

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)

Show sources

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	1_2_00403D67
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	2_2_00403D67
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	4_2_00403D67
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	7_2_00403D67
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	9_2_00403D67
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	11_2_00953D67
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,	24_2_00403D67

Contains functionality to detect virtual machines (IN, VMware)

Show sources

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_0040343D in eax, dx

1_2_0040343D

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: besos.exe, 00000009.00000002.248721333.0000000002426000.00000004.00000040.sdmp

Binary or memory string: FIDDLER.EXE;SAMP1E.EXE;SAMPLE.EXE;RUNSAMPLE.EXE;LORDPE.EXE;REGSHOT.EXE;AUTORUNS.EXE;DSNIFF.EXE;VBOXTRAY.EXE;HASHMYFILES.EXE;PROCESSHACKER.EXE;PROCMON.EXE;PROCMON64.EXE;NETMON.EXE;VMTOOLSD.EXE;VM3DSERVICE.EXE;VGAUTHSERVICE.EXE;PR0C3XP.EXE;PROCESSHACKER.EXE;CFF EXPLORER.EXE;DUMPCAP.EXE;WIRESHARK.EXE;IDAQ.EXE;IDAQ64.EXE;TPAUTOCONNECT.EXE;RESOURCEHACKER.EXE;VMACTHLP.EXE;OLLYDBG.EXE;WINDBG.EXE;BDS-VISION-AGENT-NAI.EXE;BDS-VISION-APIS.EXE;BDS-VISION-AGENT-APP.EXE;MULTIANALYSIS_V1.0.294.EXE;X32DBG.EXE;VBOXTRAY.EXE;VBOXSERVICE.EXE;TCPVIEW.EXE

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00403C24 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle,

1_2_00403C24

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_0040356D SetupDiGetDeviceRegistryPropertyA,GetLastError,

1_2_0040356D

Source: C:\Windows\SysWOW64\explorer.exe

Window / User API: threadDelayed 774

Jump to behavior

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 6692	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 6720	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe TID: 7048	Thread sleep count: 115 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 7148	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe TID: 1748	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6356	Thread sleep time: -23220000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6356	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe TID: 5464	Thread sleep count: 114 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BAF2B1 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

11_2_04BAF2B1

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_004056D9 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,KiUserCallbackDispatcher,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,

1_2_004056D9

Source: besos.exe, 00000009.00000002.248721333.0000000002426000.00000004.00000040.sdmp

Binary or memory string: Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;idaq.exe;idaq64.exe;TPAutoConnect.exe;ResourceHacker.exe;vmacthlp.exe;OLLYDBG.EXE;windbg.exe;bds-vision-agent-nai.exe;bds-vision-apis.exe;bds-vision-agent-app.exe;MultiAnalysis_v1.0.294.exe;x32dbg.exe;VBoxTray.exe;VBoxService.exe;Tcpview.exe

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00956484 SetLastError,GetLastError,GetCurrentThread,LdrInitializeThunk,

11_2_00956484

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00403C24 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle,

1_2_00403C24

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_004051E1 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

1_2_004051E1

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BA98F3 GetProcessHeap,HeapAlloc,

11_2_04BA98F3

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Memory protected: page execute read | page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Memory written: PID: 1560 base: C3F380 value: E9

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Memory written: C:\Windows\SysWOW64\explorer.exe base: C3F380

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: OpenProcessToken,CloseHandle,FindCloseChangeNotification, C:\Windows\SysWOW64\explorer.exe

11_2_04BB0B7B

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00401A5B EntryPoint,GetCommandLineW,VirtualAllocEx,HeapCreate,GetModuleHandleA,lstrcmpiW,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,ExitProcess,

1_2_00401A5B

Source: C:\Users\user\AppData\Roaming\Microsoft\Roouuh\besos.exe

Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00407DF6 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid,

1_2_00407DF6

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00407C58 GetModuleFileNameW,AllocateAndInitializeSid,EqualSid,FreeSid,FindCloseChangeNotification,

1_2_00407C58

Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.461081918.0000000003690000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_0040334B cpuid

1_2_0040334B

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_0040356D SetupDiGetDeviceRegistryPropertyA,GetLastError,

1_2_0040356D

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04BA3510 CreateNamedPipeA,

11_2_04BA3510

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00409277 memset,GetLocalTime,memset,GetLocalTime,DeleteFileW,

1_2_00409277

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

Code function: 1_2_00407F64 LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,

1_2_00407F64

Source: C:\Users\user\Desktop\Akhirah Technologies Inc.exe

1_2_004056D9

Source: C:\Windows\SysWOW64\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Native API1	Valid Accounts1	Exploitation for Privilege Escalation1	Disable or Modify Tools1	Credential API Hooking1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Windows Service3	Valid Accounts1	Deobfuscate/Decode Files or Information1	Input Capture1	Account Discovery1	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Scheduled Task/Job1	Access Token Manipulation1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Windows Service3	Software Packing21	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection323	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Scheduled Task/Job1	Valid Accounts1	Cached Domain Credentials	Security Software Discovery321	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion11	DCSync	Virtualization/Sandbox Evasion11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection323	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Akhirah Technologies Inc. Qakbot (2)

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails