Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

8.bin
Size

757KB
Sample

191111-7tn19rbh9x
MD5

37bb4d9f1bd92067748c2d86dc487105
SHA1

aa8ccf3c1a22c3102c604f63964ccf4751d15288
SHA256

eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
SHA512

da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4

Score

10^/10

Malware Config

Extracted

Family

qakbot

Campaign

1573401612

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
logger@dustinkeeling.com
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
logger@misterexterior.com
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
cpanel@vivekharris-architects.com
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
cpanel@dovetailsolar.com
Password:
eQyicNLzzqPN

50.246.229.50:443

74.134.35.54:443

75.110.219.10:443

65.16.241.150:443

74.134.4.236:443

182.56.93.78:995

184.191.62.78:443

76.181.237.223:443

2.50.41.185:443

107.12.140.181:443

72.29.181.77:2078

73.137.187.150:443

71.93.60.90:443

72.46.151.196:995

173.233.182.249:443

67.10.18.112:993

181.47.60.21:995

97.83.66.143:443

184.74.101.234:995

181.1.204.139:443

Targets

- Target
  
  8.bin
- Size
  
  757KB
- MD5
  
  37bb4d9f1bd92067748c2d86dc487105
- SHA1
  
  aa8ccf3c1a22c3102c604f63964ccf4751d15288
- SHA256
  
  eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
- SHA512
  
  da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4
Score

10^/10

trojan banker stealer qakbot persistence evasion
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Turns off Windows Defender SpyNet reporting
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run entry to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Modifies service
  persistence
task1 task2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Tasks

task1

persistenceevasiontrojanspreadingfamilyqakbot

Score

10^/10

task2

persistenceevasiontrojanspreadingfamilyqakbot

Score

10^/10

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Windows security bypass

Executes dropped EXE

Turns off Windows Defender SpyNet reporting

Loads dropped DLL

Windows security modification

Adds Run entry to start application

Checks whether UAC is enabled

Checks system information in the registry

Modifies service

MITRE ATT&CK Matrix

Tasks

task1

task2