General
Target: 8.bin
Size: 757KB
Sample: 191111-7tn19rbh9x
MD5: 37bb4d9f1bd92067748c2d86dc487105
SHA1: aa8ccf3c1a22c3102c604f63964ccf4751d15288
SHA256: eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
SHA512: da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4
Malware Config
Extracted
Family: qakbot
Campaign: 1573401612 (Qakbot campaign IDs are Unix timestamps; this one reads as 2019-11-10 16:00:12 UTC)
FTP accounts (as extracted from the sample's config):
Protocol: ftp, Host: 192.185.5.208, Port: 21, Username: logger@dustinkeeling.com, Password: NxdkxAp4dUsY
Protocol: ftp, Host: 162.241.218.118, Port: 21, Username: logger@misterexterior.com, Password: EcOV0DyGVgVN
Protocol: ftp, Host: 69.89.31.139, Port: 21, Username: cpanel@vivekharris-architects.com, Password: fcR7OvyLrMW6!
Protocol: ftp, Host: 169.207.67.14, Port: 21, Username: cpanel@dovetailsolar.com, Password: eQyicNLzzqPN
C2 (IP:port):
50.246.229.50:443
74.134.35.54:443
75.110.219.10:443
65.16.241.150:443
74.134.4.236:443
182.56.93.78:995
184.191.62.78:443
76.181.237.223:443
2.50.41.185:443
107.12.140.181:443
72.29.181.77:2078
73.137.187.150:443
71.93.60.90:443
72.46.151.196:995
173.233.182.249:443
67.10.18.112:993
181.47.60.21:995
97.83.66.143:443
184.74.101.234:995
181.1.204.139:443
71.58.21.235:443
107.12.131.249:443
76.169.19.193:443
168.245.228.71:443
96.244.38.23:443
71.197.126.250:443
67.246.16.250:995
75.110.250.89:443
50.78.93.74:995
47.23.101.26:993
73.79.10.31:443
12.5.37.3:995
24.30.71.200:443
172.78.45.13:995
68.225.250.136:443
75.142.59.167:443
96.35.170.82:2222
73.235.65.73:443
172.250.91.246:443
47.202.98.230:443
186.109.159.172:443
104.173.119.54:2222
73.232.165.200:995
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.45.183.59:443
47.153.115.154:443
108.5.34.128:443
76.116.128.81:443
107.184.252.92:443
24.180.7.155:443
72.28.255.159:443
71.77.231.251:443
74.73.27.35:443
186.90.187.252:443
67.214.201.117:2222
104.235.77.28:443
47.180.66.10:443
65.30.12.240:443
181.197.195.138:995
76.80.66.226:443
188.52.63.36:443
104.175.193.24:443
2.177.101.143:443
49.191.131.67:443
67.160.63.127:443
75.70.218.193:443
176.205.181.71:443
72.142.106.198:465
47.146.169.85:443
24.184.6.58:2222
24.93.168.38:443
162.244.225.30:443
67.200.146.98:2222
162.244.224.166:443
104.34.122.18:443
72.29.181.77:2083
12.5.37.3:443
112.171.126.153:443
75.131.72.82:2087
66.214.75.176:443
199.126.92.231:995
173.178.129.3:990
73.226.220.56:443
12.176.32.146:443
174.130.203.235:443
72.16.212.107:995
205.250.79.62:443
201.152.218.64:995
108.227.161.27:443
181.126.80.118:443
108.160.123.244:443
50.247.230.33:443
104.32.185.213:2222
68.174.15.223:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
75.165.181.122:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
75.131.72.82:995
174.48.72.160:443
172.251.125.166:443
68.238.144.55:443
71.30.56.170:443
174.16.234.171:993
116.58.100.130:443
75.175.209.163:995
68.238.56.27:443
184.180.157.203:2222
173.22.120.11:2222
47.153.115.154:443
24.203.64.26:2222
64.19.74.29:995
104.3.91.20:995
75.130.117.134:443
173.3.132.17:995
75.131.72.82:443
100.4.185.8:443
47.153.115.154:995
5.182.39.156:443
97.84.226.90:443
23.240.185.215:443
68.131.9.203:443
75.81.25.223:995
24.201.68.105:2078
32.208.1.239:443
74.194.4.181:443
70.34.10.217:443
47.214.144.253:443
207.237.1.152:443
76.116.90.159:443
173.52.119.247:443
201.188.85.71:443
172.251.77.230:443
174.197.2.131:443
197.82.208.34:995
209.182.122.217:443
69.170.237.82:995
73.200.219.143:443
98.155.154.220:443
98.30.99.15:443
81.103.144.77:443
98.148.177.77:443
69.207.57.35:443
47.155.19.205:443
187.163.139.200:993
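The C2 list above is long enough that transcribing it into blocking rules by hand invites mistakes, and it mixes 443 with mail (993/995/465) and cPanel (2078/2083/2087) ports that most egress policies allow, so the block has to be on the IP, not the port. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses lines in the list's own IP:port format, rejects malformed or non-routable entries instead of silently keeping them, deduplicates (the list repeats 47.153.115.154:443), tallies ports, and emits one Suricata IP-match rule per endpoint plus a blocklist that also covers the four FTP hosts from the config. C2_RAW holds a handful of entries copied from the list above (paste the full list in to process all of it); the sid range and the port labels are local choices, not anything from the report.

```python
"""Turn the extracted Qakbot config above into deduplicated, blockable IOCs.

Added example; not part of the sandbox report. C2_RAW is a subset of the
report's C2 list, FTP_HOSTS the four FTP hosts from its config block.
"""
import ipaddress
import re
from collections import Counter

C2_RAW = """\
50.246.229.50:443
182.56.93.78:995
72.29.181.77:2078
67.10.18.112:993
96.35.170.82:2222
47.153.115.154:443
72.142.106.198:465
72.29.181.77:2083
47.153.115.154:443
206.51.202.106:50002
47.153.115.154:995
"""

# Hosts only; the FTP credentials are not needed for network blocking.
FTP_HOSTS = ["192.185.5.208", "162.241.218.118", "69.89.31.139", "169.207.67.14"]

SID_BASE = 9000000  # assumption: a local sid range for generated rules

# Ports that are usually open outbound, so an IP-only block is what works.
PORT_LABELS = {
    443: "https", 990: "ftps", 993: "imaps", 995: "pop3s", 465: "smtps",
    2078: "cpanel-webdav-ssl", 2083: "cpanel-ssl", 2087: "whm-ssl",
}
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_c2(text):
    """Parse IP:port lines into a deduplicated, order-preserving list.

    Malformed lines and non-global addresses raise rather than being kept,
    so a stray line cannot become a bogus block rule.
    """
    seen, out = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable C2 line: {line!r}")
        ip, port = ipaddress.IPv4Address(m.group(1)), int(m.group(2))
        if not ip.is_global or not 0 < port < 65536:
            raise ValueError(f"implausible C2 endpoint: {line!r}")
        key = (str(ip), port)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def port_histogram(entries):
    """Count C2 entries per destination port, labelled where known."""
    return Counter(f"{port}/{PORT_LABELS.get(port, 'other')}" for _, port in entries)


def suricata_rules(entries, sid_base=SID_BASE):
    """One outbound alert rule per IP:port; IP/port match, no payload inspection."""
    rules = []
    for i, (ip, port) in enumerate(entries):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot C2 {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def blocklist(entries, extra_hosts=FTP_HOSTS):
    """Sorted list of every IP to block: C2 peers plus the FTP hosts."""
    ips = {ip for ip, _ in entries} | set(extra_hosts)
    return sorted(ips, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print(f"{len(c2)} unique C2 endpoints; ports: {dict(port_histogram(c2))}")
    print("\n".join(suricata_rules(c2)))
    print("block:", ", ".join(blocklist(c2)))
```

The rules are deliberately plain IP/port matches: the traffic is TLS on the listed ports, so there is no payload to key on, and a per-endpoint rule keeps the alert message specific when one fires. If the list is later re-extracted from another sample of the same campaign, re-running the script on the union of both lists yields the dedup for free.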
Targets
Target: 8.bin (same file as in General above; 757KB, SHA256 eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61)
Signatures:
- Executes dropped EXE
- Turns off Windows Defender SpyNet reporting
- Loads dropped DLL
- Adds Run entry to start application
- Checks system information in the registry (system information is often read in order to detect sandboxing environments)
- Modifies service
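Two of the signatures above, SpyNet reporting turned off and a Run entry added, are registry writes and therefore show up as Sysmon Event ID 13 (RegistryEvent, value set) records; the sandbox check ("Checks system information in the registry") is a read, which Sysmon does not log, so it is not covered here. The detection logic below is an added example, not part of the report: it runs over a constructed list of EID 13 records (not telemetry from this sample), matches the standard Defender SpyNet values and the CurrentVersion\Run locations, and rates a Run entry higher when the launched path sits under a user-writable directory. The severity heuristic and the record layout are my own; the key paths and Sysmon's "DWORD (0x...)" rendering are standard.

```python
"""Flag SpyNet-disable and Run-key writes in Sysmon EID 13 records.

Added example, not part of the sandbox report. EVENTS is constructed to
look like Sysmon RegistryEvent (value set) fields; it is not from this
sample. Paths are the standard Defender SpyNet and CurrentVersion\\Run keys.
"""
import re

# Defender cloud-reporting values; 0 disables them (1 basic, 2 advanced).
SPYNET_RE = re.compile(
    r"\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Spynet\\"
    r"(SpyNetReporting|SubmitSamplesConsent)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# Auto-start targets under user-writable paths are a signal, not proof.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)


def sysmon_dword(value):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000000)'; return the int or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", value)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return finding strings for one EID 13 record; empty list if benign."""
    if event.get("EventID") != 13:
        return []
    target, details = event["TargetObject"], event.get("Details", "")
    findings = []
    m = SPYNET_RE.search(target)
    if m and sysmon_dword(details) == 0:
        findings.append(f"defender-spynet-disabled:{m.group(1)}")
    if RUN_KEY_RE.search(target):
        sev = "high" if USER_WRITABLE_RE.search(details) else "medium"
        findings.append(f"run-key-persistence:{sev}")
    return findings


def scan(events):
    """Map each suspicious record's id to its findings; benign records are dropped."""
    return {e["RecordId"]: f for e in events if (f := classify(e))}


EVENTS = [  # constructed records, not from the report
    {"RecordId": 1, "EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": 2, "EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent",
     "Details": "DWORD (0x00000000)"},
    {"RecordId": 3, "EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\Updater\\updater.exe"},
    {"RecordId": 4, "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting",
     "Details": "DWORD (0x00000002)"},  # reporting turned on, not off: benign
    {"RecordId": 5, "EventID": 13, "Image": "C:\\Program Files\\App\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "Details": "\"C:\\Program Files\\App\\app.exe\" /tray"},
]

if __name__ == "__main__":
    for rid, findings in scan(EVENTS).items():
        print(rid, ", ".join(findings))
```

Matching on the value name with a DWORD check, rather than on the key path alone, keeps legitimate configuration (record 4 enables reporting) out of the results; a Run entry from an installer in Program Files (record 5) is still reported, but at a lower severity than one pointing into AppData (record 3), which is where the sandbox's "Executes dropped EXE" and "Adds Run entry" signatures would intersect.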
MITRE ATT&CK Matrix (technique: number of matching signatures)
Collection: -
Command and Control: -
Credential Access: -
Discovery: Query Registry (3), Remote System Discovery (1), System Information Discovery (3), Peripheral Device Discovery (1)
Execution: -
Exfiltration: -
Impact: -
Initial Access: -
Lateral Movement: -
Persistence: Modify Existing Service (1), Scheduled Task (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: -