update.bin

Target

update.bin

Size

645KB

Sample

191206-s2wazv1yle

Score

10 ^/10

MD5

a74234fff324ecde0028dd860ca0a935

SHA1

ac7e1a4eb12a7f39ad6334085eda68e125fe3523

SHA256

983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0

SHA512

c2f8b3521a53142ecb20e49ad3bd5636d228973cad83afe89844e7bd2185f8d8e58b83024f1f16da2389abfecbaf05301a9de750c72ba50f9089b093266ee845

Extracted

Family	qakbot
Campaign	1575272833
C2	173.172.205.216:995 71.77.231.251:443 75.110.250.89:443 72.190.101.70:443 12.5.37.3:995 68.49.120.179:443 184.74.101.234:995 24.30.71.200:443 100.4.185.8:443 72.218.167.183:443 80.14.209.42:2222 187.206.88.42:995 104.34.122.18:443 81.103.144.77:443 75.110.219.10:443 12.5.37.3:443 74.134.35.54:443 70.183.3.199:443 64.250.55.239:443 75.142.59.167:443 72.29.181.77:2222 24.164.79.147:443 174.131.181.120:995 107.12.140.181:443 24.27.82.216:2222 197.89.42.74:995 198.72.193.198:2222 104.152.16.45:995 208.101.161.39:443 99.250.71.19:443 47.180.66.10:443 184.191.62.78:443 72.142.106.198:465 207.162.184.228:443 62.0.67.88:443 206.51.202.106:50002 2.179.34.174:443 67.174.112.185:443 96.37.137.42:443 47.23.101.26:993 67.10.18.112:993 74.71.216.1:443 5.182.39.156:443 50.78.93.74:995 162.244.224.166:443 75.130.117.134:443 75.110.90.106:443 196.194.65.30:443 96.35.170.82:2222 184.180.157.203:2222 98.173.34.212:995 74.134.4.236:443 71.84.5.114:995 24.111.196.195:443 75.131.72.82:443 72.16.212.107:465 24.184.6.58:2222 104.32.185.213:2222 47.153.115.154:995 73.226.220.56:443 68.174.15.223:443 68.238.144.55:443 75.131.72.82:995 72.224.159.224:2222 174.80.124.136:443 196.194.65.30:2222 95.67.239.102:21 103.120.189.218:443 62.103.70.217:995 201.152.199.66:995 71.30.56.170:443 107.12.131.249:443 70.164.39.91:443 23.240.185.215:443 201.188.77.21:443 172.78.87.180:995 47.23.101.26:465 166.62.180.194:2078 75.165.181.122:443 108.160.123.244:443 47.214.144.253:443 27.4.74.205:443 62.47.252.79:993 2.50.157.249:443 71.226.140.73:443 47.146.169.85:443 162.244.225.30:443 47.137.243.80:443 50.246.229.50:443 67.87.38.242:2222 173.22.120.11:2222 71.222.30.198:443 184.100.227.57:443 75.70.218.193:443 187.163.139.94:993 68.83.59.107:443 111.125.70.30:2222 70.124.29.226:443 76.174.122.204:443 74.194.4.181:443 24.201.68.105:2078 104.34.103.46:2222 64.33.68.198:443 172.242.9.118:995 63.230.11.140:995 104.3.91.20:995 45.45.105.94:443 47.202.98.230:443 173.3.132.17:995 64.19.74.29:995 123.252.128.47:443 75.182.214.87:443 116.58.100.130:443 47.144.93.71:443 181.126.80.118:443 12.176.32.146:443 117.204.239.12:995 174.48.72.160:443 68.100.248.78:443 75.166.74.158:443 65.30.12.240:443 68.225.250.136:443 50.247.230.33:995 205.250.79.62:443 66.214.75.176:443 104.175.240.29:443 24.202.42.48:2222 173.172.205.216:443 67.246.16.250:995 47.155.19.205:443 67.160.63.127:443 73.200.219.143:443 72.132.145.25:443 98.148.177.77:443 97.120.78.231:995 172.89.144.89:995 73.137.187.150:443 47.148.143.146:443 92.3.196.234:2222 174.82.131.155:995 73.104.218.229:0 75.165.162.10:443 67.245.56.108:443 97.84.226.90:443 75.165.162.33:443 97.83.66.143:443 24.196.158.28:443 68.39.177.147:995 67.250.76.135:443 96.236.196.34:443 173.172.205.216:995 71.77.231.251:443 75.110.250.89:443 72.190.101.70:443 12.5.37.3:995 68.49.120.179:443 184.74.101.234:995 24.30.71.200:443 100.4.185.8:443 72.218.167.183:443 80.14.209.42:2222 187.206.88.42:995 104.34.122.18:443 81.103.144.77:443 75.110.219.10:443 12.5.37.3:443 74.134.35.54:443 70.183.3.199:443 64.250.55.239:443 75.142.59.167:443 72.29.181.77:2222 24.164.79.147:443 174.131.181.120:995 107.12.140.181:443 24.27.82.216:2222 197.89.42.74:995 198.72.193.198:2222 104.152.16.45:995 208.101.161.39:443 99.250.71.19:443 47.180.66.10:443 184.191.62.78:443 72.142.106.198:465 207.162.184.228:443 62.0.67.88:443 206.51.202.106:50002 2.179.34.174:443 67.174.112.185:443 96.37.137.42:443 47.23.101.26:993 67.10.18.112:993 74.71.216.1:443 5.182.39.156:443 50.78.93.74:995 162.244.224.166:443 75.130.117.134:443 75.110.90.106:443 196.194.65.30:443 96.35.170.82:2222 184.180.157.203:2222 98.173.34.212:995 74.134.4.236:443 71.84.5.114:995 24.111.196.195:443 75.131.72.82:443 72.16.212.107:465 24.184.6.58:2222 104.32.185.213:2222 47.153.115.154:995 73.226.220.56:443 68.174.15.223:443 68.238.144.55:443 75.131.72.82:995 72.224.159.224:2222 174.80.124.136:443 196.194.65.30:2222 95.67.239.102:21 103.120.189.218:443 62.103.70.217:995 201.152.199.66:995 71.30.56.170:443 107.12.131.249:443 70.164.39.91:443 23.240.185.215:443 201.188.77.21:443 172.78.87.180:995 47.23.101.26:465 166.62.180.194:2078 75.165.181.122:443 108.160.123.244:443 47.214.144.253:443 27.4.74.205:443 62.47.252.79:993 2.50.157.249:443 71.226.140.73:443 47.146.169.85:443 162.244.225.30:443 47.137.243.80:443 50.246.229.50:443 67.87.38.242:2222 173.22.120.11:2222 71.222.30.198:443 184.100.227.57:443 75.70.218.193:443 187.163.139.94:993 68.83.59.107:443 111.125.70.30:2222 70.124.29.226:443 76.174.122.204:443 74.194.4.181:443 24.201.68.105:2078 104.34.103.46:2222 64.33.68.198:443 172.242.9.118:995 63.230.11.140:995 104.3.91.20:995 45.45.105.94:443 47.202.98.230:443 173.3.132.17:995 64.19.74.29:995 123.252.128.47:443 75.182.214.87:443 116.58.100.130:443 47.144.93.71:443 181.126.80.118:443 12.176.32.146:443 117.204.239.12:995 174.48.72.160:443 68.100.248.78:443 75.166.74.158:443 65.30.12.240:443 68.225.250.136:443 50.247.230.33:995 205.250.79.62:443 66.214.75.176:443 104.175.240.29:443 24.202.42.48:2222 173.172.205.216:443 67.246.16.250:995 47.155.19.205:443 67.160.63.127:443 73.200.219.143:443 72.132.145.25:443 98.148.177.77:443 97.120.78.231:995 172.89.144.89:995 73.137.187.150:443 47.148.143.146:443 92.3.196.234:2222 174.82.131.155:995 73.104.218.229:0 75.165.162.10:443 67.245.56.108:443 97.84.226.90:443 75.165.162.33:443 97.83.66.143:443 24.196.158.28:443 68.39.177.147:995 67.250.76.135:443 96.236.196.34:443

Target

update.bin

MD5

a74234fff324ecde0028dd860ca0a935

Filesize

645KB

Score

10 ^/10

SHA1

ac7e1a4eb12a7f39ad6334085eda68e125fe3523

SHA256

983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0

SHA512

c2f8b3521a53142ecb20e49ad3bd5636d228973cad83afe89844e7bd2185f8d8e58b83024f1f16da2389abfecbaf05301a9de750c72ba50f9089b093266ee845

Signatures

Loads dropped DLL
Adds Run entry to start application

Tags

persistence

TTPs

Registry Run Keys / Startup Folder Modify Registry
Executes dropped EXE
Qakbot/Qbot

Description

Qbot or Qakbot is a sophisticated worm with banking capabilities

Tags

trojan banker stealer qakbot
Turn off Windows Defender SpyNet reporting
Windows security bypass

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry
Checks system information in the registry

Description

System information is often read in order to detect sandboxing environments.

TTPs

Query Registry System Information Discovery
Windows security modification

Tags

evasion trojan

TTPs

Disabling Security Tools Modify Registry

Related Tasks

task1 task2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

task1

trojan evasion spreading persistence family qakbot

10^/10

task2

trojan evasion spreading persistence family qakbot

10^/10

Extracted

Tags

Signatures

Loads dropped DLL

Adds Run entry to start application

Tags

TTPs

Executes dropped EXE

Qakbot/Qbot

Description

Tags

Turn off Windows Defender SpyNet reporting

Windows security bypass

Tags

TTPs

Checks system information in the registry

Description

TTPs

Windows security modification

Tags

TTPs

Related Tasks

task1

task2