update.bin

General
Target: update.bin
Size: 645KB
Sample: 191206-s2wazv1yle
Score: 10/10
MD5: a74234fff324ecde0028dd860ca0a935
SHA1: ac7e1a4eb12a7f39ad6334085eda68e125fe3523
SHA256: 983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0
SHA512: c2f8b3521a53142ecb20e49ad3bd5636d228973cad83afe89844e7bd2185f8d8e58b83024f1f16da2389abfecbaf05301a9de750c72ba50f9089b093266ee845

Malware Config

Extracted
Family: qakbot
Campaign: 1575272833
C2:
173.172.205.216:995
71.77.231.251:443
75.110.250.89:443
72.190.101.70:443
12.5.37.3:995
68.49.120.179:443
184.74.101.234:995
24.30.71.200:443
100.4.185.8:443
72.218.167.183:443
80.14.209.42:2222
187.206.88.42:995
104.34.122.18:443
81.103.144.77:443
75.110.219.10:443
12.5.37.3:443
74.134.35.54:443
70.183.3.199:443
64.250.55.239:443
75.142.59.167:443
72.29.181.77:2222
24.164.79.147:443
174.131.181.120:995
107.12.140.181:443
24.27.82.216:2222
197.89.42.74:995
198.72.193.198:2222
104.152.16.45:995
208.101.161.39:443
99.250.71.19:443
47.180.66.10:443
184.191.62.78:443
72.142.106.198:465
207.162.184.228:443
62.0.67.88:443
206.51.202.106:50002
2.179.34.174:443
67.174.112.185:443
96.37.137.42:443
47.23.101.26:993
67.10.18.112:993
74.71.216.1:443
5.182.39.156:443
50.78.93.74:995
162.244.224.166:443
75.130.117.134:443
75.110.90.106:443
196.194.65.30:443
96.35.170.82:2222
184.180.157.203:2222

Targets
Target: update.bin
MD5: a74234fff324ecde0028dd860ca0a935
Filesize: 645KB
Score: 10/10
SHA1: ac7e1a4eb12a7f39ad6334085eda68e125fe3523
SHA256: 983ea66816fa3e0a089be5ac33e8f3e2ff92b53e804389805fc591ea12cf09d0
SHA512: c2f8b3521a53142ecb20e49ad3bd5636d228973cad83afe89844e7bd2185f8d8e58b83024f1f16da2389abfecbaf05301a9de750c72ba50f9089b093266ee845

Signatures
  • Qakbot/Qbot
    Description: Qbot or Qakbot is a sophisticated worm with banking capabilities
  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • Executes dropped EXE
  • Turn off Windows Defender SpyNet reporting
  • Loads dropped DLL
  • Windows security modification
    TTPs: Disabling Security Tools, Modify Registry
  • Adds Run entry to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
  • Checks system information in the registry
    Description: System information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, System Information Discovery

MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation