lhuft.exe

General

Target: lhuft.exe
Size: 717KB
Sample: 200109-pvvhk66ab2
Score: 10/10
MD5: fb95f25c5c1b96f226c78f614509f1f7
SHA1: e43db8ac3015dd16a9a74eed6642b9b85dfd1c92
SHA256: 7f90029d8bb4d49d1001a65f4d139f1a2b630b420e5caf4315e5d3da43d603b2
SHA512: ae1c4c93dc5ad50a9a3d7a5d70ef3ab405f8f6b936b56324034329318699124c746a6440fdd61f1df4531e86fc67f4f243e772fc2df7f70947eca6f1d7fecfe2

Malware Config

Extracted

Family: qakbot
Campaign: 1577715876
C2:


Targets
Signatures

  • Qakbot/Qbot
    Description: Qbot or Qakbot is a sophisticated worm with banking capabilities
  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • Executes dropped EXE
  • Turn off Windows Defender SpyNet reporting
  • Loads dropped DLL
  • Adds Run entry to start application
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

MITRE ATT&CK Matrix

Collection
Command and Control
Credential Access
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation