Resubmissions

25-05-2020 16:07

200525-ddd1ggsbdj 10

General

  • Target

    Kaufvertrag_3103078_21052020.zip

  • Size

    186KB

  • Sample

    200525-ddd1ggsbdj

  • MD5

    bbbf7ba98f5cca9068f56109a6dd986b

  • SHA1

    7239e35de90e64d1f94698f334edff15aa18a4d3

  • SHA256

    2e774230640debe52a0ff7f4aa9ccdc5b2b271192492b773b41b827ef41f4674

  • SHA512

    9c519a6b79dcb201261f649c0b29dae8d633ffe0b9fa3b501f8f684193348a9a4156c528e06be09c0335856f00e99f0c02ff9cb32447d1ce8dcbdcf444547ffc

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    spx125

  • Campaign

    1590138228

  • C2

Extracted

  • Family

    qakbot

  • Botnet

    notset

  • Campaign

    1588850855

  • Credentials

  • C2

Targets

    • Target

      Kaufvertrag_648230011400_21052020.vbs

    • Size

      36.3MB

    • MD5

      86d77e33adbd08281bde87c925026219

    • SHA1

      62393354f0037c8f56ebc33606b43ee71de3079b

    • SHA256

      bfca22cf77eb45df30fa08fa3995163683633919c30332d60d015eaf23544194

    • SHA512

      d1a0dc4c63e8e309366eb48bf9d124a546dfa689636880d968b80ddb92548f3d21043cd2fe22b8ea5673648c0ee1ee0c533323062579cd5bd7960a4a6e694368

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Disabling Security Tools (T1089): 2

    Modify Registry (T1112): 4

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1

    Remote System Discovery (T1018): 1

Tasks