General

  • Target: 444444.png
  • Size: 2.3MB
  • Sample: 200526-xk49bs3f4x
  • MD5: f8849261a9db65164958d8c99ebc1f13
  • SHA1: 004818f4c927ba99a0694fd94cc754dd4df731fd
  • SHA256: ec38eb6ee133958ef6cc3bfa257d9368c615b3182d22282f63d12ca7f2b2c5be
  • SHA512: 7532e2943353bc7c38b54c7c128f27cccc41cfc2e5dfc86cd899de5c50b1af102f2dbd6648086a9d2d8b38797c27b6555fb2803594e2b7d1de266418e0b86bde

Malware Config

Extracted

  • Family: qakbot
  • Botnet: spx96
  • Campaign: 1586873043
  • C2


Targets


    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.
    • Windows security bypass
    • Executes dropped EXE
    • Turns off Windows Defender SpyNet reporting
    • Loads dropped DLL
    • Windows security modification
    • Adds Run entry to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                              Count  ID
Execution             Scheduled Task                         1      T1053
Persistence           Registry Run Keys / Startup Folder     1      T1060
Persistence           Scheduled Task                         1      T1053
Privilege Escalation  Scheduled Task                         1      T1053
Defense Evasion       Disabling Security Tools               2      T1089
Defense Evasion       Modify Registry                        3      T1112
Discovery             Query Registry                         1      T1012
Discovery             Peripheral Device Discovery            1      T1120
Discovery             System Information Discovery           1      T1082
Discovery             Remote System Discovery                1      T1018
