General

  • Target

    8888888

  • Size

    1.0MB

  • Sample

    201109-ej8cr9zvpj

  • MD5

    187f43c716b1f67efa2e3e98027f497e

  • SHA1

    2076d9ecbcec60b0b4fc181917fd85246037f1cc

  • SHA256

    760e82acfcfdb3f7a2ea01cb32a21562bf98d4855cca19710aabd4af329aa809

  • SHA512

    ce53dc168c27f7359ba5f2fe14dd0852bb2dc7193dd1d8990cf42c22920253088d8ed0f0e0f314f6dc0bdbd0851826e30f9efdcd9eee4ba4afa8a20720ce0ee2

Malware Config

Extracted

Family

qakbot

Botnet

spx140

Campaign

1592218484

C2


Targets

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • CryptOne packer

      Detects the CryptOne packer as defined in the NCC blog post.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053) 1

  • Persistence

    Scheduled Task (T1053) 1

  • Privilege Escalation

    Scheduled Task (T1053) 1

  • Discovery

    Query Registry (T1012) 1

    Peripheral Device Discovery (T1120) 1

    System Information Discovery (T1082) 1