General

  • Target

    detectiv_1

  • Size

    2.0MB

  • Sample

    201113-vqspahkht6

  • MD5

    fdb6187536274ff2890d75909d2b05c5

  • SHA1

    c8be850f5e198618768c7065fb4b2610739a7138

  • SHA256

    00734aaab14a7f28395144dc472490d84cdc3e1931ebdee35ddd6411221cff18

  • SHA512

    25cb745ece3534fbfb84927a0b1286eb0e0087ac40c7c74525aaa67d04f2393f9edd8c850687ffd09fc3c22c0c2add2adc80f11c7e1d89a4461e6d5c798a969f

Malware Config

Extracted

Family

qakbot

Botnet

spx112

Campaign

1588678797 (Unix epoch, 2020-05-05 11:39:57 UTC)

C2

81.133.234.36:2222

31.5.21.66:443

41.233.43.51:995

96.37.113.36:443

86.233.4.153:2222

98.118.156.172:443

89.34.214.130:443

79.116.237.126:443

72.16.212.107:465

72.36.59.46:2222

5.74.188.119:995

67.209.195.198:3389

98.32.60.217:443

24.46.40.189:2222

77.159.149.74:443

174.30.24.61:443

98.115.138.61:443

189.159.82.203:995

108.21.54.174:443

81.103.144.77:443
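As an added example, not part of the sandbox report itself: the extracted C2 list and file hashes above turned into a small matcher that can be run over firewall or proxy logs. The key=value log format (`src=`, `dst=`, `dport=`) and the log lines are constructed assumptions for this example; the endpoints and hashes are the ones listed on this page. An exact ip:port match against the extracted config is reported as high confidence, a match on a known C2 host over some other port as medium.

```python
import hashlib
import re
from typing import Iterable

# Qakbot C2 endpoints extracted from this sample's configuration (copied from the report above).
C2_ENDPOINTS = frozenset({
    ("81.133.234.36", 2222), ("31.5.21.66", 443), ("41.233.43.51", 995),
    ("96.37.113.36", 443), ("86.233.4.153", 2222), ("98.118.156.172", 443),
    ("89.34.214.130", 443), ("79.116.237.126", 443), ("72.16.212.107", 465),
    ("72.36.59.46", 2222), ("5.74.188.119", 995), ("67.209.195.198", 3389),
    ("98.32.60.217", 443), ("24.46.40.189", 2222), ("77.159.149.74", 443),
    ("174.30.24.61", 443), ("98.115.138.61", 443), ("189.159.82.203", 995),
    ("108.21.54.174", 443), ("81.103.144.77", 443),
})
C2_IPS = frozenset(ip for ip, _ in C2_ENDPOINTS)

# File hashes of the analysed sample (from the report above).
SAMPLE_HASHES = {
    "md5": "fdb6187536274ff2890d75909d2b05c5",
    "sha1": "c8be850f5e198618768c7065fb4b2610739a7138",
    "sha256": "00734aaab14a7f28395144dc472490d84cdc3e1931ebdee35ddd6411221cff18",
}

# Assumed key=value firewall log format (hypothetical, chosen for this example).
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def match_c2(log_lines: Iterable[str]) -> list[dict]:
    """Return one hit per log line whose destination is a known Qakbot C2 endpoint."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip rather than crash
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in C2_ENDPOINTS:
            confidence = "high"    # exact ip:port from the extracted config
        elif dst in C2_IPS:
            confidence = "medium"  # known C2 host, but a port not in the config
        else:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                     "dport": dport, "confidence": confidence})
    return hits


def hash_matches_sample(data: bytes) -> dict[str, bool]:
    """Compare a file's contents against the sample's MD5/SHA1/SHA256."""
    return {
        algo: getattr(hashlib, algo)(data).hexdigest() == digest
        for algo, digest in SAMPLE_HASHES.items()
    }


# Constructed log lines (not real traffic) to exercise the matcher;
# 203.0.113.10 is a documentation-range address used as benign traffic.
SAMPLE_LOG = [
    "2020-05-06T10:01:02Z src=10.0.0.5 dst=31.5.21.66 dport=443 proto=tcp",
    "2020-05-06T10:01:09Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2020-05-06T10:02:30Z src=10.0.0.7 dst=67.209.195.198 dport=443 proto=tcp",
    "2020-05-06T10:03:11Z src=10.0.0.9 dst=81.133.234.36 dport=2222 proto=tcp",
    "malformed line",
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print(hit)
```

The medium-confidence tier exists because Qakbot operators rotate ports on proxy nodes; a destination IP from an extracted config is still worth an alert even when the port differs.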

Targets

    • Target

      detectiv_1

    • Size

      2.0MB

    • MD5

      fdb6187536274ff2890d75909d2b05c5

    • SHA1

      c8be850f5e198618768c7065fb4b2610739a7138

    • SHA256

      00734aaab14a7f28395144dc472490d84cdc3e1931ebdee35ddd6411221cff18

    • SHA512

      25cb745ece3534fbfb84927a0b1286eb0e0087ac40c7c74525aaa67d04f2393f9edd8c850687ffd09fc3c22c0c2add2adc80f11c7e1d89a4461e6d5c798a969f

    • Qakbot/Qbot

      Qbot (Qakbot) is a modular banking trojan with worm-like self-propagation and loader capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • CryptOne packer

      Detects the CryptOne packer as described in the NCC Group blog post.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               | Technique                    | Count | ID
---------------------|------------------------------|-------|------
Execution            | Scheduled Task               | 1     | T1053
Persistence          | Scheduled Task               | 1     | T1053
Privilege Escalation | Scheduled Task               | 1     | T1053
Defense Evasion      | Disabling Security Tools     | 2     | T1089
Defense Evasion      | Modify Registry              | 2     | T1112
Discovery            | Query Registry               | 1     | T1012
Discovery            | Peripheral Device Discovery  | 1     | T1120
Discovery            | System Information Discovery | 1     | T1082
Discovery            | Remote System Discovery      | 1     | T1018

Tasks