General

  • Target

    aatnj.exe

  • Size

    39MB

  • Sample

    201228-v895ds2qm2

  • MD5

    2cf766692a75309734b08b3bd8cc36df

  • SHA1

    a003224582db124237e8c879d795aefe8d23b22b

  • SHA256

    1ee6f8e9bbc53afa81c39326d5748c6c4322d2501c42adcb34f5b71bc34ae48b

  • SHA512

    a28bf5af4c30152bd89d23e5295e9a6faa23eac6f312d7841bfb4664fe725bf42fed2fe4bb65c164709d6aa98a5ff66cbb78ed86396be975d2aeb1386afcda2c

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    ps1.dropper: https://www.allens-treasure-house.com/books_files/001.ps1

Extracted

  • Family
    qakbot
  • Campaign
    1513068643

Credentials

C2


Targets

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1
