xyjsca.exe

General

Target: xyjsca.exe
Size: 3MB
Sample: 210218-9s4bs7h566
Score: 10/10
MD5: abddab5ff34dbfae92c8fca7a524a06f
SHA1: 6deec6f703c76e34cd415e83e8a574ac2c97751d
SHA256: 3d7d056acc758c78d5e3741389d6fa62e551b4738a57d199f171332f4ea8c033
SHA512: 29d5b76ccf268bd92d48f79c86c2b037a1fa95c72e0289bfe5d7396f87fe1c5ba0872bc9b15255591f379bab63eab0100b523fb5c7f12fdf0255eb7a01491298

Malware Config

Extracted

Family: qakbot
Botnet: notset
Campaign: 1596817234

Credentials
C2

Targets
Target: xyjsca.exe (size, score and hashes as listed under General)

Signatures

  • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Executes dropped EXE

  • Loads dropped DLL

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation