General

  • Target

    xyjsca.exe

  • Size

    3MB

  • Sample

    210218-9s4bs7h566

  • MD5

    abddab5ff34dbfae92c8fca7a524a06f

  • SHA1

    6deec6f703c76e34cd415e83e8a574ac2c97751d

  • SHA256

    3d7d056acc758c78d5e3741389d6fa62e551b4738a57d199f171332f4ea8c033

  • SHA512

    29d5b76ccf268bd92d48f79c86c2b037a1fa95c72e0289bfe5d7396f87fe1c5ba0872bc9b15255591f379bab63eab0100b523fb5c7f12fdf0255eb7a01491298

Malware Config

Extracted

Family

qakbot

Botnet

notset

Campaign

1596817234

Credentials

  • Protocol:
    ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:
    ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:
    ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:
    ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

47.44.217.98:443

86.97.146.204:2222

65.60.228.130:443

216.201.162.158:443

94.59.24.79:995

108.46.145.30:443

24.139.132.70:443

47.206.174.82:443

188.52.106.206:20

72.204.242.138:6881

173.173.72.199:443

71.163.224.206:443

63.155.9.141:995

100.34.195.237:443

47.39.177.171:2222

96.20.108.17:2222

115.21.224.117:443

70.164.39.91:443

45.47.65.191:443

207.155.107.111:443

Targets

    • Target

      xyjsca.exe

    • Size

      3MB

    • MD5

      abddab5ff34dbfae92c8fca7a524a06f

    • SHA1

      6deec6f703c76e34cd415e83e8a574ac2c97751d

    • SHA256

      3d7d056acc758c78d5e3741389d6fa62e551b4738a57d199f171332f4ea8c033

    • SHA512

      29d5b76ccf268bd92d48f79c86c2b037a1fa95c72e0289bfe5d7396f87fe1c5ba0872bc9b15255591f379bab63eab0100b523fb5c7f12fdf0255eb7a01491298

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks