C.137675

General

Target: C.137675
Size: 3MB
Sample: 210218-q9ggc4mgns
Score: 10/10
MD5: 4c35956aafde8bc2c58868baa53db923
SHA1: 53def6e75c769a4d2e874ccac24aa4b0261d90d1
SHA256: 53b4b521ba57363330e4113c1b1883168441d95ed5db2f06438bd2e5e3ddb5e1
SHA512: 8d05424d6f01f1139918b17b9986125ad3788c5ddebfce100795767931a4e9f6a1b96a30717487da0730c46fc895832c37d460c27ccab9f31d064982c1054096

Malware Config

Extracted

Family: qakbot
Botnet: notset
Campaign: 1596817234

Credentials


C2


Targets
Signatures

  • Qakbot/Qbot
    Description: Qbot or Qakbot is a sophisticated worm with banking capabilities.
  • Executes dropped EXE
  • Loads dropped DLL

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation