General

  • Target

    c8f1fdd8_by_Libranalysis

  • Size

    673KB

  • Sample

    210503-wjxva4kwlx

  • MD5

    c8f1fdd8dd3724f89cef6d9ea9ec85fd

  • SHA1

    30d5e006337e17b512ff5ed878cc1beb1664abb0

  • SHA256

    7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

  • SHA512

    0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

Malware Config

Extracted

Family

qakbot

Version

324.141

Botnet

spx125

Campaign

1590138228

C2

190.75.168.108:2078

93.114.192.211:2222

47.39.76.74:443

182.56.134.44:995

24.201.79.208:2078

207.246.71.122:443

50.244.112.10:443

88.207.27.144:443

72.204.242.138:443

72.204.242.138:2078

72.204.242.138:990

76.187.8.160:443

220.135.31.140:2222

86.126.97.183:2222

86.126.112.153:995

68.49.120.179:443

101.108.125.44:443

203.101.163.187:443

197.165.212.10:443

207.255.161.8:2078

Targets

    • Target

      c8f1fdd8_by_Libranalysis

    • Size

      673KB

    • MD5

      c8f1fdd8dd3724f89cef6d9ea9ec85fd

    • SHA1

      30d5e006337e17b512ff5ed878cc1beb1664abb0

    • SHA256

      7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571

    • SHA512

      0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • CryptOne packer

      Detects the CryptOne packer as defined in the NCC Group blog post.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Disabling Security Tools (T1089): 2

  • Modify Registry (T1112): 2

Discovery

  • System Information Discovery (T1082): 2

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • Remote System Discovery (T1018): 1

Tasks