General
-
Target
mpver.exe
-
Size
36.5MB
-
Sample
210719-rp1l7bgr7x
-
MD5
07a25e7f4f3a756e64c07c07d82591a4
-
SHA1
ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
-
SHA256
6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
-
SHA512
efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4
Malware Config
Extracted
https://www.allens-treasure-house.com/books_files/001.ps1
Extracted
qakbot
322.109
1515090054
Protocol: ftp- Host:
66.96.133.9 - Port:
21 - Username:
help - Password:
eT5TerAcnFe6~
Protocol: ftp- Host:
174.123.38.58 - Port:
21 - Username:
log@thebrainregistry.com - Password:
4BQ1MeeRAwNZEVu
Protocol: ftp- Host:
61.221.12.26 - Port:
21 - Username:
logger@ostergift.com - Password:
346HZGCMlwecz9S
Protocol: ftp- Host:
67.222.137.18 - Port:
21 - Username:
logger@grupocrepusculo.net - Password:
p4a8k6fE1FtA3pR
Protocol: ftp- Host:
107.6.152.61 - Port:
21 - Username:
logger@trussedup.com - Password:
RoP4Af0RKAAQ74V
151.202.46.113:443
108.58.129.90:995
96.85.138.153:443
108.35.21.79:443
68.83.130.163:443
75.83.30.135:443
216.201.159.118:443
76.98.128.87:443
65.73.215.139:990
50.195.161.2:995
216.187.170.2:443
74.93.207.181:993
75.97.144.106:995
73.186.100.187:443
86.27.41.234:443
96.70.92.177:465
68.173.55.51:443
165.225.38.208:443
71.190.202.120:443
117.195.250.175:443
Extracted
https://www.allens-treasure-house.com/books_files/001.ps1
Targets
-
-
Target
mpver.exe
-
Size
36.5MB
-
MD5
07a25e7f4f3a756e64c07c07d82591a4
-
SHA1
ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
-
SHA256
6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
-
SHA512
efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-