qakbot | 2cfd061b305b2a84dc3cb0be6efc34bf745ac17b3eebec5d7261ccff5826a471

General

Target

Payment-717642397-09222021.zip
Size

365KB
Sample

210922-zqzbsagdhl
MD5

f28e80c5f2224aadf42e343a56ec3a47
SHA1

d483bae931bef3834547d9cf37173759fd4cb8a2
SHA256

2cfd061b305b2a84dc3cb0be6efc34bf745ac17b3eebec5d7261ccff5826a471
SHA512

fcac0906a3c5f0165191c3cf7092ed23cde1aeae8a94a3f11386ce8458c2df9a15629fab2680cda825b8d4babbc9c7436cc1fd3763f69779c1f810eda53c6a2d

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://188.165.62.10/44461.9575523148.dat

xlm40.dropper

http://185.82.202.248/44461.9575523148.dat

xlm40.dropper

http://84.246.85.241/44461.9575523148.dat

Extracted

Family

qakbot

Version

402.318

Botnet

obama102

Campaign

1632302707

C2

120.150.218.241:995

47.22.148.6:443

105.198.236.99:443

95.77.223.148:443

140.82.49.12:443

27.223.92.142:995

73.151.236.31:443

136.232.34.70:443

144.139.47.206:443

45.46.53.140:2222

76.25.142.196:443

173.21.10.71:2222

75.188.35.168:443

71.74.12.34:443

96.37.113.36:993

67.165.206.193:993

189.210.115.207:443

72.252.201.69:443

24.139.72.117:443

24.229.150.54:995

Targets

- Target
  
  Payment-717642397-09222021.xls
- Size
  
  410KB
- MD5
  
  6914ea6d7958fff64c588be284e972a5
- SHA1
  
  4c8e33fcd0c9418817a984486368c1c92e6198ec
- SHA256
  
  7342103dcccaef9a164f7effea9b0c48e76409bfa163fc137803b03f3d539b3b
- SHA512
  
  e7dc8c20609456c95406f53811a788763d33647ca4b4880bea4188a08b485495c44b1db071402c311cefcb4df266866f59c756aa32b8487a0aafc7adacfb962f
Score

10^/10

qakbot obama102 1632302707 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1