qakbot | 9a163f08baa5283bf4b87e4a1d7eb2b83c5780ec7767a6af1359042138f63aaf

General

Target

whatever.zip
Size

193KB
Sample

210929-npjzxsegd8
MD5

0fcc679ab6e866ef8a83eead78573dae
SHA1

fa852f5739cf764984787decec49a8962adcfd31
SHA256

9a163f08baa5283bf4b87e4a1d7eb2b83c5780ec7767a6af1359042138f63aaf
SHA512

2190391be62c593020639e2c3c479aa45d624d4117edd51ca64d0de4c000d3cf920b12d75ff96f376e5f6d0edb949e9e76b8e202f3dbb1d3d05b8563509bb5cc

Score

10^/10

qakbot tr 1632817399 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://gillcart.com/Cdpmoyhr/key.xml

xlm40.dropper

https://geit.in/MeOlE9Xxd/key.xml

xlm40.dropper

https://mercanets.com/9DPZqAfZdq5z/key.xml

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Targets

- Target
  
  recital-1267320846.xls
- Size
  
  244KB
- MD5
  
  fa6369788a5f5490d4c506e65b82a166
- SHA1
  
  f12d615a708cd6e83c669e3a16c1bebbf2510718
- SHA256
  
  3f3f21189390158abe6d01848ce995c762f3b0e908ea27192778effb160a6014
- SHA512
  
  a0cf692797d8a9c232de08f15fe251380cdeb54835f5025a5605782d5a55fe4975a0d3fc2174093350b7d533a55ac2bbbea7dbf443a3389abf8c559c1e0f63e9
Score

10^/10

qakbot tr 1632817399 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Loads dropped DLL
behavioral1 behavioral2