General
-
Target
eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
-
Size
502KB
-
Sample
220201-c9vrdafefp
-
MD5
98ae6e7fbcd391e42a2a36b7bd53f99e
-
SHA1
9bf453f13814727bb17a3fe2e33de9886c059135
-
SHA256
eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
-
SHA512
ff23798583f689fc0a94409ef9fa87447e26f39570a32df2c02cb390ef2828269f9b6bf2a46fb0a8a0f809344d2955a0143ce3776d852282ab8c85b385e4f89e
Malware Config
Extracted
qakbot
322.731
hhh07
1552409511
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
logger@dustinkeeling.com - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
logger@misterexterior.com - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
cpanel@vivekharris-architects.com - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
cpanel@dovetailsolar.com - Password:
eQyicNLzzqPN
71.80.84.55:443
70.25.63.178:2222
190.120.196.18:443
192.226.157.108:993
76.122.104.20:443
50.247.230.33:443
69.249.141.152:443
69.70.37.246:465
45.50.227.169:995
199.36.199.104:443
66.171.24.252:443
96.20.84.208:443
24.200.91.146:2222
98.225.141.232:443
76.98.158.47:443
74.68.50.163:443
68.59.209.183:995
69.254.30.75:443
78.94.55.26:50003
216.221.73.45:993
Targets
-
-
Target
eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
-
Size
502KB
-
MD5
98ae6e7fbcd391e42a2a36b7bd53f99e
-
SHA1
9bf453f13814727bb17a3fe2e33de9886c059135
-
SHA256
eeb4645f23f84d8aece99cb4bdb32f735e69582e5f84c451d87d1e2e21d1a5fa
-
SHA512
ff23798583f689fc0a94409ef9fa87447e26f39570a32df2c02cb390ef2828269f9b6bf2a46fb0a8a0f809344d2955a0143ce3776d852282ab8c85b385e4f89e
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-