qakbot | 60abb8176e0ea3f2f85fa12a931f61930e052110de2d5aef79c390d96f841f2f | Triage

Sharing

General

Target

60abb8176e0ea3f2f85fa12a931f61930e052110de2d5aef79c390d96f841f2f
Size

1.8MB
Sample

220201-gw38taade5
MD5

c1d3de25723952a6f889f0e0e48e1f80
SHA1

0b25bbd05aee3acaa75622305bbecf4ec2403e62
SHA256

60abb8176e0ea3f2f85fa12a931f61930e052110de2d5aef79c390d96f841f2f
SHA512

5f3e905e0161c7d5ff675ab886584679660871416a043d1f8a892c9dca68ae2833e35aa8c4149625e2b567ffc93431e60a2fb69fbfb3549f70beef5b9c6b5d28

Score

10^/10

qakbot spx84 1585124895 banker cryptone evasion packer persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

324.70

Botnet

spx84

Campaign

1585124895

C2

99.228.5.106:995

71.241.247.189:443

173.245.152.231:443

79.113.219.121:443

24.44.180.236:2222

80.11.10.151:990

78.96.148.177:443

75.137.60.81:443

68.46.142.48:995

24.32.119.146:443

35.143.248.234:443

35.142.24.147:2222

71.68.197.202:995

96.57.237.162:443

74.138.18.247:443

174.110.39.220:443

62.231.93.154:443

70.164.39.91:443

74.194.4.181:443

67.190.189.217:443

Targets

- Target
  
  60abb8176e0ea3f2f85fa12a931f61930e052110de2d5aef79c390d96f841f2f
- Size
  
  1.8MB
- MD5
  
  c1d3de25723952a6f889f0e0e48e1f80
- SHA1
  
  0b25bbd05aee3acaa75622305bbecf4ec2403e62
- SHA256
  
  60abb8176e0ea3f2f85fa12a931f61930e052110de2d5aef79c390d96f841f2f
- SHA512
  
  5f3e905e0161c7d5ff675ab886584679660871416a043d1f8a892c9dca68ae2833e35aa8c4149625e2b567ffc93431e60a2fb69fbfb3549f70beef5b9c6b5d28
Score

10^/10

qakbot spx84 1585124895 banker stealer trojan cryptone evasion packer persistence
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Executes dropped EXE
- Sets service image path in registry
  persistence
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

qakbotspx841585124895bankerstealertrojan

behavioral2

qakbotspx841585124895bankercryptoneevasionpackerpersistencestealertrojan