Static task: static1
Behavioral task: behavioral1
  Sample: otokfgf.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: otokfgf.exe
  Resource: win10v2004-en-20220112
General
Target: otokfgf.exe
Size: 560KB
MD5: 10b77750d1d656f0e36f97b88a029c4b
SHA1: 3999306417352fc9628d936f5061a37fc8432229
SHA256: 9668d6b2a50e0ae7476c325b09ad36a1d9284ece981f63cea884763e6cab468c
SHA512: 18d6062065b2c4c6408b323680e396063eb9e46463fdabedd8a2bc3b18d29c3e659d5ee6767ba0c367eea79ce94823ae273783076c1689b3e31d7d1bd81b3c3a
SSDEEP: 12288:xbBFzCw9/TrcIINuWOxcSXe0/IDsy9dU4tt0tHu+5U:xbLCw5TrcIHWOHbIc4tSOM
Malware Config
Extracted: qakbot
323.91
1571042641
Protocol: ftp - Host: 192.185.5.208 - Port: 21 - Username: logger@dustinkeeling.com - Password: NxdkxAp4dUsY
Protocol: ftp - Host: 162.241.218.118 - Port: 21 - Username: logger@misterexterior.com - Password: EcOV0DyGVgVN
Protocol: ftp - Host: 69.89.31.139 - Port: 21 - Username: cpanel@vivekharris-architects.com - Password: fcR7OvyLrMW6!
Protocol: ftp - Host: 169.207.67.14 - Port: 21 - Username: cpanel@dovetailsolar.com - Password: eQyicNLzzqPN
98.186.90.192:995
2.50.170.151:443
74.194.4.181:443
70.74.159.126:2222
75.70.218.193:443
96.59.11.86:443
168.245.228.71:443
173.22.120.11:2222
71.77.231.251:443
24.184.6.58:2222
108.5.32.66:443
64.19.74.29:995
68.83.59.107:443
104.3.91.20:995
100.4.185.8:443
96.20.238.2:2087
99.228.242.183:995
206.255.212.179:443
50.247.230.33:443
108.55.23.221:443
105.246.79.97:995
172.78.185.176:443
47.23.101.26:993
68.238.56.27:443
72.213.98.233:443
74.88.112.250:2222
174.16.234.171:993
173.161.148.169:995
50.78.93.74:995
111.125.70.30:2222
47.202.98.230:443
222.195.69.36:2078
217.162.149.212:443
47.23.101.26:465
98.186.155.8:443
70.183.177.71:443
96.20.238.2:2222
69.119.185.172:995
104.152.16.45:995
199.126.92.231:995
174.82.131.155:995
96.20.238.2:2083
24.180.7.155:443
187.202.57.9:995
67.214.8.102:443
123.252.128.47:443
108.160.123.244:443
66.214.75.176:443
96.20.238.2:61201
79.106.13.119:995
176.205.62.156:443
64.20.68.35:2083
76.80.66.226:443
181.90.124.162:443
96.22.239.27:2222
96.20.238.2:2078
108.184.57.213:8443
173.178.129.3:443
12.5.37.3:443
75.69.3.12:443
70.169.2.228:21
207.179.194.91:443
67.10.18.112:993
184.191.62.78:443
72.29.181.77:2083
207.162.184.228:443
206.51.202.106:50002
75.131.72.82:2087
190.120.196.18:443
65.30.12.240:995
71.30.56.170:443
47.214.144.253:443
172.78.45.13:995
110.12.60.117:443
173.247.186.90:990
173.247.186.90:995
174.131.181.120:995
80.14.209.42:2222
76.181.237.223:443
50.246.229.50:443
78.94.55.26:50003
71.197.126.250:443
24.30.69.9:443
68.225.250.136:443
174.48.72.160:443
107.12.140.181:443
75.110.250.89:443
166.62.180.194:2078
173.247.186.90:22
108.45.183.59:443
98.165.206.64:443
62.103.70.217:995
12.176.32.146:443
47.153.115.154:443
68.174.15.223:443
71.93.60.90:443
76.116.128.81:443
162.244.224.166:443
181.126.80.118:443
184.74.101.234:995
75.131.72.82:995
47.146.169.85:443
47.153.115.154:995
75.81.25.223:995
193.154.185.19:995
173.247.186.90:993
172.250.91.246:443
196.194.84.165:2222
2.177.115.198:443
159.118.173.115:995
197.82.208.249:995
192.24.181.185:443
72.16.212.107:995
203.192.232.72:443
86.98.7.248:443
162.244.225.30:443
65.116.179.83:443
70.120.151.69:443
184.180.157.203:2222
104.32.185.213:2222
72.142.106.198:465
23.240.185.215:443
196.194.84.165:0
117.208.254.113:995
104.34.122.18:443
75.110.90.155:443
179.36.9.109:443
47.180.66.10:443
73.137.187.150:443
64.201.125.172:443
47.180.66.10:995
73.138.178.6:443
187.156.73.46:995
69.245.144.167:443
76.174.122.204:443
68.206.128.75:443
75.165.132.69:443
75.165.181.122:443
35.136.74.103:443
96.29.219.77:443
64.150.136.45:443
1.173.254.97:443
72.218.137.100:443
50.46.139.220:443
201.152.122.180:995
200.104.40.85:443
75.110.101.34:443
24.196.158.28:443
190.120.196.18:1194
201.188.97.244:443
Signatures
-
Qakbot family
Files
-
otokfgf.exe.exe windows x86
510fcd1c61673b9a48954b01d659ae75
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
strncpy
_ftol2_sse
_ltoa
_except_handler3
strchr
_wtol
memcpy
memset
userenv
GetUserProfileDirectoryW
shlwapi
wvnsprintfA
wvnsprintfW
StrStrW
StrStrIW
StrStrIA
PathUnquoteSpacesW
ole32
CoInitialize
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
shell32
CommandLineToArgvW
ShellExecuteW
SHGetFolderPathW
setupapi
SetupDiGetDeviceRegistryPropertyA
SetupDiGetClassDevsA
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
kernel32
SystemTimeToFileTime
GetSystemTime
Sleep
lstrcpynW
CloseHandle
SetEvent
SleepEx
OpenEventA
GetCurrentProcessId
GetLastError
lstrcmpiW
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
WaitForSingleObject
CreateEventA
ExitProcess
GetDriveTypeW
lstrcmpA
CopyFileW
GetCommandLineW
lstrlenW
lstrlenA
lstrcmpiA
GetSystemTimeAsFileTime
HeapCreate
HeapAlloc
HeapFree
GetExitCodeProcess
TerminateProcess
ResumeThread
WideCharToMultiByte
MultiByteToWideChar
lstrcatA
lstrcatW
lstrcpyA
GetLocalTime
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileSize
VirtualAlloc
CreateMutexA
OpenMutexA
ReleaseMutex
GetCurrentProcess
GetCurrentThread
LocalAlloc
LoadResource
SizeofResource
FindResourceA
GetVolumeInformationW
GetComputerNameW
GetSystemInfo
GetVersionExA
GetModuleFileNameW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTickCount
GetModuleFileNameA
ExpandEnvironmentStringsW
GetThreadContext
TerminateThread
CreateThread
OpenProcess
VirtualFree
DeleteFileW
GetFileAttributesA
GetFileAttributesW
LocalFree
lstrcpyW
CreateDirectoryW
user32
CharUpperBuffA
CharUpperBuffW
MessageBoxA
advapi32
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
SetServiceStatus
EqualSid
LookupAccountNameW
OpenProcessToken
OpenThreadToken
GetTokenInformation
LookupPrivilegeValueA
ConvertSidToStringSidW
RegLoadKeyW
RegUnLoadKeyW
RegSetValueExW
RegQueryValueExW
SetFileSecurityW
RegDeleteValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegEnumValueW
LookupAccountSidW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSidSubAuthorityCount
GetSidSubAuthority
CreateProcessAsUserW
netapi32
NetApiBufferFree
NetUserEnum
NetGetDCName
Sections
.text Size: 79KB - Virtual size: 79KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 33KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 436KB - Virtual size: 436KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ