qakbot | cbf1d0b742d7aa86cfe97f6aab3708944cff3684f52eddae831a9bb1fd885b69 | Triage

Sharing

General

Target

659104ecb5d09ae0f79672947065ea358ed238228d429b8abae3b944bd64b241
Size

54KB
Sample

220509-sg1d6ageam
MD5

f77bfb6db937e752dac3c97468fb0db8
SHA1

48d8ed2a5d6b8a36fb0b23a50b3a2c923aa21d10
SHA256

cbf1d0b742d7aa86cfe97f6aab3708944cff3684f52eddae831a9bb1fd885b69
SHA512

5907544470ac60363c56ad5ce1af60e18735e74c71640db8dc5d5943871cf9d3f80cb03a5fda61ac45af0439e2729306806c14d3e97498d95b2a2c7387a96c30

Score

10^/10

qakbot obama182 1651756499 banker evasion macro stealer trojan xlm

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  Cancellation-1152640575$-May5.xlsb
- Size
  
  65KB
- MD5
  
  b49fa3cc9df9dd2a29628c0c84223230
- SHA1
  
  bb70e2760c1a7ce1ba5f9ce1bda49038fe185ef3
- SHA256
  
  d0d0d39aae1f808e21df5d51847ae538d8399f8455455b2cb75e21c0478bf56f
- SHA512
  
  51536714793ecf4cd4240a2e119d6fbfa7feb15a726dea7c7706064bd0f106dbf6bd92f0d8e1e8311737005fcebddb56e3a55c01fcb25f4132bcf31b1e508248
Score

10^/10

qakbot obama182 1651756499 banker stealer trojan evasion
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Windows security bypass
  evasion trojan
- Downloads MZ/PE file
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

qakbotobama1821651756499bankerstealertrojan

behavioral2

qakbotobama1821651756499bankerevasionstealertrojan