25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

General
Target

25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

Size

830KB

Sample

220521-d7c9zsbhhq

Score
10/10
MD5

8760a07ac17e0eb381d1d0559a713daa

SHA1

859de08700dc8ed97febe6f4c7bfe26076a39cbe

SHA256

25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

SHA512

25f76da0b99886f5157d11bef9cb30e4c0fab83f5f66dc936e7dc3a9fefc422abc1d16bbb85989b7522b397bd46c9258f76ad383adf5485dca0fd9cca86c0b0b

Malware Config

Extracted

Family qakbot
Version 324.142
Botnet spx142
Campaign 1592381263
C2

173.175.29.210:443

201.248.102.4:2078

182.185.94.24:995

41.97.182.19:443

37.182.238.170:2222

193.248.44.2:2222

188.26.243.186:443

84.247.55.190:443

58.233.220.182:443

82.79.67.68:443

217.162.149.212:443

173.49.122.160:995

117.216.177.27:443

219.92.104.54:443

5.107.220.84:2222

96.41.93.96:443

122.147.204.4:443

117.199.5.99:443

68.60.221.169:465

78.96.192.26:443

78.96.190.54:443

69.11.247.242:443

207.255.161.8:32100

68.204.164.222:443

82.81.172.21:443

78.97.145.242:443

216.163.4.132:443

68.190.152.98:443

73.217.4.42:443

76.116.90.159:443

75.110.250.89:443

35.142.12.163:2222

74.134.46.7:443

80.195.103.146:2222

41.34.91.90:995

39.62.15.131:443

70.93.151.141:443

81.245.66.237:995

86.144.150.29:2222

172.242.243.186:443

59.88.168.3:443

73.200.219.143:443

35.143.205.199:443

24.42.14.241:995

98.121.187.78:443

73.78.149.206:443

81.133.234.36:2222

154.56.71.73:443

188.241.243.175:443

77.69.206.106:443

Targets
Target

DEBT_07854_06162020.vbs

MD5

66222018f11f64892cf65efeaade4e51

Filesize

2MB

Score
10/10
SHA1

c9a4282e5ba84aaeb136bf47b8ae04185f32af86

SHA256

116905c43d121cc4e1fdaa9ef2e89bb2f83a4c89b5fb400024f94c5cb06b9b09

SHA512

1b1fe70395a322e8e7450e881cda37a58ff614146f1f7e66346b4e13bddad66c1a1f7b5f3f7c2aa81e6e58d1379fe9f00eb1f481250fba4af2c6015814e18980

Signatures

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Turns off Windows Defender SpyNet reporting

    TTPs

    Disabling Security Tools
    Modify Registry

  • Windows security bypass

    TTPs

    Disabling Security Tools
    Modify Registry

  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry
    System Information Discovery

  • Deletes itself

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation