General

  • Target

    25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

  • Size

    830KB

  • Sample

    220521-d7c9zsbhhq

  • MD5

    8760a07ac17e0eb381d1d0559a713daa

  • SHA1

    859de08700dc8ed97febe6f4c7bfe26076a39cbe

  • SHA256

    25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009

  • SHA512

    25f76da0b99886f5157d11bef9cb30e4c0fab83f5f66dc936e7dc3a9fefc422abc1d16bbb85989b7522b397bd46c9258f76ad383adf5485dca0fd9cca86c0b0b

Malware Config

Extracted

  • Family

    qakbot

  • Version

    324.142

  • Botnet

    spx142

  • Campaign

    1592381263

  • C2


Targets

    • Target

      DEBT_07854_06162020.vbs

    • Size

      2.6MB

    • MD5

      66222018f11f64892cf65efeaade4e51

    • SHA1

      c9a4282e5ba84aaeb136bf47b8ae04185f32af86

    • SHA256

      116905c43d121cc4e1fdaa9ef2e89bb2f83a4c89b5fb400024f94c5cb06b9b09

    • SHA512

      1b1fe70395a322e8e7450e881cda37a58ff614146f1f7e66346b4e13bddad66c1a1f7b5f3f7c2aa81e6e58d1379fe9f00eb1f481250fba4af2c6015814e18980

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Disabling Security Tools (2) T1089

    Modify Registry (2) T1112

  • Discovery

    Query Registry (2) T1012

    System Information Discovery (3) T1082

    Peripheral Device Discovery (1) T1120

  • Command and Control

    Web Service (1) T1102

Tasks