General

  • Target

    4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

  • Size

    616KB

  • Sample

    220714-ea1jpaeha6

  • MD5

    adab2a637738b6780e74b74dcabbb96f

  • SHA1

    0614b295d8f8486ea42c89be35b3e44926a943c0

  • SHA256

    4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

  • SHA512

    72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.368

Campaign

1532427880

Credentials

  • Protocol:
    ftp
  • Host:
    37.60.244.211
  • Port:
    21
  • Username:
    backup_manager@garciasdrywall.com
  • Password:
    4AsEzIaMwi2d

  • Protocol:
    ftp
  • Host:
    198.38.77.162
  • Port:
    21
  • Username:
    backup_manager@worldexpresscargo.com
  • Password:
    kJm6DKVPfyiv

  • Protocol:
    ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    logger@ostergift.com
  • Password:
    346HZGCMlwecz9S

  • Protocol:
    ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    logger@grupocrepusculo.net
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:
    ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    logger@trussedup.com
  • Password:
    RoP4Af0RKAAQ74V
C2

216.218.74.196:443

185.219.83.73:443

50.198.141.161:2078

70.118.18.242:443

68.113.142.24:465

72.193.162.108:443

98.225.141.232:443

216.201.159.118:443

73.130.229.200:443

76.73.202.82:443

67.197.97.144:443

71.77.22.206:443

47.40.29.239:443

65.116.179.83:443

96.248.15.254:995

47.134.236.166:443

173.81.42.136:20

73.106.122.121:443

98.103.2.226:443

181.93.205.181:443

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Targets

    • Target

      4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

    • Size

      616KB

    • MD5

      adab2a637738b6780e74b74dcabbb96f

    • SHA1

      0614b295d8f8486ea42c89be35b3e44926a943c0

    • SHA256

      4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

    • SHA512

      72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Tasks