qakbot | 4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4

General

Target

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
Size

616KB
Sample

220714-ea1jpaeha6
MD5

adab2a637738b6780e74b74dcabbb96f
SHA1

0614b295d8f8486ea42c89be35b3e44926a943c0
SHA256

4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
SHA512

72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.368

Campaign

1532427880

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

216.218.74.196:443

185.219.83.73:443

50.198.141.161:2078

70.118.18.242:443

68.113.142.24:465

72.193.162.108:443

98.225.141.232:443

216.201.159.118:443

73.130.229.200:443

76.73.202.82:443

67.197.97.144:443

71.77.22.206:443

47.40.29.239:443

65.116.179.83:443

96.248.15.254:995

47.134.236.166:443

173.81.42.136:20

73.106.122.121:443

98.103.2.226:443

181.93.205.181:443

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Targets

- Target
  
  4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
- Size
  
  616KB
- MD5
  
  adab2a637738b6780e74b74dcabbb96f
- SHA1
  
  0614b295d8f8486ea42c89be35b3e44926a943c0
- SHA256
  
  4845e632325c892c3da2de6fca61624f914f0f340643174bdd34b89b38cd7fa4
- SHA512
  
  72d5f1034bc442533403b836b5c47bbe2c895f2d32eadc1cbc3982b446eb011d871cc38b17ea471e8fe09a4c30f951f411004779fbc5f7fe87a663474be49b9d
Score

10^/10

qakbot 1532427880 banker persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2