Overview

overview

10

Static

static

718c0ae260...6d.exe

windows7-x64

10

718c0ae260...6d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7740876126.zip

  • Size

    613KB

  • Sample

    220715-r6t31abec4

  • MD5

    2b998c3a5a3f8b9f649a1b9845802344

  • SHA1

    1347f50bc2f3c4d6722279283b4252e9fdaa278f

  • SHA256

    8605debb4d016c1466956c6520b20afa78f3ebf6a005c97a849096bad00c103d

  • SHA512

    5d3559af1b2706248d0eaf1e60007ea82a0169d3ce34ea617268f0a44c284793dd6073bd45561be509c35b338264a82224bc5a57d6fb4e2600350bf3b9a6bfbf

Score
10/10
qakbot1566230092bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

323.49

Campaign

1566230092

Credentials

  • Protocol:     ftp
  • Host:
    192.185.5.208
  • Port:
    21
  • Username:
    logger@dustinkeeling.com
  • Password:
    NxdkxAp4dUsY

  • Protocol:     ftp
  • Host:
    162.241.218.118
  • Port:
    21
  • Username:
    logger@misterexterior.com
  • Password:
    EcOV0DyGVgVN

  • Protocol:     ftp
  • Host:
    69.89.31.139
  • Port:
    21
  • Username:
    cpanel@vivekharris-architects.com
  • Password:
    fcR7OvyLrMW6!

  • Protocol:     ftp
  • Host:
    169.207.67.14
  • Port:
    21
  • Username:
    cpanel@dovetailsolar.com
  • Password:
    eQyicNLzzqPN
C2

24.180.7.155:443

72.255.200.129:443

67.200.146.98:2222

98.173.34.212:995

75.71.201.170:443

69.170.21.98:443

65.116.179.83:443

68.174.15.223:443

96.20.238.2:2078

64.229.194.89:995

206.51.202.106:50003

98.17.133.209:995

67.71.130.80:2222

216.221.88.160:443

47.153.115.154:443

162.244.224.166:443

65.94.90.23:3389

209.222.185.155:990

98.233.116.181:443

70.53.246.156:995

Targets

    • Target

      718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d

    • Size

      640KB

    • MD5

      b566458411258f397f6c836d26204b3e

    • SHA1

      f9f7f315306eb85c3525210093b3832bcb4c247b

    • SHA256

      718c0ae260ecee2538564a2a55af22b53f39a24013f008251f443d6dbc8eb06d

    • SHA512

      202574ceb2777c4bb54156b95f0fd354bface83255d4d5e51444104034231651d241761c0af34681247d5792163ed7144caa89d9177bac716835fcb5e6f6bfa0

    Score
    10/10
    qakbot1566230092bankerstealertrojan

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks