General

  • Target

    abe0f53debd4571bd4d380b7af102893b09a783ca19846e7d2c089559a70ea69 (1).zip

  • Size

    450KB

  • Sample

    220722-1fckpshhg9

  • MD5

    af86f8ce9bee1b1219817e5a7c07905a

  • SHA1

    86cdf878c7ada73fdbfb14ab31736b3f4f12c04c

  • SHA256

    255595eccc5ef0761bfde60d5cd2c6accea776e14ff7d235ff3d0d15f909b9e6

  • SHA512

    954213c79332f00931a8c3b678854233cc9cf07072baaeb6e25dd172b4842b52f53795602a9db514be09b69ccb785606168381c0f31d23571965686710f03ced

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.780

  • Botnet

    obama199

  • Campaign

    1657265474

C2


Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

    • Target

      DATA/ASSETS/IMAGES/ICDZ.DAT

    • Size

      670KB

    • MD5

      20ce42b6187940992c37ed0a478deb19

    • SHA1

      d18bd5eca106c6177a5c2bdd15ab837ff57abcbf

    • SHA256

      e82962049ca8b3351dbb9ba33f0cb18797baaea366a3c9625726dd24e30b7fec

    • SHA512

      39ae3e97cecefb4e69f6931b54fd7d59724876a85c69d21e1eb1d557fe3fc571c71ceb5eb920be42a2b208a5b1aa6bd5467393d6024e629d81001cabbae7449a

    • Target

      FXS.LNK

    • Size

      2KB

    • MD5

      b9aa6bb4120f2e1dcb608ff0f16034de

    • SHA1

      173ae8259bba3ebc3aa283f90ad4d1258af83bf3

    • SHA256

      1fcd30ee7f0f63b282a99084932792ef1e3d7d4df15b2e0f59072da0b48afa74

    • SHA512

      231cce7caca844b4eb41e02ec06583450af977e70dcc89b52664d60dd94da888b0581a8e88fbc7074eec90d56faad048af02bc387ee728e4d6ca507e2c66e3a2

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (2) T1053

  • Persistence

    Scheduled Task (2) T1053

  • Privilege Escalation

    Scheduled Task (2) T1053

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

Tasks