General

  • Target

    7104244c41fb6d9f8a38cbca6c5e875dca05848b7c6f209f947482dc065c4c83

  • Size

    1.9MB

  • Sample

    220725-esaqzsebc5

  • MD5

    c8ab0597cb68100b45b9599957c18e1f

  • SHA1

    cc9ab701c0f9d809ad084b4fec63a94871fd6209

  • SHA256

    7104244c41fb6d9f8a38cbca6c5e875dca05848b7c6f209f947482dc065c4c83

  • SHA512

    1f381bb9871f2bf9b30a037262a7657bc90728db080168c1becf26be7157a4b786d33244940667d72d03b476537bc57acfdd3249877e7a0d78c0d6f2974907ad

Malware Config

Extracted

Family

qakbot

Version

323.91

Botnet

spx24

Campaign

1571222456

C2

207.179.194.91:443

47.214.144.253:443

69.119.185.172:995

72.29.181.77:2083

174.131.181.120:995

137.119.216.25:443

207.162.184.228:443

65.30.12.240:995

190.120.196.18:443

206.51.202.106:50002

80.14.209.42:2222

76.80.66.226:443

173.178.129.3:443

181.90.124.162:443

96.22.239.27:2222

78.94.55.26:50003

24.201.68.105:2078

197.89.78.191:995

108.184.57.213:8443

181.126.80.118:443

Targets

    • Target

      7104244c41fb6d9f8a38cbca6c5e875dca05848b7c6f209f947482dc065c4c83

    • Size

      1.9MB

    • MD5

      c8ab0597cb68100b45b9599957c18e1f

    • SHA1

      cc9ab701c0f9d809ad084b4fec63a94871fd6209

    • SHA256

      7104244c41fb6d9f8a38cbca6c5e875dca05848b7c6f209f947482dc065c4c83

    • SHA512

      1f381bb9871f2bf9b30a037262a7657bc90728db080168c1becf26be7157a4b786d33244940667d72d03b476537bc57acfdd3249877e7a0d78c0d6f2974907ad

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Tasks