General

  • Target

    17_aug.zip

  • Size

    652KB

  • Sample

    220818-rd8exsfdeq

  • MD5

    d9878441c1e12923e3afd10c982d2e3b

  • SHA1

    2736b9a59fa1bc605ea142867d930eac1d84068f

  • SHA256

    30bef9a5f75a235e9823beb54267c1bb7faacc9e067bcb4bea367df702ce997e

  • SHA512

    68c5fced55de53c96c43376f9cfb2aaaae2837ba65e73d91632e207216bca64ec168e11d9b99fbd84efbfd88adcb0d36eb59b15337bfc48407c2fb9f2f896fb9

  • SSDEEP

    12288:668cXe1AZwXVfSMFgFXWHp5gI6CnslK3t5ZxXx7wuCJ1oVp6WrhKU:6mXyAZI6MFgVip5gjlMXx7ZCJKx

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.694

  • Botnet

    obama186

  • Campaign

    1654596660

  • C2

    67.165.206.193:993
    63.143.92.99:995
    74.14.5.179:2222
    182.191.92.203:995
    197.89.8.51:443
    89.101.97.139:443
    86.97.9.190:443
    124.40.244.115:2222
    80.11.74.81:2222
    41.215.153.104:995
    179.100.20.32:32101
    31.35.28.29:443
    202.134.152.2:2222
    109.12.111.14:443
    93.48.80.198:995
    120.150.218.241:995
    41.38.167.179:995
    177.94.57.126:32101
    173.174.216.62:443
    1.161.101.20:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

    • Target

      019338921.dll

    • Size

      1.4MB

    • MD5

      7bbeafc1ab9f9d1a48a99338ffec561c

    • SHA1

      a4ce6de223addbdc66e747d3abd00b9f190fb5cb

    • SHA256

      fca807ab91e7328195cafebe5761402f4d7066aef4c766c78a37f2c27fcf812c

    • SHA512

      a32b34d9c03b6a1eaa1d409968d6d211a22320cc8b46955f8cda156f4956ea4a3d2e6d0a5fd8578e274e67db36e2696a7e8722647313333d3b7825d3e3a2c263

    • SSDEEP

      24576:a80Ra7rJwVXWqZLSPZF5BQjaM+R4YENZrfrzfQzD6CJ0:at8kRKZ29+I4zDLJ

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      01970422_890527.lnk

    • Size

      1KB

    • MD5

      76390978f26d3c6d7f799257542796ce

    • SHA1

      4d3efb8f9db9519160fe13f79ef5be1c041eed0e

    • SHA256

      03160be7cb698e1684f47071cb441ff181ff299cb38429636d11542ba8d306ae

    • SHA512

      8c6243c7a93974dbf1a6878fbb2ad89861a4b960fb5262ba6c0e6274f78fcf93c90e80d1f007b9a6e3deafd53969fffb8f2e66adfd0e10c19fe7f65e4c597779

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (2) T1053

  • Persistence

    Scheduled Task (2) T1053

  • Privilege Escalation

    Scheduled Task (2) T1053

  • Defense Evasion

    Disabling Security Tools (2) T1089
    Modify Registry (2) T1112

  • Discovery

    Query Registry (1) T1012
    System Information Discovery (2) T1082