General

  • Target

    Claim_Letter#880486.iso

  • Size

    430KB

  • Sample

    220914-sygy5seddp

  • MD5

    6392e2d2876c1eee43b288e3f57345c8

  • SHA1

    2258b5f546d3059ceb724552bac04fbdbe9e3049

  • SHA256

    e544c99986ba3917404c7a2871e9840f13c5b60af7772f53b41de0be00ec8227

  • SHA512

    b270d8f585450da196903613c6b2b5dfcfb560fffa1805a604a4e7bb6ef4b177b533d88384f586c506544254a2be49d82409fc896b0011cc581f07099aa518c7

  • SSDEEP

    6144:eu8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:J8ZSg24Vbe5LFVxVFIAPWelSZm

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.858

  • Botnet

    obama202

  • Campaign

    1663062752 (Unix epoch seconds: 2022-09-13 09:52:32 UTC)

  • C2

    99.232.140.205:2222
    41.69.118.117:995
    179.111.111.88:32101
    37.210.148.30:995
    47.146.182.110:443
    191.97.234.238:995
    64.207.215.69:443
    88.233.194.154:2222
    81.131.161.131:2078
    86.98.156.176:993
    200.161.62.126:32101
    88.244.84.195:443
    78.100.254.17:2222
    85.114.99.34:443
    113.170.216.154:443
    194.49.79.231:443
    193.3.19.37:443
    84.38.133.191:443
    175.110.231.67:443
    191.84.204.214:995

  • Attributes

    • salt

      SoNuce]ugdiB3c[doMuce2s81*uXmcvP
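The salt attribute is the string from which this Qakbot generation derives the RC4 key protecting its embedded configuration resources; that is how a sandbox extractor recovers the botnet name, campaign timestamp and C2 list shown above. The Python below is an added worked example written for this page, not the Triage extractor and not Qakbot code. It assumes the scheme public extractors implement for 40x.x builds (RC4 key = SHA-1(salt); decrypted resource prefixed by a 20-byte SHA-1 of the remaining plaintext; C2 table of 7-byte records; settings as key=value text with key 10 = botnet and key 3 = campaign). The encrypted blobs are constructed inside the script from the report's own values (helpers seal_resource and build_c2_table exist only for that), because the real resources are not on this page.

```python
"""Added example (not from the report or from Qakbot): decrypt and parse a
Qakbot-style configuration resource using the salt listed in this report.

Assumptions (the scheme public config extractors use for 40x.x builds):
  * RC4 key = SHA-1(salt)
  * decrypted blob = SHA-1(plaintext) || plaintext (20-byte integrity check)
  * C2 resource = 7-byte records: 1 flag byte, 4-byte IPv4, big-endian port
  * settings resource = "key=value" lines; key 10 = botnet, key 3 = campaign
The encrypted blobs below are constructed here with the report's salt so the
script runs offline; seal_resource/build_c2_table exist only to build them.
"""
import datetime
import hashlib
import struct

SALT = b"SoNuce]ugdiB3c[doMuce2s81*uXmcvP"  # "salt" attribute from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def resource_key(salt: bytes) -> bytes:
    """Assumed key derivation: SHA-1 digest of the salt string."""
    return hashlib.sha1(salt).digest()


def seal_resource(plaintext: bytes, salt: bytes) -> bytes:
    """Inverse of decrypt_resource; used only to construct sample blobs."""
    return rc4(resource_key(salt), hashlib.sha1(plaintext).digest() + plaintext)


def decrypt_resource(blob: bytes, salt: bytes) -> bytes:
    """RC4-decrypt and verify the leading SHA-1 over the rest of the plaintext."""
    plain = rc4(resource_key(salt), blob)
    digest, body = plain[:20], plain[20:]
    if hashlib.sha1(body).digest() != digest:
        raise ValueError("SHA-1 check failed: wrong salt or not a Qakbot resource")
    return body


def salt_is_valid(blob: bytes, salt: bytes) -> bool:
    """True when the integrity check passes, i.e. the salt fits this blob."""
    try:
        decrypt_resource(blob, salt)
        return True
    except ValueError:
        return False


def parse_c2_table(body: bytes) -> list:
    """Decode 7-byte records (flag, IPv4, big-endian port) into 'ip:port'."""
    if len(body) % 7:
        raise ValueError("C2 table length is not a multiple of 7")
    c2s = []
    for off in range(0, len(body), 7):
        _flag, ip, port = struct.unpack(">B4sH", body[off:off + 7])
        c2s.append(".".join(str(b) for b in ip) + f":{port}")
    return c2s


def parse_settings(body: bytes) -> dict:
    """Pull botnet (key 10) and campaign (key 3) out of key=value text."""
    fields = {}
    for line in body.decode("ascii", "replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    cfg = {"botnet": fields.get("10"), "campaign": fields.get("3")}
    if cfg["campaign"] and cfg["campaign"].isdigit():  # campaign is epoch seconds
        ts = datetime.datetime.fromtimestamp(int(cfg["campaign"]), datetime.timezone.utc)
        cfg["campaign_utc"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return cfg


def build_c2_table(c2s: list) -> bytes:
    """Encode 'ip:port' strings as 7-byte records (constructed test data)."""
    table = b""
    for entry in c2s:
        ip, port = entry.rsplit(":", 1)
        table += struct.pack(">B4sH", 1, bytes(int(o) for o in ip.split(".")), int(port))
    return table


# Constructed sample blobs: a few of the report's C2s plus its botnet/campaign values.
SAMPLE_C2S = ["99.232.140.205:2222", "41.69.118.117:995",
              "179.111.111.88:32101", "47.146.182.110:443"]
C2_BLOB = seal_resource(build_c2_table(SAMPLE_C2S), SALT)
SETTINGS_BLOB = seal_resource(b"10=obama202\r\n3=1663062752\r\n", SALT)


def extract_config(c2_blob: bytes, settings_blob: bytes, salt: bytes = SALT) -> dict:
    """Decrypt both resources and return the fields a report like this one shows."""
    cfg = parse_settings(decrypt_resource(settings_blob, salt))
    cfg["c2"] = parse_c2_table(decrypt_resource(c2_blob, salt))
    return cfg


if __name__ == "__main__":
    print(extract_config(C2_BLOB, SETTINGS_BLOB))
```

The SHA-1 prefix doubles as a cheap salt check: a wrong salt produces garbage whose hash does not match, so an extractor can try candidate salts against an unknown build without any knowledge of the plaintext layout.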

Targets

    • Target

      Claim_Letter.lnk

    • Size

      1KB

    • MD5

      c53b47b2e0791335f27db7d2bc8a1840

    • SHA1

      4ccca8b640e34f78105030230df75071fe6e79a5

    • SHA256

      f4fb6388e14d3108d5a422c26a504433700593760ff0de87eabec97841d70d09

    • SHA512

      56c99109bbcaf12d458beb1769d72184dcf9095e5f29e7382157b1f5853f79aff1b992660a84a4ec0157270f10d9206c7640391c84e257adaea7e7777515780f

    • Score

      3/10

    • Target

      about/doGive.bat

    • Size

      42B

    • MD5

      d8996b265c0c47c59bf8f9188f4a8827

    • SHA1

      0f1488177c0d4ac8f290f8272c33a4373bfe3cec

    • SHA256

      1f568e59207d9cd0ab504cf40f59a5f5bea5c1ff0dcf93755c508ac565c6b8e7

    • SHA512

      584d2903a44e05f34a39ba511437ebd4ed8fe0bbef0a842f317f4cfe3b68f09fe1ca60abb64476801067ab93c4bf64ad1afadbc6c518ceb4e822ab6dd7c78548

    • Score

      1/10

    • Target

      about/justFirst.db

    • Size

      368KB

    • MD5

      aaabcb8c5464c4fdb6d72816f77f3b65

    • SHA1

      7397d48671bde4ef13ae59f3427f0c1a1e7977d4

    • SHA256

      1cbd5c3072fd99bff1408bc1f8a3b09206322de8b83b743a57efa24adefdb44f

    • SHA512

      c5165a9e1f8185a94256bb67cf89d035f743e461795f0444208ee116df53bec5633673527cf52727462a8c543286c2f05f74dcc16078e5a1d2689ea434876546

    • SSDEEP

      6144:0u8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:/8ZSg24Vbe5LFVxVFIAPWelSZm

    • Qakbot/Qbot

      Qakbot (Qbot) is a modular banking trojan and loader: it steals credentials and browser and e-mail data, spreads laterally with worm-like behaviour, and delivers follow-on payloads for its operators.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      about/wellThing.js

    • Size

      208B

    • MD5

      5f60c99c6a73734338667bf85b2b2b51

    • SHA1

      b9f42f5957d21acd3dbb25d3e5fe56e939e77ca7

    • SHA256

      f53db0cabdb1d9610afcd83f825b126a0f82175bcafbdbd422aeeb15d7f58aa3

    • SHA512

      15c5d182c4687a3e2a34f86dbeebcdf4793ba0bb9894f2a87d02c5a4211f27417f5c5e8cd9ca0e40b640faf5061c15eeb582ef14296941e3c31098aeaeab04cd

    • Score

      3/10
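The SSDEEP values of the ISO and of about/justFirst.db differ by one character in each chunk, which says the 368KB .db makes up nearly all of the 430KB image's content. The Python below is an added example, not part of the report: it re-implements ssdeep's fuzzy_compare scoring (block-size compatibility check, 7-character common-substring requirement, weighted edit distance scaled to 0 to 100) so the two signatures from this page can be scored offline without the ssdeep library. Under this implementation the two report hashes score 99; the third signature it compares against is a constructed one.

```python
"""Added example (not from the report): score two ssdeep signatures the way
ssdeep's fuzzy_compare() does. Re-implemented from the published algorithm;
this is not the ssdeep library. The two real signatures are the ones listed
in this report; the third is constructed to show an incompatible block size."""

SPAMSUM_LENGTH = 64   # max chunk length
ROLLING_WINDOW = 7    # minimum common substring before two chunks can score
MIN_BLOCKSIZE = 3

ISO_SSDEEP = ("6144:eu8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:"
              "J8ZSg24Vbe5LFVxVFIAPWelSZm")     # Claim_Letter#880486.iso
DB_SSDEEP = ("6144:0u8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:"
             "/8ZSg24Vbe5LFVxVFIAPWelSZm")      # about/justFirst.db
UNRELATED_SSDEEP = "3:AAAAbcdefg:BBBBhijklmn"   # constructed, block size 3


def eliminate_sequences(s: str) -> str:
    """ssdeep collapses any run of one character longer than 3."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def parse_ssdeep(sig: str):
    """'blocksize:chunk1:chunk2' -> (int, chunk1, chunk2), sequences collapsed."""
    bs, c1, c2 = sig.split(":", 2)
    return int(bs), eliminate_sequences(c1), eliminate_sequences(c2)


def has_common_substring(a: str, b: str, n: int = ROLLING_WINDOW) -> bool:
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def edit_distance(a: str, b: str) -> int:
    """Weighted Levenshtein as in libfuzzy: insert/delete 1, substitute 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                       # delete from a
                           cur[j - 1] + 1,                    # insert from b
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]


def score_strings(a: str, b: str, block_size: int) -> int:
    """Scale the edit distance to 0..100 and cap for small block sizes."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = score * SPAMSUM_LENGTH // (len(a) + len(b))   # integer math, as in C
    score = 100 * score // SPAMSUM_LENGTH
    score = 100 - score
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def fuzzy_compare(sig1: str, sig2: str) -> int:
    """0 = no relation, 100 = identical signature."""
    bs1, a1, a2 = parse_ssdeep(sig1)
    bs2, b1, b2 = parse_ssdeep(sig2)
    if bs1 != bs2 and bs1 != bs2 * 2 and bs2 != bs1 * 2:
        return 0                                   # block sizes not comparable
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return score_strings(a1, b2, bs1)
    return score_strings(a2, b1, bs2)


if __name__ == "__main__":
    print("iso vs db:       ", fuzzy_compare(ISO_SSDEEP, DB_SSDEEP))
    print("iso vs unrelated:", fuzzy_compare(ISO_SSDEEP, UNRELATED_SSDEEP))
```

A score this high between a container and one of its members is the usual signature of a thin wrapper: the ISO adds a small LNK, batch file and script around the payload, and the fuzzy hash of the whole image is dominated by the payload's bytes. The same routine can be pointed at a hash list from a later campaign to find repacked copies of the same DLL.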

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      ID     Signatures
  Execution             Scheduled Task                 T1053  1
  Persistence           Scheduled Task                 T1053  1
  Privilege Escalation  Scheduled Task                 T1053  1
  Discovery             System Information Discovery   T1082  2

The last column is the number of sandbox signatures mapped to each technique. Scheduled Task appears under three tactics because ATT&CK v6 listed T1053 under Execution, Persistence and Privilege Escalation; current ATT&CK versions map it to the sub-technique T1053.005 (Scheduled Task/Job: Scheduled Task).
