General

  • Target: Claim_Letter#541804.zip
  • Size: 237KB
  • Sample: 220914-t8hh4aaha8
  • MD5: 4324bf871f2946f77eea9ca9a1c6d3c1
  • SHA1: c78421e611d3b0f3137ac7dada12fe95cf3f3ec8
  • SHA256: 76e2469c7a3140a0766ea651b88495c5ae4cfbdedcc0ec908f24471d0e36584f
  • SHA512: de31c69d02e48785c2966e2838b54f0f5cae8d0c5b904aa6c0f9eb203265e5032774efebe59131452db92ad7b56c26533aafeb5c296b6c7082988e252fd7a568
  • SSDEEP: 6144:FMV6VZFv0Xzn1DDEXMSW/W8WSUV5qpKS4zK/gG3xAtLVk:FMYf0Xzn+Ydiu5CZ+

Malware Config

Extracted

  • Family: qakbot
  • Version: 403.858
  • Botnet: obama202
  • Campaign: 1663062752

C2


Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target: Claim_Letter.lnk
    • Size: 1KB
    • MD5: 9eafb6b85708e156a32aff880054f1e4
    • SHA1: 762d6dc702c5294d0f22b232c93d7c5ce283496b
    • SHA256: a76d39a93955d11b4eaca9c24a698e980677335282f9415d1d68cd4cff56a08e
    • SHA512: 115200e27b4c3d477e47b2e06924ead024b5e0cf671365de8161c4d9e8728093d0b8f1915f371545618ed3e78cb7b751b654673f1830ad8f7071f5ce761548a7
    • Score: 3/10

    • Target: about/becauseTo.bat
    • Size: 39B
    • MD5: a98f6ad172d7d4f955455c9df1e5ca01
    • SHA1: e9f48c28238f9d4db825109b0c8486848889454e
    • SHA256: ee8675a75c45a85676c46b93b49ac87583d740d55d837710c8bf6f8bd3231fbf
    • SHA512: 2d3a606858927efd11888abdb4eaffc028db113aac19d5b397fea3926751c358534e55df49afff9f56b21938d27d94a86eed0989983bc75b0610d51951d09a81
    • Score: 1/10

    • Target: about/itThis.db
    • Size: 368KB
    • MD5: aaabcb8c5464c4fdb6d72816f77f3b65
    • SHA1: 7397d48671bde4ef13ae59f3427f0c1a1e7977d4
    • SHA256: 1cbd5c3072fd99bff1408bc1f8a3b09206322de8b83b743a57efa24adefdb44f
    • SHA512: c5165a9e1f8185a94256bb67cf89d035f743e461795f0444208ee116df53bec5633673527cf52727462a8c543286c2f05f74dcc16078e5a1d2689ea434876546
    • SSDEEP: 6144:0u8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:/8ZSg24Vbe5LFVxVFIAPWelSZm

    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.
    • Loads dropped DLL
    • Drops file in System32 directory

    • Target: about/youBe.js
    • Size: 211B
    • MD5: 9e8f367bbef4e0f4327baaed0b3f687f
    • SHA1: ac694f86cea5c29a08cb581fa341f3408df84468
    • SHA256: ae415b3061f5a102f0516e1e11a6ebcd9172d29e014d3b69521b94a816aacf3a
    • SHA512: 8534b6f15835b46bf0d70e53a49093ee3a7d328d6314a5fd1e8bd939014e32522c033c967826bdc721797cea7341f4640c6d5fe25bc3bd4d54e8acb275992408
    • Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Count  ID
  Execution              Scheduled Task                 1      T1053
  Persistence            Scheduled Task                 1      T1053
  Privilege Escalation   Scheduled Task                 1      T1053
  Discovery              System Information Discovery   2      T1082
