General

  • Target

    Claim_Letter#950159(13Sep2022).zip

  • Size

    232KB

  • Sample

    220914-vdvqlseehr

  • MD5

    75fa54c4331abd5b1c78a8c5a9475e38

  • SHA1

    07623257548683e0062146ac286202185144783d

  • SHA256

    903cc93cfa7d9b3dc1bcb01a39ab7a099131077bfdb5dc9179cbaef91d9289e5

  • SHA512

    02a149f9e700686e1ee1e91759f59df3604a675b72b62288679b0c733c83825171acdab43c8b46281d83fc59f7b7f722e3f6dcf90d8a4c8ea99d4f523e6800d1

  • SSDEEP

    6144:OM6Hv0CWfFbOksKUGIzQUCnRft84GntMQU08z70us:OLvXrKUG0iEjf

Malware Config

Extracted

Family

qakbot

Version

403.858

Botnet

obama202

Campaign

1663062752

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      Claim_Letter.lnk

    • Size

      1KB

    • MD5

      12b68664219e47e6600c757b76315b54

    • SHA1

      e66b64b95f2dfa4fc3b6b97ec9f11687378a5515

    • SHA256

      f464cf7f198b59afb60df94d248c4378225d719f5d035f52f4e80ccc136d6658

    • SHA512

      fad01f9de6e1b86a1a272f182a5521d05448735f4ae51b80803d3aff2e702d1eeb93eaa98e47b5ca64c1873242ac1f33a60c924d0e7af82ce7123ea47191031f

    Score
    3/10
    • Target

      about/butHow.db

    • Size

      368KB

    • MD5

      aaabcb8c5464c4fdb6d72816f77f3b65

    • SHA1

      7397d48671bde4ef13ae59f3427f0c1a1e7977d4

    • SHA256

      1cbd5c3072fd99bff1408bc1f8a3b09206322de8b83b743a57efa24adefdb44f

    • SHA512

      c5165a9e1f8185a94256bb67cf89d035f743e461795f0444208ee116df53bec5633673527cf52727462a8c543286c2f05f74dcc16078e5a1d2689ea434876546

    • SSDEEP

      6144:0u8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:/8ZSg24Vbe5LFVxVFIAPWelSZm

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      about/doNo.js

    • Size

      210B

    • MD5

      16ec9cdc118bab96c7220cc9dac173c8

    • SHA1

      08b3ce2035db141b1d5c2085eb3cf27b23393d1b

    • SHA256

      3140d71a10116135e971b4d036ea3005e000de74df0e94e630a34d597910c1f2

    • SHA512

      0183443efe8b4375cf13376d503874a51bdb216344ec5dc48d78a7c62c4ec6f0db1c5eed18640d4dee289d4b1a0a444551e10eb6345ef4a289549b8e6e962626

    Score
    3/10
    • Target

      about/haveLook.bat

    • Size

      39B

    • MD5

      f24fb634a517e59123a6443ff46bfb43

    • SHA1

      db3312dd3fb5eb4002d9ff4ef035753ed14986d8

    • SHA256

      803c398d79fd40c9d2e4b78ca4015f24d6cc84efc6e91c7c842538b0bee788e6

    • SHA512

      200deda27a11029912bf447f0f87ac544bade9cfee602c703638fc4db06d0b365e76c74133972d699ee6feb57279758b4affd9ca74398bf728c4c5c8f950fe7a

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053), 1

  • Persistence

    Scheduled Task (T1053), 1

  • Privilege Escalation

    Scheduled Task (T1053), 1

  • Discovery

    System Information Discovery (T1082), 2
