Resubmissions

  • 220915-lhzqpagcdq

    Submitted 15-09-2022 09:32, score 10

  • 220914-v93q4aahg3

    Submitted 14-09-2022 17:42, score 10

General

  • Target

    Claim_Letter#119865(13Sep2022).zip

  • Size

    231KB

  • Sample

    220915-lhzqpagcdq

  • MD5

    704a58b3e472324590000a7774fb5d52

  • SHA1

    487ecfb9b915e670abe2d3ae9f2e926fa5907d89

  • SHA256

    338dc690bc5a6e3f17334c52b27abbb7de9332f1977d7f70bdf9a92c82f8de04

  • SHA512

    e3308e3e0e6cfc2add614219168e0385a23943584747df605d9621174ed55e471cdc6182e8f7ed6fcdfd5d34db5ae57bbea595926df91164be733dda87932872

  • SSDEEP

    3072:BycWhv9zfjjLSE57qXy7/QMx5vCNYQPTuRIeROBZntkM2TaXKpYnkUBgFzpKNBTp:ByD1z9v7/53vYTPmROBZSVhFdKfOK

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.858

  • Botnet

    obama202

  • Campaign

    1663062752

  • C2

    99.232.140.205:2222
    41.69.118.117:995
    179.111.111.88:32101
    37.210.148.30:995
    47.146.182.110:443
    191.97.234.238:995
    64.207.215.69:443
    88.233.194.154:2222
    81.131.161.131:2078
    86.98.156.176:993
    200.161.62.126:32101
    88.244.84.195:443
    78.100.254.17:2222
    85.114.99.34:443
    113.170.216.154:443
    194.49.79.231:443
    193.3.19.37:443
    84.38.133.191:443
    175.110.231.67:443
    191.84.204.214:995

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      Claim_Letter.lnk

    • Size

      1KB

    • MD5

      577f33f068c93c4727316b72564ef42e

    • SHA1

      ca4f47d5550c990c09eaab46d8eb3f2b1e36fb47

    • SHA256

      5097f1580643d87094f58a4078c455e3bf17bdcb3548087b21a81e1a0bed358b

    • SHA512

      fecd1c985ed3fe9019525763eccbc72c01cf461e11352d6e06708ad12aa94832a80e871df9eceee9c285f662cf0a48a37a8a684eabe6acffaf94c83678cf9fcf

    • Score

      3/10

    • Target

      about/aboutYou.bat

    • Size

      42B

    • MD5

      e5d2733536888cd6a1cc996d691d613f

    • SHA1

      2a9a515ef15225677635eec783d8e728a80198a5

    • SHA256

      34a22d4ce2234e5d3714106c546b70b47aa9bbaad3fe47e9ca002cfc53cdc6e0

    • SHA512

      85a14fcbe1ef94f00ef42e74e0a2998c914b6efe54cfe985792998e7e6fb77742247cd3baf3488b757e66a34a96e702da50c35e00e0488b86266f7c59c39d72d

    • Score

      1/10

    • Target

      about/butPeople.db

    • Size

      368KB

    • MD5

      aaabcb8c5464c4fdb6d72816f77f3b65

    • SHA1

      7397d48671bde4ef13ae59f3427f0c1a1e7977d4

    • SHA256

      1cbd5c3072fd99bff1408bc1f8a3b09206322de8b83b743a57efa24adefdb44f

    • SHA512

      c5165a9e1f8185a94256bb67cf89d035f743e461795f0444208ee116df53bec5633673527cf52727462a8c543286c2f05f74dcc16078e5a1d2689ea434876546

    • SSDEEP

      6144:0u8T9zrStWm3C3klS1gqbe5L05kVxVFInAPexY5ixyizO8wj+A:/8ZSg24Vbe5LFVxVFIAPWelSZm

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • T1053 Scheduled Task (1)

  • T1059 Command-Line Interface (1)

Persistence

  • T1053 Scheduled Task (1)

Privilege Escalation

  • T1053 Scheduled Task (1)

Discovery

  • T1082 System Information Discovery (2)

  • T1018 Remote System Discovery (1)

Tasks