General

  • Target

    Documentr#480792.iso

  • Size

    1.2MB

  • Sample

    220915-p2xl8agggk

  • MD5

    5f63b8d62697471b23cf5dbc03b7bc26

  • SHA1

    d1a603a4b8785be30dbbeac2f161b751775fae32

  • SHA256

    c0d3dfc1e72066434b51f0d18d4b94adb6d7dbc03dfd4dc4955b1ed3487700ee

  • SHA512

    c11fbe8699108a9c0162d7245c861d7ef6760eb79fad19cb8c26266a0d64356294802e3a854dad2f9ee4c822decbff2d63170630cddaae4ff7fcbbf73eaef705

  • SSDEEP

    24576:onkh72GTWnuJAww1eWzqheg4deXBr+HSAww1eWzqhegdS:Rh7TWneFAqMg+eESFAqMgd

Malware Config

Extracted

Family

qakbot

Version

403.862

Botnet

BB

Campaign

1663053540

C2


Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      Document.lnk

    • Size

      1KB

    • MD5

      9941408a2089b361a48f93567439eaff

    • SHA1

      81f441f134fe1608337beee0343eebe0325f75d9

    • SHA256

      0117e9ff86837fc18fb35dfbffdfb8e647dc17c0f19a699cfff416c9dd4473b8

    • SHA512

      91d57d127c46a5e55b1a16a19338bf92365e35ad73b85541025b7d2d2dc34af095fae382617b7fa93c61f2428b377057c26eacfa8649668f943fdaf4c25002b3

    Score
    3/10
    • Target

      him/theUp.bat

    • Size

      37B

    • MD5

      5ba277dc95491ad3f15853e6bb95ef85

    • SHA1

      44833890a5426f890b7f46d9f1459932af523a9f

    • SHA256

      ecc1e3199bfabe872cb9252f6ece6064799e232a3f5ac3629b2425ed3be62230

    • SHA512

      c1450b9e619a0fc68b56c401d3c167e90f8de70e1891960d8968bb4bea6ce35013b40a9ad991e0391d6b22daca302343f0fa778f504e84bb2dc42c821f135607

    Score
    1/10
    • Target

      him/thenThat.js

    • Size

      135B

    • MD5

      b933f9c3135207256cb6a84c1934601f

    • SHA1

      f372b32eb91483356f0a717d02e22cf421e514b0

    • SHA256

      a5b3ed84b6b575da7fa2b59bf3906ca5e03b4e55cff64f1d0330d6873b8a63f6

    • SHA512

      742c665da9ace55bcb6fb24f00b060412186dcefb4bcf0aab2cfab5b02d74bf838866e2a0550c576d7cdc38f291ad9fdda9f6b15b7a39e7f1f0aca962474232b

    Score
    3/10
    • Target

      him/whatAt.db

    • Size

      370KB

    • MD5

      3af4a4a28dafbb10a6637e59059015fe

    • SHA1

      224443e988d68a3e020d539854f609b32c5067e7

    • SHA256

      8b59e2de999068c78d352cb591dbae7e4495ce989615eb35607475648356ef11

    • SHA512

      dac98357101162a38de5fb3ff0bfaa2399f3b28288d7a99cb19719fd287070b0dbedf6b7fc6e39649c15e29826f3ad6d1e07e502358bb46340ec8714e64c202a

    • SSDEEP

      6144:0W94f4+mWoAwI55fMC/sLv2S2UBNlAzm+LNq6mpPh9HTk3upTfCUp:D4w1AwSpZ1S2kNWzmjDh9zk3gD

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      of/firstOnly.bat

    • Size

      39B

    • MD5

      961b9fa9d558e479ad31dba33d13a6b7

    • SHA1

      af14e4794caa898c9c6d4ccd645954665ce9f20a

    • SHA256

      68b912125b7356126db9bd10042a6a3a4a4c53381a71340eb43a1e663ac24d89

    • SHA512

      ecad04afa9f877d8a85b3ba1e6b7c253fbffa8753254dbdbc937b309caf0f996991b56a2e51b0e53f20028fc6a81d481158cf382aa5897d265a6bbd73d06354d

    Score
    1/10
    • Target

      of/thanAlso.js

    • Size

      138B

    • MD5

      61398891ac7f709e1ffd5bc34674a2d0

    • SHA1

      af927a51d3435c133e3a155718769281f7b138b3

    • SHA256

      0655400d9b638c6b2af5138ea28b758048d1316e156826a7df936e56acc52aa4

    • SHA512

      214b19bfdcbf6d06830bcfd0e2f4f2c4209844cf70f2e175df14690276d9f20c875501ed5b9759359f5fc30544604b6ca243828ff9330abb8f6090e0887a0618

    Score
    3/10
    • Target

      one/aboutNo.db

    • Size

      370KB

    • MD5

      3af4a4a28dafbb10a6637e59059015fe

    • SHA1

      224443e988d68a3e020d539854f609b32c5067e7

    • SHA256

      8b59e2de999068c78d352cb591dbae7e4495ce989615eb35607475648356ef11

    • SHA512

      dac98357101162a38de5fb3ff0bfaa2399f3b28288d7a99cb19719fd287070b0dbedf6b7fc6e39649c15e29826f3ad6d1e07e502358bb46340ec8714e64c202a

    • SSDEEP

      6144:0W94f4+mWoAwI55fMC/sLv2S2UBNlAzm+LNq6mpPh9HTk3upTfCUp:D4w1AwSpZ1S2kNWzmjDh9zk3gD

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      one/lookWay.js

    • Size

      137B

    • MD5

      9f9be4989a96cd00f353ed99b2a34979

    • SHA1

      64fa5add5da08cf0a829392ef06ef82e7e1ce009

    • SHA256

      519f112b75dc648086aaa81afe9312ce37d15e3531ed421ad0b334be99df4ac1

    • SHA512

      055da0c436b6dc097a718763c31fc93eb34a165589365a3ca2eb70e6242eb0e6bc76bb8fbbcf84bfa35591a06d37be38bf8e6eec7e0b43a02d7621366e120f00

    Score
    3/10
    • Target

      one/thisSee.bat

    • Size

      38B

    • MD5

      1fe46ce8e6b40b47156089326574a875

    • SHA1

      7bca2f63c5e284bd555f23a25431d69d6332c086

    • SHA256

      adf18ec34361bc635f771e246b86d1d8d620ddfab814173279a648207cde9947

    • SHA512

      607b42b627f3237c50649ad83d77c70f76c0954b938805df51aabe8620d734b948d9190aa8d144d87944e7a175a3f9a3c67c6540bfdea2a7b71f495b8a0457d6

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 2 hits

  • Persistence: Scheduled Task (T1053), 2 hits

  • Privilege Escalation: Scheduled Task (T1053), 2 hits

  • Discovery: System Information Discovery (T1082), 4 hits
