General

  • Target

    Claim_Letter#340840(13Sep2022).html

  • Size

    532KB

  • Sample

    220916-nc8grabcfj

  • MD5

    1f834c0ef4f1ad023bf8274519b63310

  • SHA1

    4e18f9308eea49be2361a3e260b005502efd7e1a

  • SHA256

    750dc3b930616e3132b5b83fc4136b196299569652e3e6674186697a5a6ca8f1

  • SHA512

    c01087b31f81b7280077152bf9d4b8ac58b2ada9777089a50fdb707b6ac96e56ad1043f3267de7a5c8bbd1e33df9336ab4eb2037c0a7dda0de6f1a332437ba51

  • SSDEEP

    6144:bmG04xlIE4w2SJrjY82oULCyIK9lVLMf/3vVelb3qj309t0G42m3J1Ub5bO3+Hd/:zeVL68ukJ1+JKbY3+HNmTq

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.858

  • Botnet

    obama202

  • Campaign

    1663062752

  • C2


Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets


    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks