qakbot | 5c203f506be189f0339780ab75e52ab07afdd81c7b257ac04cab8648c911a6d5

General

Target

attachment.zip
Size

391KB
Sample

221019-sdctpacff2
MD5

971a8229d26e980ca8f50c2ce99a4f77
SHA1

a52a69d11cf46e95b60bfc60414d1ccae7ddf9d1
SHA256

5c203f506be189f0339780ab75e52ab07afdd81c7b257ac04cab8648c911a6d5
SHA512

3635bf01bfac8ab92d1b253b63b071a7798cea5a64b3c8b21682c7705a03a7233efa02903db9036da22435521705bdd486bb33a00271df99cdb5d498536e72f7
SSDEEP

12288:TqEYOXeina7gunJNSTe1MxUerU0z06T0VT:TqEZXKEqMxhIg0VT

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

403.973

Botnet

obama214

Campaign

1666019778

C2

105.96.221.136:443

37.37.80.2:3389

105.154.56.232:995

41.107.116.19:443

105.103.52.189:443

159.192.204.135:443

41.107.58.251:443

177.152.65.142:443

102.47.218.41:443

176.45.35.243:443

70.173.248.13:443

102.159.77.134:995

220.123.29.76:443

82.12.196.197:443

103.156.237.71:443

149.126.159.254:443

176.44.119.153:443

181.56.171.3:995

190.205.229.67:2222

151.251.50.117:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Calculation.lnk
- Size
  
  1KB
- MD5
  
  9ff4d8fdc5288f2c110d40c80c4dcc25
- SHA1
  
  522c827b70102c114c3efbe0e8dacf71ca7ce2b5
- SHA256
  
  6bcfce0c879a9fb19af5860fc8cad59149dbfe003e6b330f04ee25fd37554ee4
- SHA512
  
  563faf37901162d8e79efcbe94db9123a2e1987e2f1cf22fa9e47722ca019736422c1c1d4fceb14a9f31102acbaf3cba6bf96a83e4f7d6a9ad0b6a077ecf9c00
Score

10^/10

qakbot obama214 1666019778 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  vertices/asteroidal.cmd
- Size
  
  332B
- MD5
  
  9e7110cb49cd0ad0737cb98e1b272e33
- SHA1
  
  8737ac297dc9093c06439f45393ff5baadde85f6
- SHA256
  
  6335a5ca91f6ec7212ccae34e63d1f42ab86c56537deb1c5bc3a32f250f3c936
- SHA512
  
  97d06d807e378029580313acabfc31a4490a9318f2bdb9291d3ffa532d5b8040bb4f2b535d447f25b1cb57bcc62b7ce56570edd81b6bd37237be78632c0afe6c
Score

1^/10
behavioral3 behavioral4
- Target
  
  vertices/bombshell.asc
- Size
  
  584KB
- MD5
  
  b4426d8399bf54e510aeceb59c53af19
- SHA1
  
  1c140f009f27988fb4a81fda0889cafa1e207888
- SHA256
  
  e9388e0fbca331b26d097235a83ec3792c97ee6258683978477b1f1c86d458f2
- SHA512
  
  e65523fa2e91aafa9d9015a3ba7c43372712320349da47e4870006059ee9f3c6bdbdd04adb0756e3d8dc754dfe27d144a7fa7e69f102f73a3f505210cb78de34
- SSDEEP
  
  12288:HZBs6eUwpkdFC7dStewcZWOcRerXugaJJkPcpF:5+UwWFew2D8k
Score

10^/10

qakbot obama214 1666019778 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6