qakbot | 4ad572b9bedf20ebef58e8db142faa6f238a844e4fe959ef56a3ac6be2bf73fc

General

Target

Cancellation#3035.iso
Size

1.1MB
Sample

221026-x6f42aggd8
MD5

15f9cd0f977a5d397a8694624f66066c
SHA1

faed265cf0d00b3379802bca8158f42f51c5e49d
SHA256

4ad572b9bedf20ebef58e8db142faa6f238a844e4fe959ef56a3ac6be2bf73fc
SHA512

b6203bf7fecc4ce43a66c6cde2d9964938ee2e606e26d4f4c5fd4679bc1ffef1201c0f95faf924a31de12d757b84cb5f093fb10d868236d50e9d4e35a87a88d9
SSDEEP

24576:bJGco/THHWHgHHMw0wywOw0wJHwAHy2w9xwUw0HSwVwYwmCdhZtZQefT+K:3ATHHWHgHHMw0wywOw0wJHwAHy2w9xw7

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

obama217

Campaign

1666765529

C2

197.204.53.242:443

105.106.60.149:443

102.159.110.79:995

64.207.237.118:443

156.216.134.70:995

180.151.116.67:443

190.199.97.108:993

206.1.203.0:443

186.188.96.197:443

206.1.128.203:443

201.249.100.208:995

190.75.151.66:2222

198.2.51.242:993

90.165.109.4:2222

71.199.168.185:443

181.56.171.3:995

43.241.159.148:443

41.103.1.16:443

24.207.97.117:443

105.157.86.118:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Cancellation.lnk
- Size
  
  1KB
- MD5
  
  2037c68349dfc3a5066705e1ae53420c
- SHA1
  
  7bf1cfc4ae9f04a63b947169fcc9feac62e4fee1
- SHA256
  
  5176ca11cd6fb9724ab4d3f7670b22580f9c65237f9ebeafd6dc7bc09b269832
- SHA512
  
  a3fade1b91ed529a277ce4600e886729a651df62458dfc438e878382791ae61b88ce12d7e333d524d108d067270f005f7154af2125894e69ccb8fad7c6267eda
Score

10^/10

qakbot obama217 1666765529 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  inexhaustive/grammarian.dat
- Size
  
  420KB
- MD5
  
  00d3a6918706f4a5c38866020225487b
- SHA1
  
  5e8f72c0291a9ef8be9fae849477036846d9ef73
- SHA256
  
  23dce314bf0cfcc9f1542f62415604189cf86913de2ea2001f1b243494866f94
- SHA512
  
  6c10a6422899207b7611531f60534fc06678dabdc713e14c781e841e3e29ced736a294b6d558c0c94de2672065ddf16e65c729b171623f7d3e6cb41ff63c7eef
- SSDEEP
  
  6144:5MVSKlGqB/JXPX+cHBLrgq/6qot7FZyRxJt2gRxhYU1sNmcvVR2l2HM+LJUaoF2:OVPlBJXWcFkq/GNU1E1T5Hb1
Score

10^/10

qakbot obama217 1666765529 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral3 behavioral4
- Target
  
  inexhaustive/steadfastly.cmd
- Size
  
  328B
- MD5
  
  49098a39c5da23ede00e6997c918417f
- SHA1
  
  87a733e39b43e14b585abedbfcb44ba629e73f73
- SHA256
  
  05fea8f7eb610a2e075cfbd4e232bc7c0990e566f10542ef69e695ffe8193abe
- SHA512
  
  93436092626d52bcfdb3afe8b3e4e09cc4d46461baf2bf055695e874e469417dec2b33b81981a8bd6d10a7801da3566b90257f2f2e7880a63f6204dbff79c0d7
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6