qakbot | 23f7d8a6ca41d447cb9c1732dfe9735f88c572b1f26c7c2437dd5345a948f215

General

Target

Cancellation#1723.iso
Size

1.1MB
Sample

221027-bfdekaaca2
MD5

ac525d186b9f78d737f62a13862e6877
SHA1

94ded9e84a1c40165516888a143544b3cec9e8de
SHA256

23f7d8a6ca41d447cb9c1732dfe9735f88c572b1f26c7c2437dd5345a948f215
SHA512

4b608d19478e85f5dd8c9f67f7f751af73f3e3fd994933655af0fefbc1060beca4470f06bd542e07e45582f3409cb234aa5837a6b34ec43381193bd41145230e
SSDEEP

24576:rHHWHgHHMw0wywOw0wJHwAHy2w9xwUw0HSwVwHJGcg/LwmCdhZtZQefT+K:rHHWHgHHMw0wywOw0wJHwAHy2w9xwUwb

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

403.1051

Botnet

obama217

Campaign

1666765529

C2

197.204.53.242:443

105.106.60.149:443

102.159.110.79:995

64.207.237.118:443

156.216.134.70:995

180.151.116.67:443

190.199.97.108:993

206.1.203.0:443

186.188.96.197:443

206.1.128.203:443

201.249.100.208:995

190.75.151.66:2222

198.2.51.242:993

90.165.109.4:2222

71.199.168.185:443

181.56.171.3:995

43.241.159.148:443

41.103.1.16:443

24.207.97.117:443

105.157.86.118:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Cancellation.lnk
- Size
  
  1KB
- MD5
  
  51e70c3c633610c920d8b108e79a3a7e
- SHA1
  
  f0a178ee7e3250d0cbc604f3a8683ca75ef400aa
- SHA256
  
  32d5743f82d0f130ebdd9d939d125d5c94861b110af73ef6d35028914198e217
- SHA512
  
  81a0415b2fbf7b4d8b0ef8f750ef6b38d93991860fc6c775237716e413cb412bf411a856158698170d2d5a1dfdfeea67781f65bc300dd20e879b9459971c5990
Score

10^/10

qakbot obama217 1666765529 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  inexhaustive/german.cmd
- Size
  
  323B
- MD5
  
  4e9ca6829429565996e5353dfc01cdbe
- SHA1
  
  38850389bc765c15fdf99bcb3b68d60a6c6873c2
- SHA256
  
  3067d0ab77781053f17efa2d857ada09e41ca4caa89feae5f05253680e4eba51
- SHA512
  
  76a7da29e1a3a9bb2d10053e950b81592715f5ac2aeefe5279027d91e86bdf8f89c91ba56f43fa7e4acd61a20856e20c54f9b99d889b6df36f5c48bfc45acf6c
Score

1^/10
behavioral3 behavioral4
- Target
  
  inexhaustive/ladyship.dat
- Size
  
  420KB
- MD5
  
  ff252ecbd74245ad1afaf8acf53f6b74
- SHA1
  
  df09264fdc65c73221132fdaa3c9c31285755b1b
- SHA256
  
  60d7e56dc00a81a2d37fb5afd1af4a2c1178d4f8c75980a931b0fe4687a96752
- SHA512
  
  8fb07e16718dba09db192c8266465a7135a1ecfb10b6f01dd1acb13ccba78003e3c4adede93a751658d713b3f054d408fa491a0375ee2befa2894db6b18336ab
- SSDEEP
  
  6144:5MVSKlGqB/JXPX+cvBLrgq/6qot7FZyRxJt2gRxhYU1sNmcvVR2l2HM+LJUaoF2:OVPlBJXWctkq/GNU1E1T5Hb1
Score

10^/10

qakbot obama217 1666765529 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6