qakbot | 9d8879758ebe0c5d8f02881ab8202a970ea004271913f1f3047d57ecd79e708e

General

Target

Details7068.iso
Size

724KB
Sample

221028-qqwq8affd5
MD5

57427ba5631b37f85f0a51c237dc01d0
SHA1

1ab217e703e14b9987166f6e45802d353789b9d9
SHA256

9d8879758ebe0c5d8f02881ab8202a970ea004271913f1f3047d57ecd79e708e
SHA512

a9a394ec95c15a4e738d231e4984aa4615cde6ffd466f5f15e9dffc0a90efe8e0bd4407f266005eaef2c7207bf188a1a3bed536505288d9fccf19d46463c344c
SSDEEP

12288:VqdD/sblafl4M/8toGXJZ6diNjJo8Ywr6t57AKCW3wdOcUwDOMHHCgOWeO:Vqdclafl4eGXuiN28Ye6cWw4wrHHCgO+

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.2

Botnet

BB04

Campaign

1666863946

C2

27.110.134.202:995

1.156.220.47:17155

186.188.80.134:443

1.190.199.101:9480

187.1.1.181:42178

118.200.83.226:443

187.0.1.144:51727

193.3.19.137:443

1.201.68.209:12157

188.49.56.189:443

187.0.1.14:58271

190.74.248.136:443

201.210.92.3:2222

187.0.1.105:40325

64.123.103.123:443

41.97.169.44:443

72.88.245.71:443

187.0.1.45:59049

41.100.163.127:443

187.0.1.83:62527

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Details.lnk
- Size
  
  1KB
- MD5
  
  5832b3274ec214f750c66efda77d562d
- SHA1
  
  bb5717ff3f64a10f33a5ca394efa9ad325a28bfd
- SHA256
  
  1c42769b4a5a3e07443b7fe6e7f3c29b1ff107b5230e43997207e0bfa22c6ca1
- SHA512
  
  3a245340a6f43063898cfe6c10b1da9016f13d1cf3bd79b080c630c0a5ddb7574ee7a0be3dc6a7d516ca1bdd75a79247c11af8279cdcd593db43057aed7903c1
Score

10^/10

qakbot bb04 1666863946 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  disallowable/guam.cmd
- Size
  
  387B
- MD5
  
  3018ed5a9d6a43e1910a3219c93fb409
- SHA1
  
  31dec26fd423717acb681d1503c2cb2fe5a33053
- SHA256
  
  54c1cfd1aa8050d4d542f5ce7e893076f1eed2c5b35cfdfc55f0a595724bc9ad
- SHA512
  
  21efd2fbe75727228a9a32138ed1c2310a932919edad6a881607b62b79bab539afe7b06a526cb14691baa4d05dc453ff7fcdaf0a51222aba279eeb27cede0696
Score

1^/10
behavioral3 behavioral4
- Target
  
  disallowable/oilcans.dat
- Size
  
  422KB
- MD5
  
  8a955785dee54ff41a2072e5b856e407
- SHA1
  
  e2b977765c8cee9108b0159959d96928f2783f0c
- SHA256
  
  0524c9fc7763b024feef4046970146d7060301f8efa18d8ef6606ad602d0627f
- SHA512
  
  bd428a4a56ee8cacfc1c754221af1c7b225c9bfea981bab49d331ee955290e2b776edb4deb323b53b882b0e6e456bfa2bf6d09605a1d86ab710aa70fb6008c86
- SSDEEP
  
  12288:eqdD/sblafl4M/8toGXJZ6diNjJo8Ywr6t57AKC:eqdclafl4eGXuiN28Ye6c
Score

10^/10

qakbot bb04 1666863946 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6