qakbot | 566a9acc2dc021dea88e87291b6a384066ac91b4b04cb4cb13dbe69287f982a9

General

Target

Details4373.iso
Size

724KB
Sample

221031-mw29eaafg3
MD5

c5c8f78c469c4f9eb90712e9b0214e4c
SHA1

672a55028d94fe8983360323cd68445f3090b2ac
SHA256

566a9acc2dc021dea88e87291b6a384066ac91b4b04cb4cb13dbe69287f982a9
SHA512

11cf23e27632a16f650697009d51789c05656a376da535d70d7d5698a1d7a1bd52a55539211afe6e068201b0e216541aefd8496b965ff19ce166c0752f884b9b
SSDEEP

12288:u3wdOcUwDOMHHCgOWeOaqdD/sblafl4M/8toGXJZ6diNjqo8Ywr6t57AKC:Ow4wrHHCgOWeOaqdclafl4eGXuiNZ8Y8

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.2

Botnet

BB04

Campaign

1666863946

C2

27.110.134.202:995

1.156.220.47:17155

186.188.80.134:443

1.190.199.101:9480

187.1.1.181:42178

118.200.83.226:443

187.0.1.144:51727

193.3.19.137:443

1.201.68.209:12157

188.49.56.189:443

187.0.1.14:58271

190.74.248.136:443

201.210.92.3:2222

187.0.1.105:40325

64.123.103.123:443

41.97.169.44:443

72.88.245.71:443

187.0.1.45:59049

41.100.163.127:443

187.0.1.83:62527

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Details.lnk
- Size
  
  1KB
- MD5
  
  650ab02e3958983f7f94f53f5f7577ad
- SHA1
  
  67f7feb7162ed825e27c69d36435fa9976fddd75
- SHA256
  
  6793028a0e990e74e4283d13a1ca3f4f41f3917eb38ce43b9baebe8e040b4ee2
- SHA512
  
  ea96c138ea9d262df35e0d70af6531e1a6246796e5ee4118718555ff88af7c76fc92dc40b1c4ea015772cd2c18fb95d6eb9d7200ab5e07b2ec09482a46b80c06
Score

10^/10

qakbot bb04 1666863946 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  disallowable/missives.cmd
- Size
  
  384B
- MD5
  
  cc23679a6d228423e5425de92a61818f
- SHA1
  
  b44361210f5717575cacd871deda59ae14bb052a
- SHA256
  
  0d54088373e1d0ff51f7f9b90ddaf3cc2c973dc7d5b1d5b5ef18a2e496a1059e
- SHA512
  
  c404ed7fffd1c0a62aef71b840b357d9044e16a73ab452b7dc5600d2cb8d25e5c4b152cbbdb461aecaa90ae76e3dfa9a3a9ff72a687116c64da9d379dbf6191d
Score

1^/10
behavioral3 behavioral4
- Target
  
  disallowable/unstrap.dat
- Size
  
  422KB
- MD5
  
  a989f5efe8fa1653bb98b7c2265900af
- SHA1
  
  f5925cf7d38626d13694ef180e811f25ae583cf6
- SHA256
  
  5679c1eedb7d456cd5dd32cba5bed141787d354a384f4961f16bd96eb2ea383b
- SHA512
  
  b8af781775c310ae4442d6d3f766b86e196da277e3ed1496e47d2103f469c42f4d74df917811cc505eb1c9ff3063ceee5257041ebd3018ce27260d85cef62c0c
- SSDEEP
  
  12288:eqdD/sblafl4M/8toGXJZ6diNjqo8Ywr6t57AKC:eqdclafl4eGXuiNZ8Ye6c
Score

10^/10

qakbot bb04 1666863946 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6