qakbot | 6e786f6d3be969f0034576dbbe865bb396c03494a7399123a9c82c429563724d

General

Target

document-76992.iso
Size

926KB
Sample

221101-xrle7secg5
MD5

ad84f36ef9b66757505423b5b393da6a
SHA1

3b67f1e6f20ba4dac2fa65530bed61d71997b5d5
SHA256

6e786f6d3be969f0034576dbbe865bb396c03494a7399123a9c82c429563724d
SHA512

7de464d6ff55a77ecd7fefe5048e4f872d4ed31f4b7e0775c82ee1043b701e02579fca35f2902c28b32e211380d5e6e9f42544f501d31fc226dbefb4240be529
SSDEEP

12288:Pkpde329VEdv++607q6YP4uo7N9SIegv8JowUShUPw0bcbA4k7pvLCmii4:Pudy29ChzEoaQ0Uw1bdSFOI4

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.20

Botnet

BB05

Campaign

1667294768

C2

136.232.184.134:995

1.65.20.175:53249

187.0.1.154:63263

50.68.204.71:995

74.92.243.113:50000

1.149.126.159:57345

187.0.1.182:17093

123.3.240.16:995

76.68.34.167:2222

172.219.147.156:3389

94.49.5.116:443

187.0.1.181:14507

206.1.223.234:2087

187.0.1.186:18828

131.23.1.187:1

23.233.254.195:443

76.125.91.160:443

187.0.1.90:42349

70.51.139.148:2222

187.0.1.76:47526

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  documents-5914.lnk
- Size
  
  2KB
- MD5
  
  394695eb51255c8456e126164a88f5b7
- SHA1
  
  0de0a75f440277f21da82f4c857fa1e327376e19
- SHA256
  
  b0bbf09ed3b4cd27993120bd6858a8627f2eed6faeaba2149d10b2d68b64f8a0
- SHA512
  
  5ef1d6567cc71b68cabe9d92f0ed05fe280d7c8268d5c463c3e1557bccda89d7411122a2103ec2df7d60a6d38aafefabf283ff650bf5028382d6338c593d9e5a
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  templates117.png
- Size
  
  421KB
- MD5
  
  6357313411883e697906ed776e50333f
- SHA1
  
  c38dfd229653231d3284ac4dfbda860c06ea6606
- SHA256
  
  5467c27a047c728562781e46d7c10960617a7579c70ac487f371b8888b4e5ae9
- SHA512
  
  84262b84958471ce4784e742ab8bb1c55a19054b3676ab2b6f1eae6b9b198fc60924b5b9a7fe2ae00e20fd511f68fea5d04f0614681c7d398a6749215352a6ca
- SSDEEP
  
  12288:Pkpde329VEdv++607q6YP4uo7N9SIegv8JowUShUPw:Pudy29ChzEoaQ0Uw
Score

10^/10

qakbot bb05 1667294768 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral3 behavioral4
- Target
  
  untunnelled.cmd
- Size
  
  708B
- MD5
  
  a7b475df5a324cc53d9f39db000a8ad8
- SHA1
  
  17e5af29344d7dc707c5b1182a29d21461f1a681
- SHA256
  
  fd9a182f0d147f9969c47c17b8c420cfef9e8c9459ad85c2d61b587e29b4667e
- SHA512
  
  47ef6f342c1eaccfa5f428c79ca82dd7bf51659ab53b53ced85814092de3a14de05b52ba5682667a150cefad50abfa3245abaa699f37196949b913deb08f6ea9
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Qakbot/Qbot

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6