General

  • Target

    test.zip

  • Size

    424KB

  • Sample

    221116-wcpzeagb8v

  • MD5

    8cd575769e412a7cf28ef70b8f3ab1c9

  • SHA1

    9474a7256cbdc306b2d3de04824a7edc87c32b64

  • SHA256

    5f0cdcfe36aa34841f19c2091798f0d060b06cc0b2dde73c2509db96c6fea951

  • SHA512

    bb94bf7960a9e811164b57776f034e491183dee71993906aca3a02a47890bc01a8a83518477e3e78f7fe77f24948cbe3a8adae18b5fd18185c7f6c5c5830df01

  • SSDEEP

    12288:48bINcnBLL4so7waIZu5UoMyVnKAW+1O4ruVFvS+Je:48EkLLnXTUMyBKAjyrNe

Malware Config

Extracted

Family

qakbot

Version

404.27

Botnet

obama221

Campaign

1667915095

C2

199.83.165.233:443

24.142.218.202:443

79.166.120.168:995

92.24.200.226:995

151.32.168.124:443

72.88.245.71:443

46.229.194.17:443

142.119.40.220:2222

177.205.114.49:2222

174.104.184.149:443

86.167.26.227:2222

94.15.58.251:443

82.155.111.187:443

2.84.98.228:2222

69.133.162.35:443

92.189.214.236:2222

190.74.23.139:443

47.34.30.133:443

80.103.77.44:2222

82.34.170.37:443

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      RNP_28881065_14112022.lnk

    • Size

      1KB

    • MD5

      3aa9a78f1c7bcb0a2dd129d22971d62d

    • SHA1

      8ce7a3d6bdd08e154876a63b6cc6adb7de8d71f9

    • SHA256

      9a1ca6dfeb4569205778633ba1357bd14db2afe5da2dce9c54778eef0bbe8d1f

    • SHA512

      31765b3f2dc42b7542f24d5563411ec34fcc8660e5af6543b921cbd79605b077f1e90ed461a9765b39c7147ce886a04a32094fe07a151a24325c2a13a2bf5bef

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      control.exe

    • Size

      146KB

    • MD5

      ebc29aa32c57a54018089cfc9cacafe8

    • SHA1

      0ac68652f6b5022d9e6d1edda5995efb253b984b

    • SHA256

      9799c9bf478bde688a8dd2096290d03af2ba059d718c2e5e36e500a005902bdc

    • SHA512

      af2cd9f3db78bd843ff3953ec0b6f2c519a6636d4ee78f74fbf5225dfe2b4e7c533613cc4d7cef154da40d326e5fb0969e298ab110b34e63aefecea3f1d8a1ac

    • SSDEEP

      3072:7yjxDJHjUfMeC2l7tq7Sp5+1k12b/Af885RK:+t9HLQ747+5+1kf15

    • Target

      edputil.dll

    • Size

      8KB

    • MD5

      0b80e4b4e277592aae87bcb5e30f3f22

    • SHA1

      73c073b9f198d070224fcbe700785aa7b69effdf

    • SHA256

      21ed5c8e2dcd69811603570d5f9e90f8850c2d377a7130a685f4578197151102

    • SHA512

      33ad8d76d8f4deff88f6de5aae644cd39cc76e0a772134712908239bacf631b356e5c7b32c77fb430359d6a52434cbc5884b76e7cd5f31febac10d74ab27b498

    • SSDEEP

      96:cjpI5fAtu0nJd5VzxB0SSDpzd4tOeY7Rxm:cjSfQ3JdntY

    • Target

      msoffice32.dll

    • Size

      593KB

    • MD5

      12f62a3db68ac9d6f2027c84207c2f0c

    • SHA1

      18e5049ee66cad77cc784a5bcf2052d67e3e7d94

    • SHA256

      9057a567225ad2371f99b8283ec3c681a12e84298faf64abdcad18d61934f170

    • SHA512

      997268dfcddd98e69ed6557d166b65ae854e53f8ba0d0e066fd8f20bfcfd3ae9b1733c27201add543fc979fffbe91ed23088a2ef138b096712c60df5e9ae34c4

    • SSDEEP

      12288:rnbfdUgz1clr4FgZMsA568cUMwvLVh5VPnbbb:rbfdUggAM8vMsL5dPb

MITRE ATT&CK Enterprise v6

Tasks