General

  • Target

    LF67.img

  • Size

    848KB

  • Sample

    221117-vdthjsah9x

  • MD5

    0f1178d8bab4a0d5e9e23da170eb0d05

  • SHA1

    2323d5c811d8905b37286b099d5ac5cefc393550

  • SHA256

    ed21514ae63b5f636e7b9a84129a6065e4783ce4e510b8d532efbedca5152938

  • SHA512

    810afe1144d1c78583f1e3d0692e19883d3ea08a3e2b1494358f7c46ad197df51edeaf6c6ad926f94dbf3c916516313eb51ba4a07f3214c6cabf3690e8e572c5

  • SSDEEP

    12288:qoNjGfBl5YUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9QVN9:qoNjkLW8wWpD9u/VLM9Xq4nQVN9

Malware Config

Extracted

Family

qakbot

Version

404.30

Botnet

BB06

Campaign

1668683197

C2

23.240.47.58:995

12.172.173.82:465

91.169.12.198:32100

94.63.65.146:443

80.13.179.151:2222

64.207.237.118:443

24.206.27.39:443

83.114.60.6:2222

86.171.75.63:443

86.195.32.149:2222

170.253.25.35:443

92.185.204.18:2078

157.231.42.190:995

170.249.59.153:443

174.101.111.4:443

116.74.163.152:443

76.80.180.154:995

180.151.104.143:443

86.130.9.167:2222

86.99.15.243:2222

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
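The config block above is the part of this report an analyst actually acts on. The following added example (not part of the sandbox report or the Qakbot family description) parses that block as printed here, normalises the C2 list into (ip, port) pairs, decodes the campaign value as a Unix epoch, and checks a few constructed log lines against the C2 set. The log layout and the sample log lines are assumptions for illustration; the config values are copied from the page.

```python
"""Turn the extracted Qakbot config above into usable IOCs (added example)."""
from datetime import datetime, timezone
import ipaddress
import re

# Copied from the "Malware Config" block on this page; only the
# key-line / value-line layout is reproduced, the values are the report's.
CONFIG_TEXT = """
Family
qakbot
Version
404.30
Botnet
BB06
Campaign
1668683197
C2
23.240.47.58:995
12.172.173.82:465
91.169.12.198:32100
94.63.65.146:443
80.13.179.151:2222
64.207.237.118:443
24.206.27.39:443
83.114.60.6:2222
86.171.75.63:443
86.195.32.149:2222
170.253.25.35:443
92.185.204.18:2078
157.231.42.190:995
170.249.59.153:443
174.101.111.4:443
116.74.163.152:443
76.80.180.154:995
180.151.104.143:443
86.130.9.167:2222
86.99.15.243:2222
"""

SCALAR_KEYS = {"Family", "Version", "Botnet", "Campaign"}
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Parse the flattened key/value layout into a dict with an (ip, port) C2 list."""
    cfg = {"c2": []}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        key = lines[i]
        if key in SCALAR_KEYS and i + 1 < len(lines):
            cfg[key.lower()] = lines[i + 1]
            i += 2
        elif key == "C2":
            i += 1
            while i < len(lines) and (m := C2_RE.match(lines[i])):
                ip, port = m.groups()
                ipaddress.ip_address(ip)  # raises ValueError on a malformed octet
                cfg["c2"].append((ip, int(port)))
                i += 1
        else:
            i += 1  # unknown key: skip
    # Qakbot's campaign field is a Unix epoch; it agrees with the 221117 sample date.
    cfg["campaign_utc"] = datetime.fromtimestamp(int(cfg["campaign"]), tz=timezone.utc)
    return cfg


def c2_set(cfg):
    """Exact ip:port strings for matching against connection logs."""
    return {f"{ip}:{port}" for ip, port in cfg["c2"]}


def ports_summary(cfg):
    """Count C2 entries per port; Qakbot mixes 443 with odd ports (2222, 32100, 2078)."""
    counts = {}
    for _, port in cfg["c2"]:
        counts[port] = counts.get(port, 0) + 1
    return counts


# Constructed sample log (not from the report) in an assumed
# "<timestamp> <src> <dst:port> <action>" layout.
SAMPLE_LOG = """\
2022-11-17T12:01:03Z 10.0.0.21 23.240.47.58:995 ALLOW
2022-11-17T12:01:09Z 10.0.0.21 142.250.72.46:443 ALLOW
2022-11-17T12:02:44Z 10.0.0.33 86.130.9.167:2222 ALLOW
2022-11-17T12:03:10Z 10.0.0.33 94.63.65.146:80 ALLOW
"""


def match_log(cfg, log_text, ip_only=False):
    """Return (timestamp, src, dst) for lines whose destination is a known C2.

    ip_only=True also flags a C2 address seen on a port not in the config:
    noisier, but it catches the operator moving ports between campaigns.
    """
    exact = c2_set(cfg)
    ips = {ip for ip, _ in cfg["c2"]}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, dst = parts[0], parts[1], parts[2]
        if dst in exact or (ip_only and dst.rsplit(":", 1)[0] in ips):
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], cfg["botnet"], cfg["campaign_utc"].isoformat())
    print(ports_summary(cfg), match_log(cfg, SAMPLE_LOG, ip_only=True))
```

Matching on exact ip:port is the low-noise default for blocking; the `ip_only` mode is the one to use when hunting, since the last constructed line (a C2 address on port 80) is missed by the exact match but caught by the looser one.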

Targets

    • Target

      LF67.img

    • Size

      848KB

    • MD5

      0f1178d8bab4a0d5e9e23da170eb0d05

    • SHA1

      2323d5c811d8905b37286b099d5ac5cefc393550

    • SHA256

      ed21514ae63b5f636e7b9a84129a6065e4783ce4e510b8d532efbedca5152938

    • SHA512

      810afe1144d1c78583f1e3d0692e19883d3ea08a3e2b1494358f7c46ad197df51edeaf6c6ad926f94dbf3c916516313eb51ba4a07f3214c6cabf3690e8e572c5

    • SSDEEP

      12288:qoNjGfBl5YUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9QVN9:qoNjkLW8wWpD9u/VLM9Xq4nQVN9

    Score
    3/10
    • Target

      WW.js

    • Size

      9KB

    • MD5

      300c07b4ca5e18c9621740996fea1895

    • SHA1

      497c344e018e7ebd57a65fc364e1989aa291dfc0

    • SHA256

      efdc577578e3289d8a2f45ae8795ae150d7418a6d6c1ce2500e3d2c2c3f3148f

    • SHA512

      afadd2dc8476fb1ecc4177f55219729c5d30328b291b3eb38c1bbf2803588577b1bcf6ae3007235d66c4ca58786888112f6a9767281ed483cbbe600cad0cfa86

    • SSDEEP

      192:j9SLjDJq0Tavgx685UIroAKbP2KTMhS0OGYm5llWVjAvNzAWMuEvk7MgG+r5A6:sVq2k785UIro8KTMhSeYm5P2jiuuEjP4

    • Qakbot/Qbot

      Qbot or Qakbot is a modular banking trojan and loader with worm-like self-propagation capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample does not run in excluded regions.

    • Target

      port/harmonica.tmp

    • Size

      691KB

    • MD5

      90103b12495b7769cdea460b9b20fa03

    • SHA1

      b3da0cb63f2f0329f63cd36e2d92dc78d35aeaba

    • SHA256

      bf628dba02d4181a7c5fc10f67b99c4e26b13a92ea92470f38adc4e57886b2fc

    • SHA512

      af5fb4e7f79a0365aba33e38a83041e1431d976352b1505c0e3aebbcdb6bf730b5a37bc5e930150913aea612120be7a8eb94db9dbc5b58901c6fff14c5b8e0b1

    • SSDEEP

      12288:sjGfBl5YUWlaVxbYUGOpGPq1Tu/VxdZlUP9Xq4F/9:sjkLW8wWpD9u/VLM9Xq4n

MITRE ATT&CK Enterprise v6

Tasks