General

  • Target

    8409557411.zip

  • Size

    646KB

  • Sample

    221117-x85keabd5z

  • MD5

    f0e9fbef389f57b29566a2b124a74030

  • SHA1

    530ce016c4dfbbd2ce4c9e5cf70b419cd64bc046

  • SHA256

    c71fea377c4d748bfa475d91fe17ce6f53fcfdd5abd6c54641eb7a25d0827165

  • SHA512

    b41e96503376a9cb5885a942e059ace8f59ad2ff55ef960aaadf1b754f052762684eb0f80aafcf41cacfb5a184d178677eb82a880f658248515da7603f75f4e3

  • SSDEEP

    12288:SsGCtcjnMWnymZN75eTbpks8wH30cd2aLrO8SYFuam1ZXwChhy:VGCtnWpjeJ8wH30ifrO8ZFuLXwKhy

Malware Config

Extracted

  • Family

    qakbot

  • Version

    403.914

  • Botnet

    obama209

  • Campaign

    1664963577

  • C2


Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      c39dd6590774e2d5d2f9bc94cfa6c812a4918a8e8df96337e268b516349483e2

    • Size

      902KB

    • MD5

      995ee1df4bc961a577adc65e9bf07ecc

    • SHA1

      09c76b23acf21dd34e4f3dfdbebb4c8cea68191c

    • SHA256

      c39dd6590774e2d5d2f9bc94cfa6c812a4918a8e8df96337e268b516349483e2

    • SHA512

      36b41ee70fee8ff38f75642eb5b8ec6ac695aa9f4196f860fd3d0206fe8fa48613764af2980ef71b02d357e49c764272dd624553dc7af392f76880cfd09173f6

    • SSDEEP

      12288:wv7zjNSEZKn6FexYXe6Vra47uSvhwldvtIFQloQ0t7GbMXaP1GMZXiR:ezx4RxCzVqjl5eCMX6GM9o

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofence check.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
