General

  • Target: QL63.img
  • Size: 842KB
  • Sample: 221118-qznrzahd96
  • MD5: 91e742988dfaf22dd473b2595a0fb1f2
  • SHA1: 537c12d3dd983bddc03aa80e09d7384c575485fe
  • SHA256: 9e1abf9980ebc84d56b0c780b9fce0c401cfacc66e014f3be1d25564d4763477
  • SHA512: 58b63510eb651f7d82b78fd4f3e1eb87784859d73bdddf0ec74f8f6094e74832508306ed3657b93a4335358ca4ef8c1e2e610f6ed48f794051d5dfa9f170d763
  • SSDEEP: 24576:INdpOK8zWcCTisQsC3BbYGQajBp6Pi1YWaw4:EQK8Ie3BbzQaNpx1Da

Malware Config

Extracted

  • Family: qakbot
  • Version: 404.30
  • Botnet: BB06
  • Campaign: 1668752705

C2

Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target: QL63.img (842KB; same sample and hashes as listed under General)
    • Score: 3/10
    • Target: SK.js
    • Size: 9KB
    • MD5: dcbdc839a5daa5983faad41f1940b3bd
    • SHA1: a43dd88fdf7650c7953899d3fe24bd737ce12659
    • SHA256: 464794501188c3ac9b5c39efd9bb6d40dc71c03be8a710e07a1302256caea862
    • SHA512: 8438047899987b773ef1a6f39bcf4e00dc1ec79b62eae6e5a87bc46b567f469a8dd7dd29d0f3335cb1989cad2d8bb66d5c838e0a61d82c6b6b12c3eee443b134
    • SSDEEP: 192:cCuSLj50Tavgx685UIhpHKbP2KTMhS0OGYm9lWVjAvNzAWM5Evk7MgG+r5AJ:h52k785UIhp/KTMhSeYmn2jiu5EjP+rs

    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.
    • Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.

    • Target: manacle/tries.temp
    • Size: 372KB
    • MD5: 2a5478a1ef939186ec0d7ed9ed094aee
    • SHA1: d803959b8d4e25ad603b89ddd6c07a8373b711fa
    • SHA256: 08a4fc568d110346918e516ee3d3d3f7ca3b9b362735ffeed562996842f6cfc4
    • SHA512: 791ffd995f3e67a7a18765f334ead06530409b1c188431bf748e18221dcb28a17f0395cc663d1ac05588e195441a82e5e7a01470fbf02f1f414a27e0635fbd16
    • SSDEEP: 6144:l1eKK1u77wiWjvM9gaYhWawPSxipTR9K1/XkeDA+sqKD9oqHs9Dz/RJhKXuz:mKzMD2gaSWcxITi/XkZ+s7pohvRJhr

MITRE ATT&CK Enterprise v6

Tasks