General

  • Target

    ON-650.iso

  • Size

    690KB

  • Sample

    221129-whrp7aeh41

  • MD5

    503d393f4deee46c653b53eed85d1f3b

  • SHA1

    2005a5452437484dbef956d021d40f5f43b3f26e

  • SHA256

    3ee6f622034116255f6324395d655909c74599769df80804ca458dae91fc587a

  • SHA512

    0dca620aa64ef19e467f80d673509ae530dc840f7323230a5afdcdb9b02146e53eaffde3909af203910f3c0d243ca970ae08975d0109718870ba349a9447417f

  • SSDEEP

    12288:wm1Mcw5EO6dHvDe0P3lx5EBto8BkfzNbuTyGrC6N2c2mcsAMzRGBRA4cZD:zMFEO6dHvDe0P335EXpUNSleQ2cYCGLc

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB08

Campaign

1669628564

C2

98.147.155.235:443

85.52.73.34:2222

75.158.15.211:443

2.91.184.252:995

92.106.70.62:2222

85.152.152.46:443

86.159.48.25:2222

217.128.91.196:2222

92.11.189.236:2222

83.92.85.93:443

2.83.62.105:443

93.24.192.142:20

76.20.42.45:443

24.64.114.59:2078

73.36.196.11:443

130.43.99.103:995

172.117.139.142:995

100.16.107.117:443

12.172.173.82:22

176.151.15.101:443

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      AS.js

    • Size

      131B

    • MD5

      39521c01435c268ccf7df64f6f552488

    • SHA1

      3020be5563b2efac7a487b92a375c50c29441fd7

    • SHA256

      8edec93513434225615c88354d220e13e97e072b156ba84d30c8c673d230af5f

    • SHA512

      82f362325dbe52d533c67e17b0be8dd4c6e3bc6a6f2ecb19c6425bcfa73bd294484845180d2c46eea07356b2de72a2526da87a24569550dc7c39965fe73f9d76

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      fix/codify.ps1

    • Size

      374B

    • MD5

      567b9a7715106b12f899c6021a49ab71

    • SHA1

      4439cbe9ca9758c52d93fb30488506a46678b716

    • SHA256

      0cab82af4f083c592a12cf4982e745ddaedf85acb505607157881765de7e7754

    • SHA512

      7bec4d97f505befa9635c842b4f73d2eb16438c805daf6f61a20d41a0ea74014933b592407e9c8c84c7c3632cc3fa6c7e9a6befa7c55a571e71220b8b5cbd09b

    • Score

      1/10

    • Target

      fix/vetoing.js

    • Size

      131B

    • MD5

      39521c01435c268ccf7df64f6f552488

    • SHA1

      3020be5563b2efac7a487b92a375c50c29441fd7

    • SHA256

      8edec93513434225615c88354d220e13e97e072b156ba84d30c8c673d230af5f

    • SHA512

      82f362325dbe52d533c67e17b0be8dd4c6e3bc6a6f2ecb19c6425bcfa73bd294484845180d2c46eea07356b2de72a2526da87a24569550dc7c39965fe73f9d76

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 4

Tasks