General

  • Target

    PJ-481.iso

  • Size

    690KB

  • Sample

    221129-y9e7ksdd36

  • MD5

    8497ea27c241c9004dd1f8d8fbf43c56

  • SHA1

    7e51aa6f90af005522a2ef5fff2f9b9ba2068db4

  • SHA256

    faacab70e93599e4bd87bb16be40e6aab5034e913986aa11aa6392f3c4e7af6f

  • SHA512

    f93767e35ae00b931016fb5d711dfea8d2f24e43f6bc908c18a8eee8559a471e0884a511654d514fe3218e46bc9a12a2e9811223df1c65d78fe0b0e774e45e8c

  • SSDEEP

    12288:Vm1Mcw5EO6dHvDe0P3lx5EBto8BkfzNbuTyGrC6N2c2mcsAMzRGBRA4cZDA:WMFEO6dHvDe0P335EXpUNSleQ2cYCGLx

Malware Config

Extracted

  • Family

    qakbot

  • Version

    404.46

  • Botnet

    BB08

  • Campaign

    1669628564

  • C2

    98.147.155.235:443
    85.52.73.34:2222
    75.158.15.211:443
    2.91.184.252:995
    92.106.70.62:2222
    85.152.152.46:443
    86.159.48.25:2222
    217.128.91.196:2222
    92.11.189.236:2222
    83.92.85.93:443
    2.83.62.105:443
    93.24.192.142:20
    76.20.42.45:443
    24.64.114.59:2078
    73.36.196.11:443
    130.43.99.103:995
    172.117.139.142:995
    100.16.107.117:443
    12.172.173.82:22
    176.151.15.101:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      AS.js

    • Size

      132B

    • MD5

      a7ed5526d693f7ec3c6a25d2860a8448

    • SHA1

      a7e481e4eb45adc0675023f042a600292bcb6293

    • SHA256

      a338a607c99311a3c1e3bdf4530a419b4217599e0fcd276c02191056154c3be1

    • SHA512

      8c5ff00a934b75f8c38cc3218e635bd42e7f3088f17daaf5ad935082ab8e3c4cc8d47bd6325d5683b074d0037da1e3ae6044043a3ae3c6aa4d7242e5e0378cbd

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      fix/archery.ps1

    • Size

      379B

    • MD5

      b29c2088d8e08cdbcf8a6986f30157b7

    • SHA1

      f8463b7e9f83c3e77234e7fe066855a752de713a

    • SHA256

      f3624087293ba86bbb2c2f619f012a8287c1b4b0aeead16ede208fa88fbdc6f5

    • SHA512

      039c024ab4cd0938fc18b365ff7b9e38dd40cd474d3f76ced69f1079a6d3e6335508d93a4d79ef444d59fc4036be8c1bbb93e8cf414c14ab260d1d8b2dbfd0bd

    • Score

      1/10

    • Target

      fix/collapses.js

    • Size

      132B

    • MD5

      a7ed5526d693f7ec3c6a25d2860a8448

    • SHA1

      a7e481e4eb45adc0675023f042a600292bcb6293

    • SHA256

      a338a607c99311a3c1e3bdf4530a419b4217599e0fcd276c02191056154c3be1

    • SHA512

      8c5ff00a934b75f8c38cc3218e635bd42e7f3088f17daaf5ad935082ab8e3c4cc8d47bd6325d5683b074d0037da1e3ae6044043a3ae3c6aa4d7242e5e0378cbd

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 4

Tasks