Resubmissions

30-11-2022 02:05  221130-ch7lvscb8z  10
30-11-2022 02:01  221130-cfxzmsca4x  1
30-11-2022 01:51  221130-b9x13agc22  6
30-11-2022 01:32  221130-byfbwaaf51  1

General

  • Target: b728b6fa-ca97-43da-bf3f-13f86b8ee983.html
  • Size: 637KB
  • Sample: 221130-ch7lvscb8z
  • MD5: 2d9fc73397ec9f722163ca97db847b68
  • SHA1: ba3dabc812f0e9805d27e750e2f041ac0db06a11
  • SHA256: 1144f930260c12b3931b944435967789584da516d019578541b6877068fca3e7
  • SHA512: 7348b5c4456b56d3678d8a8df7f66abde07acd0e4bc6414c661e9ef9e73395c7ef87f24451ac72ac64f4d6c173689e361bb57d18ce529f980920198d7bb035db
  • SSDEEP: 12288:FKlxGaDKqDLoaZghNHbq7tp8dgJvrKoKiLGD:FKlxG4KqDLoBNHiT4q2iq

Malware Config

Extracted

Family: qakbot
Version: 404.30
Botnet: obama223
Campaign: 1668757345

C2

68.47.128.161:443
87.65.160.87:995
172.90.139.138:2222
86.175.128.143:443
12.172.173.82:465
71.247.10.63:2083
47.41.154.250:443
91.254.215.167:443
71.31.101.183:443
81.229.117.95:2222
24.4.239.157:443
41.99.177.175:443
92.149.205.238:2222
73.230.28.7:443
47.229.96.60:443
186.188.2.193:443
174.112.25.29:2078
84.35.26.14:995
86.130.9.167:2222
116.74.163.221:443

Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  Registry Run Keys / Startup Folder  1  T1060

Defense Evasion
  Modify Registry  1  T1112

Discovery
  Query Registry  4  T1012
  System Information Discovery  5  T1082
  Peripheral Device Discovery  2  T1120

Tasks