General

  • Target

    72244463-c311-4e9d-9c69-52bab6ca999b.zip

  • Size

    648KB

  • Sample

    221130-w9awraha4w

  • MD5

    68f84648430626603534d4d8f9f0e96a

  • SHA1

    d0df540d10e3a0f4d7e415d73660a37e9843ae1e

  • SHA256

    6a58985988d3246160b99a1bb9f0999d3477f3855cca44f1638ffcd2f8c6aaf3

  • SHA512

    4fb534eb5b298aa93041d5ab5cd50293a65d715c5259fdd33d54ebf5dd9d8d359ab0318aa5d011b8741b368d0ad32d09f9d5f772884c40f5b81563a64dcc3f0f

  • SSDEEP

    12288:o/c3oKQy6Ye9/IC31ich+TMS53dmAinCz4LTYdG3Uj4Zvgk:756/VIAZPWiCzw3Upk

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2
Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      WP.vbs

    • Size

      186B

    • MD5

      aba9cfc4959b72d5b3ab8fd19b3c1bd8

    • SHA1

      ae8008b09e32387ad1e1ceffd531848997318bb5

    • SHA256

      79f0f701f54f50947b027e94d7b0634701ac29fd99869b87120f725905635fad

    • SHA512

      e4c65f6708afc3b1d5186acb1332b28d50778a25d5bb5bde99efa452605da4ef48e38e5e068f346e6784fb6b45e03cbde4e73ff9ce784cc665b968b379213ad0

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Target

      metaphysic/disgorgement.ps1

    • Size

      362B

    • MD5

      86fa18cb98d18b91e2dde4869cc42d20

    • SHA1

      080a6aee4b507401febfc47b2492b875d7fc636c

    • SHA256

      8c017019a8a028e9956a216b3f66e97d3e813b4a68aaf023def5fa42b6e156ca

    • SHA512

      61b0c616130bbebee39b10deec6ac22f054fa8f5656f7e9f1206609b9f6a55ab4b2c57101ea5452cbb1a912765fa84f013f69f0d31bbedc42862e30c4c3cd9d7

    Score
    1/10
    • Target

      metaphysic/reprimanded.vbs

    • Size

      186B

    • MD5

      aba9cfc4959b72d5b3ab8fd19b3c1bd8

    • SHA1

      ae8008b09e32387ad1e1ceffd531848997318bb5

    • SHA256

      79f0f701f54f50947b027e94d7b0634701ac29fd99869b87120f725905635fad

    • SHA512

      e4c65f6708afc3b1d5186acb1332b28d50778a25d5bb5bde99efa452605da4ef48e38e5e068f346e6784fb6b45e03cbde4e73ff9ce784cc665b968b379213ad0

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 4

Tasks