qakbot | 53eafeee2c494c3418d47a25664a414619885cc92447a735657b2ceedad71cde

Sharing

Copy URL

Twitter E-mail

General

Target

TS-795WP.iso
Size

101.2MB
Sample

221130-xlpwfaaa4z
MD5

411a9877eb067f1c56f82e4b7eb296c2
SHA1

9086fbe30ac950d90b8e51a7c2b307b29fc4677e
SHA256

53eafeee2c494c3418d47a25664a414619885cc92447a735657b2ceedad71cde
SHA512

b01e01a4bddd21a8dac6c10145f7be30a2d31e12c809d6d83f9a7becfa350e708b8f563388fb3354f63e84a776f95f4d87a99e1bf54e154d0137c35120cef623
SSDEEP

24576:SFolOZ7iw5WwfHH3vwLwh0RV9Z0OEdMdWz52kqAaBJP8fnLJ518VCqoI2ytHE:SFolOZ7iw5WwfHH3vwLwCuDHAHE

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  TS-795WP.iso
- Size
  
  101.2MB
- MD5
  
  411a9877eb067f1c56f82e4b7eb296c2
- SHA1
  
  9086fbe30ac950d90b8e51a7c2b307b29fc4677e
- SHA256
  
  53eafeee2c494c3418d47a25664a414619885cc92447a735657b2ceedad71cde
- SHA512
  
  b01e01a4bddd21a8dac6c10145f7be30a2d31e12c809d6d83f9a7becfa350e708b8f563388fb3354f63e84a776f95f4d87a99e1bf54e154d0137c35120cef623
- SSDEEP
  
  24576:SFolOZ7iw5WwfHH3vwLwh0RV9Z0OEdMdWz52kqAaBJP8fnLJ518VCqoI2ytHE:SFolOZ7iw5WwfHH3vwLwCuDHAHE
Score

3^/10
behavioral1 behavioral2
- Target
  
  WP.vbs
- Size
  
  186B
- MD5
  
  596debe0b1d730aa85934a8513ddcef1
- SHA1
  
  8332a8efe4c52cf1ce1e76731723f5aadd23103a
- SHA256
  
  ecd701720d825629eb26aa23f2390f629639250fc888dcf0b6e4b6a4c53fb81d
- SHA512
  
  3d3ea92ffb4239fcf2b0b3a503f5368c21ea009faf9238c86d986fddca8290116a90aa6ffd082bc838561bfa80a1ae9f194a2e8e88db4496591a5400982b6e3d
Score

10^/10

qakbot obama224 1669794048 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  header
- Size
  
  100.0MB
- MD5
  
  5937fb14ca678edd47fca8acbf0f12d0
- SHA1
  
  c1ff9be307e47212d858e3bd534a32e94eba0d75
- SHA256
  
  cd1f2a4b7893d1c70893ed2ba347e140d34bdcd2794097424083d9367fa5caa6
- SHA512
  
  b552f74ee4dc974b9f42feeb7a97a70c7c3bb94817478c571195d6d91156ea7d4d90a426df0fef975c91a549b19763c3a7a87c0a564a11cabc95630ebaf9ff09
- SSDEEP
  
  3:Wttkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkw:Yu
Score

1^/10
behavioral5 behavioral6
- Target
  
  metaphysic/choked.txt
- Size
  
  221KB
- MD5
  
  c6a3f23a15df0367b84fb3233673e85c
- SHA1
  
  3e86493470835ba04db6ccadb77e37bae422fba5
- SHA256
  
  1db1054fbc2158fd8fc73cf92f03d9816d48fc92a5023164c52bea820f71199d
- SHA512
  
  e578dbfe8b7bf719897664f65d28b9fc0461bdab754e665202d48d6e0f3237fec80a908344b22326459f36880dbc0bd25c6b3124f6a7adc26880f2659479f99b
- SSDEEP
  
  3072:XoCkLSl+AMwmeG68MgWMNftCtMiv07iXQQk5:4FulJNxT8RWkf8bv07iw5
Score

1^/10
behavioral7 behavioral8
- Target
  
  metaphysic/imprints.gif
- Size
  
  24KB
- MD5
  
  45a891a5bbc4c25a91a77a06d065ff84
- SHA1
  
  831e6c38e6153f269cbde79d83ba6765421a9ea2
- SHA256
  
  32a6cc08ba7a30f462b37a8dc7f71ec0b40318379040fac318dd3a6d43ef9a17
- SHA512
  
  1287d8c542b45afaf3be53ec6fe00ac1c0c4f1af7a5d95e824afcabf842a7bdbaa2bf86468023c6640f43357a24066f352d24557a7058f943a513f25f7415e89
- SSDEEP
  
  768:vtqRNUQeWOtaMK7MpIIfTgVCQaDbqKab/iLylG:vE8Qeztan7kBTgVC07WLyw
Score

1^/10
behavioral10 behavioral9
- Target
  
  metaphysic/possessively.ps1
- Size
  
  364B
- MD5
  
  fdd112c79808f54c51315a2db79543a3
- SHA1
  
  ed4e556ee19f1066494870a2bb6c4714800dad20
- SHA256
  
  b9efb8b9e271b08de4b59d78720796e7b428a989e8d7cb05f01713ea526b86dd
- SHA512
  
  95c1215833e1490d42fd041f0f3203c0f11bd70e889d4f1017f0e9533318c1c99c7a797c463016022fc79d0b4493198311ffa1b3476a1e29968258d19085a8cf
Score

1^/10
behavioral11 behavioral12
- Target
  
  metaphysic/preyed.txt
- Size
  
  85KB
- MD5
  
  7741772d4a072119b308a292db71fba3
- SHA1
  
  d93d3aa15fbc1031a6c6cf267243cfeb55e43ef3
- SHA256
  
  59220a25e69e43f4af5aa414c5754b1991c2057ce54a8f6642488e3ab7e45738
- SHA512
  
  6235ada0fbf49f004956dcd7e976b78db2beef51b3944b9fd2958d6d7731a6d0c98b7b91586a5b43196e755952596683f4c88eccda7509d0c6445030fd5ffa92
- SSDEEP
  
  1536:xATNwiDtQlNHHoA1Zc/uo64E5clp1ZOVqqXwp17wiHj/t/cW1ZOViL:GwCtQzHHL1ZDaE5cv1ZOPwLwWj/t/V1X
Score

1^/10
behavioral13 behavioral14
- Target
  
  metaphysic/privates.vbs
- Size
  
  186B
- MD5
  
  596debe0b1d730aa85934a8513ddcef1
- SHA1
  
  8332a8efe4c52cf1ce1e76731723f5aadd23103a
- SHA256
  
  ecd701720d825629eb26aa23f2390f629639250fc888dcf0b6e4b6a4c53fb81d
- SHA512
  
  3d3ea92ffb4239fcf2b0b3a503f5368c21ea009faf9238c86d986fddca8290116a90aa6ffd082bc838561bfa80a1ae9f194a2e8e88db4496591a5400982b6e3d
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16
- Target
  
  metaphysic/readme.txt
- Size
  
  770KB
- MD5
  
  93d5daab5e26df8198ff4267ca26b90f
- SHA1
  
  5c31652ed43dd5ef473294b2740784bf0f26b1dc
- SHA256
  
  4f496c506719e69d9f52970fa599c0e04935e7c653f23eae6e61e8f39e2badf6
- SHA512
  
  f7c55eb29e9c82762c067ecbf7f8c21252f205acd32dca01b45fad801eae3a10d09ff72ed3474fe7e6c29eb0cc5da363d0828677199a40f493981c6b60812abe
- SSDEEP
  
  24576:+0RV9Z0OEdMdWz52kqAaBJP8fnLJ518VCqoI2yO:3uDHh
Score

1^/10
behavioral17 behavioral18
- Target
  
  metaphysic/simmers.jpg
- Size
  
  21KB
- MD5
  
  82bee8c359156bcc35acd3b08926b9b1
- SHA1
  
  a63ca0946e30a28c120202ad6e74715dee64d897
- SHA256
  
  e4ff759593a61c06548eae5faf20c7d2090d70807214b1bbd381154f3d35db7e
- SHA512
  
  2887d2156e39d8f9f328165453894e72d79ce6767f947a0c60b14bcc3d36db76cec568c648e1d1f101ef53ab55e1be78025a932bfe6c38e2ff07c538d8ae3bb6
- SSDEEP
  
  384:LZwSODsVmwh2SFoXvNZPvczbwFOJhl6nT0A1nmMtEgeAix1c72yjeDXOIJ+CwcJI:LZwbDsV/clZqpP6nTtnH/nIoP+XOA+C2
Score

3^/10
behavioral19 behavioral20
- Target
  
  metaphysic/typewrite.png
- Size
  
  43KB
- MD5
  
  5522c9e8ef8d4a5a95bb1f3d676fdc5c
- SHA1
  
  ae12bd89d36e46d1e416931d064c7b8c0867250a
- SHA256
  
  81a8fe3499c5cfc66c98b6d4935a8270eb824e1e58f60075846d49e1021c710a
- SHA512
  
  911606b88218f78b53343eea80bdde91c945fb241cecaa6b5e4991206cf966f3d479e0c3cda93734b740286946d6fe0a82f45b76937c88fc8c17a20784f75913
- SSDEEP
  
  768:t18g+tRun0DiF2ZCgX2VkNWTQHCj2qBjMTDGum2p7sc8Z/pcN7OOa48MZdX8encX:nQzICCD6NWdp4fYOBD8cDnYf
Score

3^/10
behavioral21 behavioral22

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Checks computer location settings

Loads dropped DLL

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22