General

  • Target

    JR-820WP.iso

  • Size

    1.2MB

  • Sample

    221201-h6j4csaf6z

  • MD5

    414992545e2ddce67cf1617b0f0148ee

  • SHA1

    f78125879ed549f2dd801f9dc6d5d21c4cb267d3

  • SHA256

    822f96d0c519e560949a9cba3b14dd41b0c354ca07b3ac42d56b21d599acb587

  • SHA512

    c08af2d5dce2b430c15502d4383855497eabb7fe8feb9474e020e1891cb026cb0d958765cf3802ef16ff163a36cccf6ea61259b7e0fd34e0890bbedf2332513b

  • SSDEEP

    24576:gFolOZ7iw5ywfHH3vwLwZ0RV9Z0OEdMd2z52kqAaBJP8fnLJ518VCqoI2ytHS:gFolOZ7iw5ywfHH3vwLwCuDHAHS

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
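The config block above is only useful once it is turned into something a network team can match on. The following Python script is an added example, not part of the sandbox report: it takes the botnet, campaign and C2 values exactly as extracted above, decodes the campaign ID (Qakbot stores it as a Unix timestamp), validates each ip:port pair as a routable address, summarises the port distribution, and emits Suricata rule text and a flow-matching check. The Suricata rule wording, the SID range starting at 9000000, and the sample flow records are assumptions constructed for the example.

```python
"""Turn the extracted Qakbot config into network IOCs.

Added example for this report. Config values (family, version, botnet,
campaign, C2 list) are copied from the extraction above; rule format,
SID range and sample flows are assumptions made for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Copied verbatim from the extracted config.
FAMILY = "qakbot"
VERSION = "404.46"
BOTNET = "obama224"
CAMPAIGN = 1669794048  # Qakbot campaign IDs are Unix timestamps

C2_RAW = """\
75.161.233.194:995
216.82.134.218:443
174.104.184.149:443
173.18.126.3:443
87.202.101.164:50000
172.90.139.138:2222
184.153.132.82:443
185.135.120.81:443
24.228.132.224:2222
87.223.84.190:443
178.153.195.40:443
24.64.114.59:2222
77.126.81.208:443
75.99.125.235:2222
173.239.94.212:443
98.145.23.67:443
109.177.245.176:2222
72.200.109.104:443
12.172.173.82:993
82.11.242.219:443
"""

# Constructed sample flows (src, dst, dport), NOT taken from the report.
SAMPLE_FLOWS = [
    ("10.0.0.15", "216.82.134.218", 443),  # C2 ip and port match
    ("10.0.0.15", "216.82.134.218", 80),   # same host, wrong port
    ("10.0.0.22", "8.8.8.8", 53),          # unrelated DNS traffic
]


def campaign_date(epoch):
    """Decode the campaign ID into an ISO-8601 UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_c2(raw):
    """Parse 'ip:port' lines into (ip, port) tuples.

    Rejects non-routable addresses and bad ports so that a mangled
    extraction cannot silently produce a rule that blocks RFC1918 space.
    """
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port_s = line.rpartition(":")
        ip = ipaddress.ip_address(host)
        port = int(port_s)
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
            raise ValueError("non-routable C2 address in config: %s" % line)
        if not 1 <= port <= 65535:
            raise ValueError("invalid port in config: %s" % line)
        pairs.append((str(ip), port))
    return pairs


def ports_in_use(c2s):
    """Count C2 entries per destination port, sorted by port number."""
    counts = {}
    for _, port in c2s:
        counts[port] = counts.get(port, 0) + 1
    return dict(sorted(counts.items()))


def suricata_rules(c2s, sid_base=9000000):
    """Emit one outbound-connection rule per C2 pair (rule text is an assumption)."""
    rules = []
    for i, (ip, port) in enumerate(c2s):
        rules.append(
            'alert tcp $HOME_NET any -> %s %s (msg:"%s %s C2 %s:%s"; '
            'flow:to_server; classtype:trojan-activity; sid:%d; rev:1;)'
            % (ip, port, FAMILY, BOTNET, ip, port, sid_base + i)
        )
    return rules


def match_flows(flows, c2s):
    """Return flows whose (dst, dport) equals an extracted C2 pair."""
    wanted = set(c2s)
    return [f for f in flows if (f[1], f[2]) in wanted]


if __name__ == "__main__":
    c2s = parse_c2(C2_RAW)
    print("%s %s botnet=%s campaign=%s" % (FAMILY, VERSION, BOTNET, campaign_date(CAMPAIGN)))
    print("ports:", ports_in_use(c2s))
    for rule in suricata_rules(c2s)[:3]:
        print(rule)
    print("matching flows:", match_flows(SAMPLE_FLOWS, c2s))
```

The flow matcher keys on the full ip:port pair rather than the address alone, which is deliberate: the list mixes ports 443, 2222, 993, 995 and 50000, and many of the addresses sit in residential ISP ranges, consistent with Qakbot's use of infected hosts as first-tier C2 relays. Treat them as short-lived indicators and expire them promptly rather than leaving a permanent block on an address that may be reassigned.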

Targets

    • Target

      WP.vbs

    • Size

      180B

    • MD5

      1021569ca969110a846894243eee3213

    • SHA1

      0de658b7123ee4e1c02d03f5aa4d152367d5eecc

    • SHA256

      d7c43ab4e93c298ab92dcba4882e2960a78aa4530a08bb544580eba26ad83cb9

    • SHA512

      2efe2dea8f2a55b65ea89703200d62dea5529e65f5c889c802db5ee4e2cb1981f2e0c3811a58a25e27996df6b7389b91d0df2b1f2fdce1d325f5080aef615d99

    • Qakbot/Qbot

      Qakbot (Qbot) is a banking trojan and malware loader with worm-like capabilities for spreading to other hosts on the network.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Target

      metaphysic/behead.ps1

    • Size

      363B

    • MD5

      2bb9408a318176b6073db22a8790eab8

    • SHA1

      2799413476122fbd6ac017d56573d8a3940da010

    • SHA256

      ef2d05e7ce17142ed1074187e845f9b2069849c01ceefeda3ff2f48e24f1e9ee

    • SHA512

      2a77fe5f8170c72fdc36450b7dc0772529c7b1afe6cd5bec66b7940f8d46882723632cc67c2b5ba946cea7f1b80c9de41d80a7255db270f95f0772f49ca01ce7

    Score
    1/10
    • Target

      metaphysic/supposable.vbs

    • Size

      180B

    • MD5

      1021569ca969110a846894243eee3213

    • SHA1

      0de658b7123ee4e1c02d03f5aa4d152367d5eecc

    • SHA256

      d7c43ab4e93c298ab92dcba4882e2960a78aa4530a08bb544580eba26ad83cb9

    • SHA512

      2efe2dea8f2a55b65ea89703200d62dea5529e65f5c889c802db5ee4e2cb1981f2e0c3811a58a25e27996df6b7389b91d0df2b1f2fdce1d325f5080aef615d99

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082
