Overview

overview

10

Static

static

WP#3272.html

windows7-x64

8

WP#3272.html

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WP#3272.html

  • Size

    1.3MB

  • Sample

    221201-q5jp7sha5z

  • MD5

    bde0e3672c5de82a86f83c6315c2eb95

  • SHA1

    57dca61336755ce5631248e8b56642a369ffecc0

  • SHA256

    65ccb33e111a2bfe4e74dafd5c3cb62f8dc4cfedb4492785dfc2d0838841b10e

  • SHA512

    267bf372fa88917e928c5a65907fab19a9365f8f82532ea63c0edd221cd9f5882114163d9d0c31992057d5ab247bcb0dcb6e98662e18fb16e925938f5f338c45

  • SSDEEP

    12288:swiSePqm22VGDFKObVwAfqmRw696LzA9kKS9EOIWV4T9OaJn267hjmFPpQx90DLz:mJ2P9Bfq+cGNrOIWyBOD6F0o4ghBgP

Score
10/10
qakbotobama2241669794048bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      WP#3272.html

    • Size

      1.3MB

    • MD5

      bde0e3672c5de82a86f83c6315c2eb95

    • SHA1

      57dca61336755ce5631248e8b56642a369ffecc0

    • SHA256

      65ccb33e111a2bfe4e74dafd5c3cb62f8dc4cfedb4492785dfc2d0838841b10e

    • SHA512

      267bf372fa88917e928c5a65907fab19a9365f8f82532ea63c0edd221cd9f5882114163d9d0c31992057d5ab247bcb0dcb6e98662e18fb16e925938f5f338c45

    • SSDEEP

      12288:swiSePqm22VGDFKObVwAfqmRw696LzA9kKS9EOIWV4T9OaJn267hjmFPpQx90DLz:mJ2P9Bfq+cGNrOIWyBOD6F0o4ghBgP

    Score
    10/10
    qakbotobama2241669794048bankerstealertrojan

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks