qakbot | 5c1eeca485650a1c9d3fc9ba7848ad3be1f64be2776c7487f046eca22bb1fb35

General

Target

00790 Dec 01.vhd
Size

80.0MB
Sample

221201-yf4yvaeb95
MD5

30bc7167d162912facc4bfa7db24ddf1
SHA1

da29018063e0c0766739549ec57c8960edfd2041
SHA256

5c1eeca485650a1c9d3fc9ba7848ad3be1f64be2776c7487f046eca22bb1fb35
SHA512

b7870aca2eabaef2df05e8665981f76d3b1cb644907697dde0437e601d5f6cf6ae1d4a1b43b3c2d7e215126e10ca76a5f5de82dcd6f5d76940426ab234fbda68
SSDEEP

12288:2SUUEfo5I6/o2qgkpUdG9Msme0CWUdOWk4F:2STiWDvLmRme0C0Wk4

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  00790 Dec 01.vhd
- Size
  
  80.0MB
- MD5
  
  30bc7167d162912facc4bfa7db24ddf1
- SHA1
  
  da29018063e0c0766739549ec57c8960edfd2041
- SHA256
  
  5c1eeca485650a1c9d3fc9ba7848ad3be1f64be2776c7487f046eca22bb1fb35
- SHA512
  
  b7870aca2eabaef2df05e8665981f76d3b1cb644907697dde0437e601d5f6cf6ae1d4a1b43b3c2d7e215126e10ca76a5f5de82dcd6f5d76940426ab234fbda68
- SSDEEP
  
  12288:2SUUEfo5I6/o2qgkpUdG9Msme0CWUdOWk4F:2STiWDvLmRme0C0Wk4
Score

1^/10
behavioral1
- Target
  
  00790 Dec 01.lnk
- Size
  
  951B
- MD5
  
  88bc566bf7c592d012aa14ce10e8db84
- SHA1
  
  7a68cf80d99259f5979b48a559c64dfd037f7a51
- SHA256
  
  46580b7da7e711bf4de330de90f3d83498508f68f3308378fb219e2045244b01
- SHA512
  
  bfb65e78af45321b5768cd1fcc458c8aeadb48b05ef767fa83aeb5972b903b4fdd5e4bbd52ea591f2b94a18a5200f1f3d8d8bd11338c03bef32bb3a0b97a6f99
Score

10^/10

qakbot obama224 1669794048 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral2 behavioral3
- Target
  
  48.dll
- Size
  
  600KB
- MD5
  
  5f2f64254193b3e46ad38110af70c191
- SHA1
  
  3c390a854b4bed296d549288e42ab9388a39b42b
- SHA256
  
  cff751c5dc8d9914b185064dd21cbbac5db7768cab5be0eab6bc2ac958559ef6
- SHA512
  
  708d894742bc1cb1c1f855771d364f4a1388aa0abdd920767330509bea6977d2e9c8efab4ba25e60ad61f6320b42840f207d7e25b68e803cc57f28809d35cd2b
- SSDEEP
  
  12288:QSUUEfo5I6/o2qgkpUdG9Msme0CWUdOWk4F:QSTiWDvLmRme0C0Wk4
Score

1^/10
behavioral4 behavioral5

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5