Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

bat.zip
Size

358KB
Sample

221202-cb16haff5t
MD5

3ffb94630ddcb1a81f57294c49f2e51d
SHA1

657e7a0f0bd48ae15172ebbacaa22affb2834534
SHA256

6df17ee2db1e11f4c41f4066dd2a7f3b574d0f1098fcdf2e847d92ff8db95837
SHA512

983a7ea7f4b69fd74a4f40399e4fb4144d3fc94bba14b466f6f52c8c1ff2baa1ad0e11bcf7c8126d1094a7f2336ea49207dcc85ecbf82c1e09eea7e750a546f5
SSDEEP

6144:Lyu+Fuht+YWPF+BVVgbtB+cVOXSLn4RB2oE9MU5hRyceZPW3neDJ0G7I:LWuhteQBVVmV+GeEdsZPAQZ0

Score

10^/10

Malware Config

Extracted

Family	qakbot
Version	404.46
Botnet	obama224
Campaign	1669794048
C2	75.161.233.194:995 216.82.134.218:443 174.104.184.149:443 173.18.126.3:443 87.202.101.164:50000 172.90.139.138:2222 184.153.132.82:443 185.135.120.81:443 24.228.132.224:2222 87.223.84.190:443 178.153.195.40:443 24.64.114.59:2222 77.126.81.208:443 75.99.125.235:2222 173.239.94.212:443 98.145.23.67:443 109.177.245.176:2222 72.200.109.104:443 12.172.173.82:993 82.11.242.219:443 92.149.205.238:2222 183.82.100.110:2222 176.142.207.63:443 92.24.200.226:995 69.119.123.159:2222 91.169.12.198:32100 64.121.161.102:443 124.122.55.68:443 12.172.173.82:995 85.231.105.49:2222 94.63.65.146:443 176.133.4.230:995 213.67.255.57:2222 90.89.95.158:2222 156.217.158.177:995 88.126.94.4:50000 87.57.13.215:443 102.159.83.36:443 121.122.99.223:995 216.196.245.102:2222 12.172.173.82:465 78.69.251.252:2222 76.80.180.154:995 75.143.236.149:443 109.11.175.42:2222 221.161.103.6:443 74.92.243.113:50000 75.98.154.19:443 47.41.154.250:443 49.175.72.56:443 81.229.117.95:2222 92.189.214.236:2222 83.92.85.93:443 108.162.6.34:443 84.35.26.14:995 136.232.184.134:995 188.54.99.243:995 93.24.192.142:20 75.84.234.68:443 71.31.101.183:443 80.13.179.151:2222 184.155.91.69:443 76.100.159.250:443 24.64.114.59:3389 46.246.245.152:995 70.115.104.126:995 197.2.209.208:995 50.90.249.161:443 70.66.199.12:443 216.196.245.102:2083 182.66.197.35:443 142.161.27.232:2222 76.127.192.23:443 92.207.132.174:2222 174.77.209.5:443 12.172.173.82:21 199.83.165.233:443 74.66.134.24:443 77.86.98.236:443 90.104.22.28:2222 71.247.10.63:50003 108.6.249.139:443 184.176.154.83:995 81.198.136.151:995 80.0.74.165:443 71.247.10.63:995 174.58.146.57:443 69.133.162.35:443 50.68.204.71:995 24.64.114.59:61202 47.34.30.133:443 12.172.173.82:50001 75.158.15.211:443 216.196.245.102:2078 181.164.194.228:443 193.154.207.221:443 213.191.164.70:443 197.92.135.188:443 172.117.139.142:995 76.20.42.45:443 24.64.114.59:2078 73.36.196.11:443 58.247.115.126:995 73.155.10.79:443 92.98.72.220:2222 84.113.121.103:443 2.50.47.109:443 12.172.173.82:990 106.212.18.255:995 98.147.155.235:443 92.106.70.62:2222 108.44.207.232:443 24.206.27.39:443 130.43.99.103:995 50.68.204.71:993 71.46.234.171:443 108.162.6.34:995 24.142.218.202:443 166.62.145.54:443 75.161.233.194:995 216.82.134.218:443 174.104.184.149:443 173.18.126.3:443 87.202.101.164:50000 172.90.139.138:2222 184.153.132.82:443 185.135.120.81:443 24.228.132.224:2222 87.223.84.190:443 178.153.195.40:443 24.64.114.59:2222 77.126.81.208:443 75.99.125.235:2222 173.239.94.212:443 98.145.23.67:443 109.177.245.176:2222 72.200.109.104:443 12.172.173.82:993 82.11.242.219:443 92.149.205.238:2222 183.82.100.110:2222 176.142.207.63:443 92.24.200.226:995 69.119.123.159:2222 91.169.12.198:32100 64.121.161.102:443 124.122.55.68:443 12.172.173.82:995 85.231.105.49:2222 94.63.65.146:443 176.133.4.230:995 213.67.255.57:2222 90.89.95.158:2222 156.217.158.177:995 88.126.94.4:50000 87.57.13.215:443 102.159.83.36:443 121.122.99.223:995 216.196.245.102:2222 12.172.173.82:465 78.69.251.252:2222 76.80.180.154:995 75.143.236.149:443 109.11.175.42:2222 221.161.103.6:443 74.92.243.113:50000 75.98.154.19:443 47.41.154.250:443 49.175.72.56:443 81.229.117.95:2222 92.189.214.236:2222 83.92.85.93:443 108.162.6.34:443 84.35.26.14:995 136.232.184.134:995 188.54.99.243:995 93.24.192.142:20 75.84.234.68:443 71.31.101.183:443 80.13.179.151:2222 184.155.91.69:443 76.100.159.250:443 24.64.114.59:3389 46.246.245.152:995 70.115.104.126:995 197.2.209.208:995 50.90.249.161:443 70.66.199.12:443 216.196.245.102:2083 182.66.197.35:443 142.161.27.232:2222 76.127.192.23:443 92.207.132.174:2222 174.77.209.5:443 12.172.173.82:21 199.83.165.233:443 74.66.134.24:443 77.86.98.236:443 90.104.22.28:2222 71.247.10.63:50003 108.6.249.139:443 184.176.154.83:995 81.198.136.151:995 80.0.74.165:443 71.247.10.63:995 174.58.146.57:443 69.133.162.35:443 50.68.204.71:995 24.64.114.59:61202 47.34.30.133:443 12.172.173.82:50001 75.158.15.211:443 216.196.245.102:2078 181.164.194.228:443 193.154.207.221:443 213.191.164.70:443 197.92.135.188:443 172.117.139.142:995 76.20.42.45:443 24.64.114.59:2078 73.36.196.11:443 58.247.115.126:995 73.155.10.79:443 92.98.72.220:2222 84.113.121.103:443 2.50.47.109:443 12.172.173.82:990 106.212.18.255:995 98.147.155.235:443 92.106.70.62:2222 108.44.207.232:443 24.206.27.39:443 130.43.99.103:995 50.68.204.71:993 71.46.234.171:443 108.162.6.34:995 24.142.218.202:443 166.62.145.54:443
Attributes	salt SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  bat.zip
- Size
  
  358KB
- MD5
  
  3ffb94630ddcb1a81f57294c49f2e51d
- SHA1
  
  657e7a0f0bd48ae15172ebbacaa22affb2834534
- SHA256
  
  6df17ee2db1e11f4c41f4066dd2a7f3b574d0f1098fcdf2e847d92ff8db95837
- SHA512
  
  983a7ea7f4b69fd74a4f40399e4fb4144d3fc94bba14b466f6f52c8c1ff2baa1ad0e11bcf7c8126d1094a7f2336ea49207dcc85ecbf82c1e09eea7e750a546f5
- SSDEEP
  
  6144:Lyu+Fuht+YWPF+BVVgbtB+cVOXSLn4RB2oE9MU5hRyceZPW3neDJ0G7I:LWuhteQBVVmV+GeEdsZPAQZ0
Score

1^/10
behavioral1 behavioral2
- Target
  
  18014 Dec 01.lnk
- Size
  
  953B
- MD5
  
  5935879839af4f93eab1f31bf680e383
- SHA1
  
  239302f01d02b8792aaf25646f6eb9b397bd9464
- SHA256
  
  0cc402542c3376fc2aa7cd0ac1a8b63d1cf702f55d57a3918a4edabd70085fa8
- SHA512
  
  f46bea3f46c69d8ddd8c39fe8630aafee234f41716613f904297bf0bf7aac1d5763f780eff404ce713d82623d2fada988d9da8551b18b052094054f4a263ac3c
Score

10^/10

qakbot obama224 1669794048 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  587.dll
- Size
  
  600KB
- MD5
  
  f5e2e5bc6629db401c96da463a1ce7ed
- SHA1
  
  7485b301c1c405df1fedfb28cedfeb21fb531f17
- SHA256
  
  456a599f6904b3ce205ff88d015c95f890e6c1b8e9a3177c057bdd4e2358b36c
- SHA512
  
  2be0087729f422c7c039955cb79a947959e822db583c68aacf5c2f83856977c4dbb51971b19c6bfff620f60bc6e954d5a6a687aae9eb3fa4ec95c4687c7ce461
- SSDEEP
  
  12288:QSUUEfo5I6/o2qgkpUdQ9Msme0CWUdOWk4F:QSTiWDvLgRme0C0Wk4
Score

1^/10
behavioral5 behavioral6
- Target
  
  System Volume Information/IndexerVolumeGuid
- Size
  
  76B
- MD5
  
  426444c2c08ee779ef8c0ddb220d22a4
- SHA1
  
  a1fa468c642c10af2d0287d9e7b8221d20874ed4
- SHA256
  
  a1725d843002870af87a9146f1708a3d13e8512cd9a771215c1f90b3191cbddb
- SHA512
  
  949eb62ae2d355204c8ccc945501eee2afbb82d7f3989afe85d96b831c44047aa46672d6c352a132d065d698592dd3dcac3cef5d3a2acef9a3e05e8f47c7b841
Score

1^/10
behavioral7 behavioral8
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  09d461fdadf39fa702d61cca24e6317e
- SHA1
  
  9f257178f279c65d21b91987114075579b95fbef
- SHA256
  
  93ac1052dc52572fb6c45ad76360093b64bc0d830379a4d6b3e5a0d53f165d12
- SHA512
  
  c99ae5de36b4fbfa768a025453a1f316a3ca7c76a8bbef15e9cfb61114cd2637896167064cfe163769ff7f2aac363a4f99131e2d128ced78e618353661dedff2
Score

3^/10
behavioral10 behavioral9
- Target
  
  start.bat
- Size
  
  66B
- MD5
  
  2c60732fe4eb99bb809c9a84e94abf5c
- SHA1
  
  29cc07b5e5387c1b7da47be47f82fac0018d21e0
- SHA256
  
  a63f510e28479e24075674f0ff6da4fe0ce0a1f95d48d16db198b361923e5d3d
- SHA512
  
  ace4995234033b88e3f4fe7d87a6610a3a549da7fbf25c20973359a22942dca5a848ba25b6ceaf98e81ff27a8a78cab2cb9ac2288357e8683f51daa2400a4456
Score

10^/10

qakbot obama224 1669794048 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral11 behavioral12

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Checks computer location settings

Qakbot/Qbot

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12