General

  • Target

    bat.zip

  • Size

    358KB

  • Sample

    221202-cb16haff5t

  • MD5

    3ffb94630ddcb1a81f57294c49f2e51d

  • SHA1

    657e7a0f0bd48ae15172ebbacaa22affb2834534

  • SHA256

    6df17ee2db1e11f4c41f4066dd2a7f3b574d0f1098fcdf2e847d92ff8db95837

  • SHA512

    983a7ea7f4b69fd74a4f40399e4fb4144d3fc94bba14b466f6f52c8c1ff2baa1ad0e11bcf7c8126d1094a7f2336ea49207dcc85ecbf82c1e09eea7e750a546f5

  • SSDEEP

    6144:Lyu+Fuht+YWPF+BVVgbtB+cVOXSLn4RB2oE9MU5hRyceZPW3neDJ0G7I:LWuhteQBVVmV+GeEdsZPAQZ0

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048 (Qakbot stores the campaign ID as a Unix timestamp; this one decodes to 2022-11-30 07:40:48 UTC)

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt

SoNuce]ugdiB3c[doMuce2s81*uXmcvP
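
The configuration above can be turned into detection content directly. The following Python is an added example, not part of the sandbox report, that takes the botnet, campaign and C2 values listed on this page, decodes the campaign value (Qakbot stores a Unix timestamp there), validates each host:port entry before it becomes a rule, groups the C2s by port and emits Suricata rules and an IP block list. The rule message text, the SID range and the rejected sample entries used to exercise the validator are assumptions chosen for the example.

```python
"""Turn the Qakbot config extracted above into IOCs and detection rules."""
import ipaddress
from datetime import datetime, timezone

# Values copied from the Malware Config section of this report.
BOTNET = "obama224"
CAMPAIGN = 1669794048
C2_LIST = [
    "75.161.233.194:995", "216.82.134.218:443", "174.104.184.149:443",
    "173.18.126.3:443", "87.202.101.164:50000", "172.90.139.138:2222",
    "184.153.132.82:443", "185.135.120.81:443", "24.228.132.224:2222",
    "87.223.84.190:443", "178.153.195.40:443", "24.64.114.59:2222",
    "77.126.81.208:443", "75.99.125.235:2222", "173.239.94.212:443",
    "98.145.23.67:443", "109.177.245.176:2222", "72.200.109.104:443",
    "12.172.173.82:993", "82.11.242.219:443",
]


def campaign_time(epoch: int) -> datetime:
    """Qakbot's campaign field is a Unix timestamp (seconds, UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def parse_c2(entry: str):
    """Return (ip, port) for a well-formed, routable host:port, else None.

    Config extractors occasionally emit junk (truncated strings, private
    ranges, out-of-range ports); a bad entry must not silently become a
    firewall rule, so every field is checked before it is accepted.
    """
    host, sep, port_s = entry.rpartition(":")
    if not sep or not port_s.isdigit():
        return None
    port = int(port_s)
    if not 1 <= port <= 65535:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if not ip.is_global:
        return None
    return ip, port


def validate(entries):
    """Split entries into accepted (ip, port) tuples and rejected raw strings."""
    good, bad = [], []
    for e in entries:
        parsed = parse_c2(e)
        (good if parsed else bad).append(parsed or e)
    return good, bad


def group_by_port(entries):
    """Map port -> sorted IP list, which makes the non-443 outliers easy to see."""
    by_port = {}
    for ip, port in validate(entries)[0]:
        by_port.setdefault(port, []).append(str(ip))
    return {p: sorted(v) for p, v in sorted(by_port.items())}


def suricata_rules(entries, sid_base=9_000_001):
    """One outbound alert rule per C2 (msg text and SID range are assumptions here)."""
    rules = []
    for i, (ip, port) in enumerate(validate(entries)[0]):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot C2 {BOTNET} campaign {CAMPAIGN}"; '
            f'flow:to_server,established; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def blocklist(entries):
    """Deduplicated IP list, sorted numerically, for an egress deny-list import."""
    return sorted({str(ip) for ip, _ in validate(entries)[0]}, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("campaign:", campaign_time(CAMPAIGN).isoformat())
    for port, ips in group_by_port(C2_LIST).items():
        print(f"port {port}: {len(ips)} C2s")
    print("\n".join(suricata_rules(C2_LIST)[:3]))
```

Grouping by port is worth doing before pushing rules: the 443 entries blend in with normal HTTPS egress, while the 993, 995, 2222 and 50000 entries are the ones most likely to stand out in proxy or firewall logs.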

Targets

    • Target

      bat.zip

    • Size

      358KB

    • MD5

      3ffb94630ddcb1a81f57294c49f2e51d

    • SHA1

      657e7a0f0bd48ae15172ebbacaa22affb2834534

    • SHA256

      6df17ee2db1e11f4c41f4066dd2a7f3b574d0f1098fcdf2e847d92ff8db95837

    • SHA512

      983a7ea7f4b69fd74a4f40399e4fb4144d3fc94bba14b466f6f52c8c1ff2baa1ad0e11bcf7c8126d1094a7f2336ea49207dcc85ecbf82c1e09eea7e750a546f5

    • SSDEEP

      6144:Lyu+Fuht+YWPF+BVVgbtB+cVOXSLn4RB2oE9MU5hRyceZPW3neDJ0G7I:LWuhteQBVVmV+GeEdsZPAQZ0

    Score
    1/10
    • Target

      18014 Dec 01.lnk

    • Size

      953B

    • MD5

      5935879839af4f93eab1f31bf680e383

    • SHA1

      239302f01d02b8792aaf25646f6eb9b397bd9464

    • SHA256

      0cc402542c3376fc2aa7cd0ac1a8b63d1cf702f55d57a3918a4edabd70085fa8

    • SHA512

      f46bea3f46c69d8ddd8c39fe8630aafee234f41716613f904297bf0bf7aac1d5763f780eff404ce713d82623d2fada988d9da8551b18b052094054f4a263ac3c

    • Qakbot/Qbot

Qbot, also known as Qakbot, is a banking trojan with worm-like self-propagation capabilities; the extracted configuration above identifies this sample as that family.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence so the payload can refuse to run in certain locales.

    • Target

      587.dll

    • Size

      600KB

    • MD5

      f5e2e5bc6629db401c96da463a1ce7ed

    • SHA1

      7485b301c1c405df1fedfb28cedfeb21fb531f17

    • SHA256

      456a599f6904b3ce205ff88d015c95f890e6c1b8e9a3177c057bdd4e2358b36c

    • SHA512

      2be0087729f422c7c039955cb79a947959e822db583c68aacf5c2f83856977c4dbb51971b19c6bfff620f60bc6e954d5a6a687aae9eb3fa4ec95c4687c7ce461

    • SSDEEP

      12288:QSUUEfo5I6/o2qgkpUdQ9Msme0CWUdOWk4F:QSTiWDvLgRme0C0Wk4

    Score
    1/10
    • Target

      System Volume Information/IndexerVolumeGuid

    • Size

      76B

    • MD5

      426444c2c08ee779ef8c0ddb220d22a4

    • SHA1

      a1fa468c642c10af2d0287d9e7b8221d20874ed4

    • SHA256

      a1725d843002870af87a9146f1708a3d13e8512cd9a771215c1f90b3191cbddb

    • SHA512

      949eb62ae2d355204c8ccc945501eee2afbb82d7f3989afe85d96b831c44047aa46672d6c352a132d065d698592dd3dcac3cef5d3a2acef9a3e05e8f47c7b841

    Score
    1/10
    • Target

      System Volume Information/WPSettings.dat

    • Size

      12B

    • MD5

      09d461fdadf39fa702d61cca24e6317e

    • SHA1

      9f257178f279c65d21b91987114075579b95fbef

    • SHA256

      93ac1052dc52572fb6c45ad76360093b64bc0d830379a4d6b3e5a0d53f165d12

    • SHA512

      c99ae5de36b4fbfa768a025453a1f316a3ca7c76a8bbef15e9cfb61114cd2637896167064cfe163769ff7f2aac363a4f99131e2d128ced78e618353661dedff2

    Score
    3/10
    • Target

      start.bat

    • Size

      66B

    • MD5

      2c60732fe4eb99bb809c9a84e94abf5c

    • SHA1

      29cc07b5e5387c1b7da47be47f82fac0018d21e0

    • SHA256

      a63f510e28479e24075674f0ff6da4fe0ce0a1f95d48d16db198b361923e5d3d

    • SHA512

      ace4995234033b88e3f4fe7d87a6610a3a549da7fbf25c20973359a22942dca5a848ba25b6ceaf98e81ff27a8a78cab2cb9ac2288357e8683f51daa2400a4456

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (no technique entries survived in this extraction of the report)

Tasks