Overview

overview

10

Static

static

WP.vbs

windows7-x64

10

WP.vbs

windows10-2004-x64

10

metaphysic...ap.ps1

windows7-x64

1

metaphysic...ap.ps1

windows10-2004-x64

1

metaphysic...nt.vbs

windows7-x64

3

metaphysic...nt.vbs

windows10-2004-x64

7

Resubmissions

09-12-2022 21:29

221209-1b834sed53 10

02-12-2022 06:18

221202-g2rrzaea7z 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EM-754WP.iso

  • Size

    101.2MB

  • Sample

    221202-g2rrzaea7z

  • MD5

    3c9a8cb33327521508a6358bfbfd3b7f

  • SHA1

    f9708ed11ff7b06607c2f9fa986f2894e507b1df

  • SHA256

    2f7517bb9127d88aa84c804e2a6324203ab0044cb43808973066008fd5ff55ce

  • SHA512

    90dae20e34cd3149490c75824143b5ad6e9ab3abc8e14548eff992586263be77999f83a7b3f8247c77f89e688ab41327a3e88e7cc2c95fe1066af413afff22f1

  • SSDEEP

    24576:3FolOZ7iwiywfHH3vwLwZ0RV9Z0OEdMd9z52kqAaBJP8fnLJ518VCqoI2ytHE:3FolOZ7iwiywfHH3vwLwvuDHAHE

Score
10/10
qakbotobama2241669794048bankerstealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      WP.vbs

    • Size

      183B

    • MD5

      aff69cc4acf60a9fd5af0bab07f49eb0

    • SHA1

      957e39a68fad05f0dea30cd54d1622fd8aeae824

    • SHA256

      23e1bc2a1944ef6debd6cb4611c0884be719e54b54d0b1d7de7bac9b656e386b

    • SHA512

      304c1f7797d783f53c2688d9ddc28766af44a2d34a6264f7a2cf5976543387688b27a62715d6a6515f2748ac6fa08040bca9130757b79c8407f10b1690c36049

    Score
    10/10
    qakbotobama2241669794048bankerstealertrojan

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

    • Target

      metaphysic/bootstrap.ps1

    • Size

      371B

    • MD5

      16f9b6d8274f528af9053feed19895ce

    • SHA1

      74215c7063493e3ece465afcc9884b33f51fb77f

    • SHA256

      b08613e04e946bc1a2e62d88bfde1724430750b9432349a4db865e888ee3b064

    • SHA512

      904802723071e4aa910e4b585ecbda1672783741fcca56947aaa274eb0114a3afd58acbb1690539ecbe0331c4276cb591207269775c508cc136dd0bf7bedb60f

    Score
    1/10
    behavioral3behavioral4

    • Target

      metaphysic/entertainment.vbs

    • Size

      183B

    • MD5

      aff69cc4acf60a9fd5af0bab07f49eb0

    • SHA1

      957e39a68fad05f0dea30cd54d1622fd8aeae824

    • SHA256

      23e1bc2a1944ef6debd6cb4611c0884be719e54b54d0b1d7de7bac9b656e386b

    • SHA512

      304c1f7797d783f53c2688d9ddc28766af44a2d34a6264f7a2cf5976543387688b27a62715d6a6515f2748ac6fa08040bca9130757b79c8407f10b1690c36049

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks