Resubmissions

12-12-2022 14:44

221212-r4hl7aec7w 10

09-12-2022 20:54

221209-zpzwxshb4y 10

02-12-2022 06:24

221202-g6c5daed8w 10

General

  • Target

    18742 Dec 01.vhd

  • Size

    80MB

  • Sample

    221202-g6c5daed8w

  • MD5

    f997ed3ef5bfa00bfd6407b83083f210

  • SHA1

    6c2b807f32936292251462a9fec2d30f95c2d36f

  • SHA256

    50df969f412391ca19609bbeeac268a4cf97ed8cc605fbfeddcb628373a637d9

  • SHA512

    5eef91ba9f51a0f9c5905bc99de1b2804407fb5e0e7417184044b0b896c0ad4044eacfad25831d219145124276fd91203f2ea790300bf2a098392cd770aa1aba

  • SSDEEP

    12288:qSUUEfo5I6/o2qgkpUdW9Msme0CWUdOWk4F:qSTiWDvLORme0C0Wk4

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      119.dll

    • Size

      600KB

    • MD5

      86659e53d359999558acaf2de74ceda8

    • SHA1

      76d86cce6c07ad8b1070e555e0e6de68ad01d34d

    • SHA256

      b9c850873402914f5379f21fd04a18e63f2a4638a10bd2bfca005d4d4ed199f9

    • SHA512

      9c3914680e0d9b7ca189c79870067814a4f8d6148da92e81cab3a45ab05c809dc484d32f82d47fc45bcf1ae88e5c4e1c3e1c8376c8bc5bff37fd909c0e37c448

    • SSDEEP

      12288:QSUUEfo5I6/o2qgkpUdW9Msme0CWUdOWk4F:QSTiWDvLORme0C0Wk4

    Score
    1/10
    • Target

      18742 Dec 01.lnk

    • Size

      953B

    • MD5

      098b6e805026f750ef6e214b1cba2866

    • SHA1

      0e05e404a1d7b433ec685a95441c2fd217782666

    • SHA256

      1a15469c33949c1d8dadc4f6b382b93952e7122af7e3b411118244a645f4c071

    • SHA512

      c2b930791809e7c1bb0b23354a186b6f35519fe779ff84d9b3c2c0a3500d7d1b3410776086bacf754996c1778ef931ec569ba01f2f4ded38452a70b4e2a06565

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Tasks