Malware sandboxing report by Hatching Triage

Resubmissions

06-12-2022 06:15

221206-gzxv7sbc77 3

02-12-2022 17:00

221202-vjcrzsbc51 10

Sharing

Copy URL

Twitter E-mail

General

Target

Claim_PE84.vhd
Size

2MB
Sample

221202-vjcrzsbc51
MD5

2fe68553beb0a7b084f1b349d6551d9c
SHA1

c7e8f7b9313e876b10623840989fb07c00203930
SHA256

edcb8d8e80eb826ec95ed9ccdc1d4470c3edd1782350187fc9bcd776c6d96095
SHA512

cf9d306a0948217c32dd865a1926c18405cb0e24aef2eadd4bdd81bf9376783fa1a44de90ddc0926e4e6f41094cff99869b325b6d22a200f8f8161ee177fc0a1
SSDEEP

24576:/wWw8wewswUwBw6gwsw3wTOZqHk2JajfRO8:/wWw8wewswUwBw6gwsw3waZaUY8

Score

10^/10

Malware Config

Extracted

Family	qakbot
Version	404.46
Botnet	obama225
Campaign	1669974461
C2	85.59.61.52:2222 66.191.69.18:995 186.64.67.9:443 174.104.184.149:443 91.165.188.74:50000 213.22.188.57:2222 173.18.126.3:443 90.89.95.158:2222 172.90.139.138:2222 78.100.230.10:995 184.153.132.82:443 41.100.146.58:443 85.152.152.46:443 75.99.125.235:2222 83.92.85.93:443 173.239.94.212:443 24.64.114.59:2222 74.66.134.24:443 98.145.23.67:443 213.67.255.57:2222 92.24.200.226:995 91.68.227.219:443 12.172.173.82:993 70.120.228.205:2083 216.196.245.102:2078 176.142.207.63:443 217.128.91.196:2222 24.228.132.224:2222 69.119.123.159:2222 201.208.139.250:2222 91.169.12.198:32100 64.121.161.102:443 87.221.197.110:2222 86.159.48.25:2222 103.141.50.117:995 41.62.182.1:443 92.186.69.229:2222 37.14.229.220:2222 123.3.240.16:995 70.160.80.210:443 176.128.178.251:443 12.172.173.82:995 94.63.65.146:443 78.163.33.44:443 74.92.243.113:50000 75.98.154.19:443 197.204.18.30:443 121.122.99.223:995 58.247.115.126:995 78.69.251.252:2222 213.91.235.146:443 76.80.180.154:995 130.43.99.103:995 93.156.103.241:443 93.24.192.142:20 41.62.220.86:995 12.172.173.82:465 92.185.204.18:2078 75.143.236.149:443 90.119.197.132:2222 80.13.179.151:2222 47.41.154.250:443 81.229.117.95:2222 92.189.214.236:2222 108.162.6.34:443 72.68.175.55:2222 84.35.26.14:995 12.172.173.82:990 188.54.99.243:995 92.239.81.124:443 92.27.86.48:2222 83.114.60.6:2222 216.196.245.102:2083 71.247.10.63:995 58.162.223.233:443 184.155.91.69:443 178.153.195.40:443 116.74.162.186:443 76.100.159.250:443 88.171.156.150:50000 156.216.253.65:995 73.161.176.218:443 70.115.104.126:995 109.159.119.169:2222 24.64.114.59:3389 87.223.89.157:443 89.129.109.27:2222 70.66.199.12:443 183.82.100.110:2222 142.161.27.232:2222 108.6.249.139:443 69.133.162.35:443 76.127.192.23:443 12.172.173.82:21 199.83.165.233:443 174.77.209.5:443 87.202.101.164:50000 90.104.22.28:2222 83.7.54.186:443 184.176.154.83:995 90.116.219.167:2222 92.207.132.174:2222 136.232.184.134:995 92.149.205.238:2222 86.225.214.138:2222 24.64.114.59:61202 198.2.51.242:993 70.51.136.94:2222 12.172.173.82:50001 75.158.15.211:443 85.61.165.153:2222 181.164.194.228:443 47.34.30.133:443 86.195.32.149:2222 41.34.106.203:993 72.200.109.104:443 196.207.146.214:443 24.206.27.39:443 172.117.139.142:995 190.18.236.175:443 85.59.61.52:2222 66.191.69.18:995 186.64.67.9:443 174.104.184.149:443 91.165.188.74:50000 213.22.188.57:2222 173.18.126.3:443 90.89.95.158:2222 172.90.139.138:2222 78.100.230.10:995 184.153.132.82:443 41.100.146.58:443 85.152.152.46:443 75.99.125.235:2222 83.92.85.93:443 173.239.94.212:443 24.64.114.59:2222 74.66.134.24:443 98.145.23.67:443 213.67.255.57:2222 92.24.200.226:995 91.68.227.219:443 12.172.173.82:993 70.120.228.205:2083 216.196.245.102:2078 176.142.207.63:443 217.128.91.196:2222 24.228.132.224:2222 69.119.123.159:2222 201.208.139.250:2222 91.169.12.198:32100 64.121.161.102:443 87.221.197.110:2222 86.159.48.25:2222 103.141.50.117:995 41.62.182.1:443 92.186.69.229:2222 37.14.229.220:2222 123.3.240.16:995 70.160.80.210:443 176.128.178.251:443 12.172.173.82:995 94.63.65.146:443 78.163.33.44:443 74.92.243.113:50000 75.98.154.19:443 197.204.18.30:443 121.122.99.223:995 58.247.115.126:995 78.69.251.252:2222 213.91.235.146:443 76.80.180.154:995 130.43.99.103:995 93.156.103.241:443 93.24.192.142:20 41.62.220.86:995 12.172.173.82:465 92.185.204.18:2078 75.143.236.149:443 90.119.197.132:2222 80.13.179.151:2222 47.41.154.250:443 81.229.117.95:2222 92.189.214.236:2222 108.162.6.34:443 72.68.175.55:2222 84.35.26.14:995 12.172.173.82:990 188.54.99.243:995 92.239.81.124:443 92.27.86.48:2222 83.114.60.6:2222 216.196.245.102:2083 71.247.10.63:995 58.162.223.233:443 184.155.91.69:443 178.153.195.40:443 116.74.162.186:443 76.100.159.250:443 88.171.156.150:50000 156.216.253.65:995 73.161.176.218:443 70.115.104.126:995 109.159.119.169:2222 24.64.114.59:3389 87.223.89.157:443 89.129.109.27:2222 70.66.199.12:443 183.82.100.110:2222 142.161.27.232:2222 108.6.249.139:443 69.133.162.35:443 76.127.192.23:443 12.172.173.82:21 199.83.165.233:443 174.77.209.5:443 87.202.101.164:50000 90.104.22.28:2222 83.7.54.186:443 184.176.154.83:995 90.116.219.167:2222 92.207.132.174:2222 136.232.184.134:995 92.149.205.238:2222 86.225.214.138:2222 24.64.114.59:61202 198.2.51.242:993 70.51.136.94:2222 12.172.173.82:50001 75.158.15.211:443 85.61.165.153:2222 181.164.194.228:443 47.34.30.133:443 86.195.32.149:2222 41.34.106.203:993 72.200.109.104:443 196.207.146.214:443 24.206.27.39:443 172.117.139.142:995 190.18.236.175:443
Attributes	salt SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Claim_PE84.vhd
- Size
  
  2MB
- MD5
  
  2fe68553beb0a7b084f1b349d6551d9c
- SHA1
  
  c7e8f7b9313e876b10623840989fb07c00203930
- SHA256
  
  edcb8d8e80eb826ec95ed9ccdc1d4470c3edd1782350187fc9bcd776c6d96095
- SHA512
  
  cf9d306a0948217c32dd865a1926c18405cb0e24aef2eadd4bdd81bf9376783fa1a44de90ddc0926e4e6f41094cff99869b325b6d22a200f8f8161ee177fc0a1
- SSDEEP
  
  24576:/wWw8wewswUwBw6gwsw3wTOZqHk2JajfRO8:/wWw8wewswUwBw6gwsw3waZaUY8
Score

3^/10
behavioral1 behavioral2
- Target
  
  Claim.lnk
- Size
  
  1KB
- MD5
  
  2f8f51992462ce218dfee554c976510e
- SHA1
  
  c92a3e2337bdd16f211299d0ae6b2336f9270a96
- SHA256
  
  e2f568bba1216700f7ac0a6ee76c742298485a90bdc80a2002798ba304e68b3a
- SHA512
  
  3a175e08f0bc6601952cb582e95ecadb0e89d57c5e7d59e27d5f7919056d13d087c424d9f3a32de6a974fd910536f0c9005ef8596fb07b5f4490daabb8f3e072
Score

10^/10

qakbot obama225 1669974461 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  respondents/advisement.txt
- Size
  
  287KB
- MD5
  
  630a60d58ac49dbdf0beb3c942320326
- SHA1
  
  ddde4b191d395681bc2176bbe9396f5ce23650a7
- SHA256
  
  8596b246ead10fce32b37b9b35b5477b4bd4e1052cbb7213f49fc984bb8dc501
- SHA512
  
  15d21b346578d2a3919b2af6a5e7fc0e43e8e8ba87305ccc18fe05029ccdd1abc45e9651cd6fd40f2c61bebaa85a317d7a3a7320a4f8ea3d89f084477115fbe0
- SSDEEP
  
  6144:zdGSnwpTS3vPwlkBnwcGSvjwiOVgNw8RtSkOhAnwKswruCdwswnFNwu:JwWw8wewiO4wCOAwBw6gwsw3wu
Score

1^/10
behavioral5 behavioral6
- Target
  
  respondents/crossbar.tmp
- Size
  
  444KB
- MD5
  
  5ddfeb10cd4a64cd2534f2d7d5876ffd
- SHA1
  
  270999d10c77d209a9f291f0bdb2596064f190fb
- SHA256
  
  8cb21de414adf9b4f81d2aaac1ba2e947f09a1913b4541d5ff59ef262efefa5d
- SHA512
  
  62422f2700c83f13c4480b54dc63373370764903a017f375afd590ba0ba5498f0c919ebc13732bbddab44b03c4340a2876320e95d505a728c9c62dee65420151
- SSDEEP
  
  12288:BWyGWZDZVFkHkmqnfsd5Ja46fDV3+QWc2:AOZqHk2JajfRO8
Score

10^/10

qakbot obama225 1669974461 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral7 behavioral8
- Target
  
  respondents/ibidem.cmd
- Size
  
  225B
- MD5
  
  44aa33a9891f351cf4be4105b0c343f5
- SHA1
  
  540533433c3eb095d8974ce5f7ef7986ef338ee7
- SHA256
  
  7a676b74f870a8e12a49d62a89f5fa13cc3b1f6e43d160436f4bec08dbfe6101
- SHA512
  
  e93c0876e485fd4d6e5456215a64fc550cb335f32fcfb914d1b205bb17bc63c5ee7333af225f46b34947731a369ab2e46c90a9892db9a03509f2ddec89a817d3
Score

1^/10
behavioral10 behavioral9
- Target
  
  respondents/suspect.cmd
- Size
  
  283B
- MD5
  
  99838a4fa2fbb0955a78f3fe97212626
- SHA1
  
  32a16917424cf9f98ffac8737b8293d268c27aec
- SHA256
  
  6ce73c1af6962cd08164173eeab0c367c069c2d0a583ef7f92ddbf3ef3a5bfa9
- SHA512
  
  1317ab6f713d897c5f4a445ee476440fe3140b13cc6f40fee4cdbe3f1d6d04c14c7f0ef8f2e83bdecacac1a54e55e87a1ee7547dae49520439379fd99a5215a7
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Checks computer location settings

Qakbot/Qbot

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12