General

  • Target

    06917 Dec 01.zip

  • Size

    446KB

  • Sample

    221202-znkevach42

  • MD5

    d6acf3aa035f91d975d6984657eb0bfc

  • SHA1

    f54c55f28ad5b15e5bb66ea75ae147401d91b10a

  • SHA256

    844f2588bf76fe8d569615b68eb3aaac049d744d476a0f575a2e577bea67c90e

  • SHA512

    e52d33f468abc2425be82016276f1240f33ba7a1c9ad237a0845b31ac0741b94f6b929dbe60d69023adce0f9fde5ccd225dee459f45aa4c0957602f7b0c83adb

  • SSDEEP

    12288:WWgAkv/QjPoJU6cuIHn1s0pnSeGqlj7I+WzbVth:9gXG0tDQqMnSnqjZWzbVth

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes

salt

SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      current/06917 Dec 01.vhd

    • Size

      80MB

    • MD5

      f4ed665db2ecb280438c77022ddf3af4

    • SHA1

      dce99de2190a63d03a1bf6d03846ec193f6b45d7

    • SHA256

      7bcc44f09b8906e6b5a150127b016a6552ee00588e93a63ca62115bb2b1f0155

    • SHA512

      eaea1f063663770d86a353e7ddfea631543ac64faa949190621b3a8b4f6bce44be6ce18386f9ea944bef8a49e5c305d64f0f29dd3e61dd3da2e21008048d106b

    • SSDEEP

      12288:/SUUEfo5I6/o2qgkpUdw9Msme0CWUdOWk4F:/STiWDvL8Rme0C0Wk4

    Score

    1/10

    • Target

      06917 Dec 01.lnk

    • Size

      953B

    • MD5

      9ffcb1e433c7e487898866ad9b514dac

    • SHA1

      ecfef94f8895dbf4771a2e812a7b9da4fc4a96c1

    • SHA256

      3dd7a3b704f58ba8f2028e246d48868d9937a8bb550a310dbaa7b3a5d62a1e7b

    • SHA512

      f658eeb0a424dd44b61012050bfc36d9d039a8ef994fa7c0d308ea72bfc27b3f8ef4a4d01c24d415c14360d2f825afd2124dbf7757bec18cdd92c04801985b39

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      322.dll

    • Size

      600KB

    • MD5

      36bfb619fb05c2e736e27c870d551de7

    • SHA1

      204998bb8778ace62e586b682479931fee6b3691

    • SHA256

      998baec3eda761286f427dcd37c5252ccb97da257b67667502c367853be886f6

    • SHA512

      a358c654d4c9744aae04a183e37317a14ac5177f7936dd8a81f8c0784ff1fc93025dcc1f2309b76c83d8f2c22bb3fcc63af096d7a35556177e800853f96d9db3

    • SSDEEP

      12288:QSUUEfo5I6/o2qgkpUdw9Msme0CWUdOWk4F:QSTiWDvL8Rme0C0Wk4

    Score

    1/10

    • Target

      System Volume Information/WPSettings.dat

    • Size

      12B

    • MD5

      09d461fdadf39fa702d61cca24e6317e

    • SHA1

      9f257178f279c65d21b91987114075579b95fbef

    • SHA256

      93ac1052dc52572fb6c45ad76360093b64bc0d830379a4d6b3e5a0d53f165d12

    • SHA512

      c99ae5de36b4fbfa768a025453a1f316a3ca7c76a8bbef15e9cfb61114cd2637896167064cfe163769ff7f2aac363a4f99131e2d128ced78e618353661dedff2

    Score

    3/10

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks