Resubmissions

    Submitted           Sample               Score
    05-12-2022 21:50    221205-1px8rsdf7x    10
    05-12-2022 21:36    221205-1fxwmshg72    10
    05-12-2022 21:13    221205-z2tknsbd2y    10
    02-12-2022 18:49    221202-xgbs1sdc28    10

General

  • Target

    Claim_AF63.vhd

  • Size

    2MB

  • Sample

    221205-1fxwmshg72

  • MD5

    ccd285444778719c21abe5f687072149

  • SHA1

    29cdfe69ba447a262787d89b5778c960d7fbd07b

  • SHA256

    c40963bc270afc2d94e76fc822ded2263f45f6c00f4b82459d34df5b632fa790

  • SHA512

    0aae1622967ae55b9d34b1dbeca9b6dbd3a9e30973434d7a33e929b88770e882d5a28ec37f2d32a1c57a510ce69995af31682f874480edb8b5e1cc0b08ba025f

  • SSDEEP

    12288:mV5p/JOIdHcY+7nQfVgWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:q/JZdptOZuHk2JajfRO8

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama225

Campaign

1669974461

C2

85.59.61.52:2222

66.191.69.18:995

186.64.67.9:443

174.104.184.149:443

91.165.188.74:50000

213.22.188.57:2222

173.18.126.3:443

90.89.95.158:2222

172.90.139.138:2222

78.100.230.10:995

184.153.132.82:443

41.100.146.58:443

85.152.152.46:443

75.99.125.235:2222

83.92.85.93:443

173.239.94.212:443

24.64.114.59:2222

74.66.134.24:443

98.145.23.67:443

213.67.255.57:2222

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      Claim.lnk

    • Size

      1KB

    • MD5

      9b3f9ba6670ca4f7462263afea03300d

    • SHA1

      05a28549badf8b9d83e5a9ea7c960d5a7e5e8a83

    • SHA256

      a4f4049b71130cd9104cbef4f6aeb3e9d6b10bcf53e154a5148a09e859cf0fa6

    • SHA512

      1d15aa99644718ba6bfda2e4bc56f7941ff229487601ef07ce0cf03cafbf1f5e80ecb851daa9729a608070d21a82a669d83296ea1a92624f55abef60d99379fa

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Target

      amended/concavity.cmd

    • Size

      225B

    • MD5

      cf605826d7a1358aa8b936a7cdc486e3

    • SHA1

      5bc66d8b6ba9200873f2c1fc15513c2ec5efce93

    • SHA256

      be8947e2022457ae17805d261a38cf9379b05480caf94265175672ba86099dd8

    • SHA512

      d6cc6c256162be004ea67d1a67bd04ca58656746a0268a3e619d197b50adf9d4fb6f2b8f3ab91994146bc0307368273fff8ebfed5b6dac5d495711b07995c613

    • Score

      1/10

    • Target

      amended/depressurize.cmd

    • Size

      294B

    • MD5

      4478916ab6a542ba83d159f91d65c49a

    • SHA1

      acf13927bc140cc3ae0e49de3c750adb78600002

    • SHA256

      36754f9a2fe5f46e64976d49b253894de757a5fc9b1d7a81daf45c450529d0ad

    • SHA512

      4ac53a5fbc1114095dba189edb0312fb8f1dd98f11dcf765281e10f977434795ccec172e4091187591006e677081a7c2ef100badefd9eb9504ec07ed69ccc558

    • Score

      1/10

    • Target

      amended/unwarmed.tmp

    • Size

      444KB

    • MD5

      278dcd5147c869e6940e6baba52bb931

    • SHA1

      cc8b2111b22a72a1d7831751c64ff9b107fc545d

    • SHA256

      4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411

    • SHA512

      2ddd45bbd30a11ac9816aa27053d6b9151468064de3245a46a82e35884814cd1a2dd8decbef540b92b22b106572c4bbe97f92f2a1ec01a5eab592d67c306654f

    • SSDEEP

      12288:BWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:AOZuHk2JajfRO8

MITRE ATT&CK Matrix

    Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation