Malware sandboxing report by Hatching Triage

Resubmissions

05-12-2022 21:50

221205-1px8rsdf7x 10

05-12-2022 21:36

221205-1fxwmshg72 10

05-12-2022 21:13

221205-z2tknsbd2y 10

02-12-2022 18:49

221202-xgbs1sdc28 10

Sharing

Copy URL

Twitter E-mail

General

Target

Claim_AF63.vhd
Size

2MB
Sample

221205-1fxwmshg72
MD5

ccd285444778719c21abe5f687072149
SHA1

29cdfe69ba447a262787d89b5778c960d7fbd07b
SHA256

c40963bc270afc2d94e76fc822ded2263f45f6c00f4b82459d34df5b632fa790
SHA512

0aae1622967ae55b9d34b1dbeca9b6dbd3a9e30973434d7a33e929b88770e882d5a28ec37f2d32a1c57a510ce69995af31682f874480edb8b5e1cc0b08ba025f
SSDEEP

12288:mV5p/JOIdHcY+7nQfVgWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:q/JZdptOZuHk2JajfRO8

Score

10^/10

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama225

Campaign

1669974461

85.59.61.52:2222

66.191.69.18:995

186.64.67.9:443

174.104.184.149:443

91.165.188.74:50000

213.22.188.57:2222

173.18.126.3:443

90.89.95.158:2222

172.90.139.138:2222

78.100.230.10:995

184.153.132.82:443

41.100.146.58:443

85.152.152.46:443

75.99.125.235:2222

83.92.85.93:443

173.239.94.212:443

24.64.114.59:2222

74.66.134.24:443

98.145.23.67:443

213.67.255.57:2222

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  Claim.lnk
- Size
  
  1KB
- MD5
  
  9b3f9ba6670ca4f7462263afea03300d
- SHA1
  
  05a28549badf8b9d83e5a9ea7c960d5a7e5e8a83
- SHA256
  
  a4f4049b71130cd9104cbef4f6aeb3e9d6b10bcf53e154a5148a09e859cf0fa6
- SHA512
  
  1d15aa99644718ba6bfda2e4bc56f7941ff229487601ef07ce0cf03cafbf1f5e80ecb851daa9729a608070d21a82a669d83296ea1a92624f55abef60d99379fa
Score

10^/10

qakbot obama225 1669974461 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  amended/concavity.cmd
- Size
  
  225B
- MD5
  
  cf605826d7a1358aa8b936a7cdc486e3
- SHA1
  
  5bc66d8b6ba9200873f2c1fc15513c2ec5efce93
- SHA256
  
  be8947e2022457ae17805d261a38cf9379b05480caf94265175672ba86099dd8
- SHA512
  
  d6cc6c256162be004ea67d1a67bd04ca58656746a0268a3e619d197b50adf9d4fb6f2b8f3ab91994146bc0307368273fff8ebfed5b6dac5d495711b07995c613
Score

1^/10
behavioral3 behavioral4
- Target
  
  amended/depressurize.cmd
- Size
  
  294B
- MD5
  
  4478916ab6a542ba83d159f91d65c49a
- SHA1
  
  acf13927bc140cc3ae0e49de3c750adb78600002
- SHA256
  
  36754f9a2fe5f46e64976d49b253894de757a5fc9b1d7a81daf45c450529d0ad
- SHA512
  
  4ac53a5fbc1114095dba189edb0312fb8f1dd98f11dcf765281e10f977434795ccec172e4091187591006e677081a7c2ef100badefd9eb9504ec07ed69ccc558
Score

1^/10
behavioral5 behavioral6
- Target
  
  amended/unwarmed.tmp
- Size
  
  444KB
- MD5
  
  278dcd5147c869e6940e6baba52bb931
- SHA1
  
  cc8b2111b22a72a1d7831751c64ff9b107fc545d
- SHA256
  
  4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411
- SHA512
  
  2ddd45bbd30a11ac9816aa27053d6b9151468064de3245a46a82e35884814cd1a2dd8decbef540b92b22b106572c4bbe97f92f2a1ec01a5eab592d67c306654f
- SSDEEP
  
  12288:BWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:AOZuHk2JajfRO8
Score

10^/10

qakbot obama225 1669974461 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
behavioral7 behavioral8

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Qakbot/Qbot

Checks computer location settings

Qakbot/Qbot

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8