Overview

overview

10

Static

static

HG.lnk

windows7-x64

10

HG.lnk

windows10-2004-x64

10

reveled/aide.dll

windows7-x64

1

reveled/aide.dll

windows10-2004-x64

6

reveled/bl...th.cmd

windows7-x64

1

reveled/bl...th.cmd

windows10-2004-x64

1

reveled/uncoupled.cmd

windows7-x64

1

reveled/uncoupled.cmd

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    NE29.zip

  • Size

    392KB

  • Sample

    221205-q66alaae4s

  • MD5

    085423d2f8804beb21682d8c1a6171fd

  • SHA1

    d44a7e8be351022db63373b7ba1e09a8e57f3bf5

  • SHA256

    c55b0fbb97fd02505e3de699a64fadf5b512389553cdf9a1a3d9da3fe3d42408

  • SHA512

    d061626710b4a93ed2f471f03399712393d30b9094c70d4800cc920da88a1c5cdcb2817e58c6d649a64bb4f0e5e9fad5dd133ad5fd42a25a18ae5fa29e278fca

  • SSDEEP

    12288:dDFN9VEwuewy8omkDT7dZcRrqPPUGP20G:dDFNvE7ewy+kD/cUi0G

Score
10/10
qakbotbb091670238005bankerpersistencestealertrojan

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

BB09

Campaign

1670238005

C2

76.100.159.250:443

66.191.69.18:995

186.64.67.9:443

50.90.249.161:443

109.150.179.158:2222

92.149.205.238:2222

86.165.15.180:2222

41.44.19.36:995

78.17.157.5:443

173.18.126.3:443

75.99.125.235:2222

172.90.139.138:2222

27.99.45.237:2222

91.68.227.219:443

12.172.173.82:993

103.144.201.62:2078

12.172.173.82:990

173.239.94.212:443

91.169.12.198:32100

24.64.114.59:2222
Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      HG.lnk

    • Size

      1KB

    • MD5

      089bf2810086af31da3af97c358d613e

    • SHA1

      0c07af5537d266a821dcf28a7f235820df490d37

    • SHA256

      d9d21d9ef65883621b3eedf88cae3507c981d7cb1d1a19dfcbf271123ae79731

    • SHA512

      8ec50063a8b5743c1f3d853eee312f9ae2652d343de0a5054ae9ab9d78b398639489ca1908d9b648f22f43e4c29f0a7ddc0fe34cc9c23be6b9ae8bbf4b513b14

    Score
    10/10
    qakbotbb091670238005bankerstealertrojan

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      reveled/aide.tmp

    • Size

      667KB

    • MD5

      c498b31fddb2b85708fcb3eead642ac4

    • SHA1

      28b1f81c717ab08b699ce00de6acd4417dde4608

    • SHA256

      3be09d5c330cc1165e5270a0ee827d8d0ebc36089d96d88fd747b3d3d41ed2ab

    • SHA512

      1fac331a146439c4aa8a9e330e2a076e925c882565873c51c7443d0c27201a450d624e18dbd5840a629b95b226cbcb7734ce7f57b3f80c628a0f699529030003

    • SSDEEP

      6144:JxE9vbMKBWrQXhjXNkXWaw0SeUK/SZmtoLOAuUWjxSY2H6+5tjesNMjuX+yM3H59:nV6Wrg9NqGcUKaUSYu5tjz5niH9km

    Score
    6/10
    persistence

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      reveled/blacksmith.cmd

    • Size

      201B

    • MD5

      1a1747d0bb586fdae53ee9168ee97871

    • SHA1

      ee45236fb79895f28bd24361d7d3fbe1aaafd93b

    • SHA256

      757e47a6aa3badf00396ecb9d17dd5386c718aa3b7ccdcef4909716196017ce5

    • SHA512

      b0474e952fda57a70c2bfcdfbb32ecdf71bb6fb0c447b50e89b1e93c4cb535125d02e5caa17e1d7036c14b9044b45efaa9332b1f26e94939a47653d5fecd2133

    Score
    1/10
    behavioral5behavioral6

    • Target

      reveled/uncoupled.cmd

    • Size

      307B

    • MD5

      55a39acb4148f671a9d7e457c0bf6efd

    • SHA1

      145347e9bc00fe8cacfdff2af95582b3e0b146b6

    • SHA256

      1b132cf4ca8153b514f1b468f1c8d3be24a5f9c16284512cc0b32854d4570001

    • SHA512

      6dfaf61dfd1036efad3eff7c0f9d19d66cd058a9aa2bd7dd41e93ddec052e8ff120cd0e2215c14ac6e78025756c3d18bdc071e523b2a0bc8077c5c9c1223c4eb

    Score
    1/10
    behavioral7behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks