Resubmissions

  • 09-12-2022 21:27  221209-1aq6xaed45  10
  • 07-12-2022 11:05  221207-m678eaah33  10

General

  • Target: 0b39b5ad19dee91667016b3b3534416bd6e5a20bba3edcb4aab80f43bec0d4d9
  • Size: 101.2MB
  • Sample: 221209-1aq6xaed45
  • MD5: 7ca4a17c8066f223091557c7ad4fc5b6
  • SHA1: 0e44537757ed0c3c0a4ea2c71d531e07392fdfe9
  • SHA256: 0b39b5ad19dee91667016b3b3534416bd6e5a20bba3edcb4aab80f43bec0d4d9
  • SHA512: 82aba51da9e9e9521c282f383f1ce0d29cf41cdf6014067c6a5ba9af856107b20746c19a42fe9bfc8ee0d93f96ba05181125d797100ec8ad9cd43b39fa712ff6
  • SSDEEP: 24576:eFolOZ7iwXywfHH3vwLwZ0RV9Z0OEdMdPz52kqAaBJP8fnLJ518VCqoI2ytHE:eFolOZ7iwXywfHH3vwLwhuDHAHE

Malware Config

Extracted

  • Family: qakbot
  • Version: 404.46
  • Botnet: obama224
  • Campaign: 1669794048

C2


Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target: WP.vbs
    • Size: 181B
    • MD5: 36b42aaf5625df1c195e9c6d21e47287
    • SHA1: 797ad22a5570daaabbce770aae647d08ca4155d0
    • SHA256: 2fdf9677d4bfd71b17e349931b1377943c20a2689466038b9a67774270559082
    • SHA512: 2908c58ea798c3f5fcc6a31a739dfb7b5e26528a0ef68e18e533e549fdb1decb3c0667579606f72c54c138b1a6fc0c2eda4e47d06b4290460b096f77bff822d5
    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Target: metaphysic/clumped.ps1
    • Size: 370B
    • MD5: 5c6752386f0d0998e473c07477426a5e
    • SHA1: f12c4cd2257af6b248571bf390784ada9cca3e4b
    • SHA256: 9b626bf28a18833d5a1d9a67a8e884111838574d7e69d2688de3a11fcd514079
    • SHA512: d372a20e56dbe572b2893a4c480f7ef2218c2462b4b9bcda8d157eaa76464b4deebe2c1b46d1026fc8e2587b947074246752b4e383143ad7d125284d92b4bc25
    Score: 1/10

    • Target: metaphysic/goodly.vbs
    • Size: 181B
    • MD5: 36b42aaf5625df1c195e9c6d21e47287
    • SHA1: 797ad22a5570daaabbce770aae647d08ca4155d0
    • SHA256: 2fdf9677d4bfd71b17e349931b1377943c20a2689466038b9a67774270559082
    • SHA512: 2908c58ea798c3f5fcc6a31a739dfb7b5e26528a0ef68e18e533e549fdb1decb3c0667579606f72c54c138b1a6fc0c2eda4e47d06b4290460b096f77bff822d5
    Score: 7/10
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Command-Line Interface (T1059): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 5
  • Remote System Discovery (T1018): 1

Tasks