Resubmissions

09-12-2022 21:29  221209-1bvkqaed47  (score 10/10)

01-12-2022 21:11  221201-z1slzseg6v  (score 10/10)

General

  • Target

    17847 Dec 01.vhd

  • Size

    80.0MB

  • Sample

    221209-1bvkqaed47

  • MD5

    70f48a9a84cf0a043dd6c561e35e3483

  • SHA1

    8249a92320984e5fa5f5114406d7eb3247d67344

  • SHA256

    f071b3ecc96c80963115cd6f6fce57e861fa2934d4ef5b6612f66940daba18cb

  • SHA512

    853a8614ed647955ffb1bb54661fd7b8f36602c09c8d40ede7683c43df226ff89b231bb574334f0995807ee504366dddb240a3f3d9e2dafd41ef20c38f42c0f1

  • SSDEEP

    12288:HSUUEfo5I6/o2qgkpUdh9Msme0CWUdOWk4F:HSTiWDvL1Rme0C0Wk4

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
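The extracted configuration lists 20 C2 endpoints, a botnet tag and a campaign ID. The Python below is an added worked example, not part of the sandbox report or of any Qakbot tooling: it loads those values, decodes the campaign ID as a Unix timestamp (the convention Qakbot builds use for that field), validates and tallies the C2 entries by port, and scans a few constructed firewall log lines for connections to them. The log lines, the function names and the 203.0.113.10 benign destination are the example's own.

```python
"""Turn the Qakbot config extracted by the sandbox into checkable IOCs.
Config values are copied from the report; log lines are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

EXTRACTED_CONFIG = {
    "family": "qakbot",
    "version": "404.46",
    "botnet": "obama224",
    "campaign": "1669794048",
    "c2": """
        75.161.233.194:995   216.82.134.218:443   174.104.184.149:443
        173.18.126.3:443     87.202.101.164:50000 172.90.139.138:2222
        184.153.132.82:443   185.135.120.81:443   24.228.132.224:2222
        87.223.84.190:443    178.153.195.40:443   24.64.114.59:2222
        77.126.81.208:443    75.99.125.235:2222   173.239.94.212:443
        98.145.23.67:443     109.177.245.176:2222 72.200.109.104:443
        12.172.173.82:993    82.11.242.219:443
    """,
}


def campaign_to_utc(campaign: str) -> str:
    """Qakbot's campaign field is the build time as a Unix epoch."""
    ts = datetime.fromtimestamp(int(campaign), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_c2(raw: str) -> list[tuple[str, int]]:
    """Parse whitespace-separated 'ip:port' tokens; reject anything malformed."""
    entries: list[tuple[str, int]] = []
    for token in raw.split():
        host, sep, port = token.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {token!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on junk like 999.1.1.1
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"bad port in {token!r}")
        entries.append((str(ip), port_num))
    return entries


def port_histogram(entries: list[tuple[str, int]]) -> Counter:
    """Count C2 endpoints per destination port (useful for egress-filter review)."""
    return Counter(port for _, port in entries)


# Destination 'a.b.c.d:port' after the '->' arrow in the constructed log format.
_DST_RE = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def find_c2_hits(entries, log_lines, ip_only=False):
    """Return (line_no, ip, port) for log lines whose destination is a known C2.
    ip_only=True also flags a C2 IP seen on an unexpected port (weaker signal)."""
    exact = set(entries)
    ips = {ip for ip, _ in entries}
    hits = []
    for i, line in enumerate(log_lines):
        m = _DST_RE.search(line)
        if not m:
            continue
        dst_ip, dst_port = m.group(1), int(m.group(2))
        if (dst_ip, dst_port) in exact or (ip_only and dst_ip in ips):
            hits.append((i, dst_ip, dst_port))
    return hits


C2_ENTRIES = parse_c2(EXTRACTED_CONFIG["c2"])

# Constructed firewall log lines, not from the report; 203.0.113.10 is TEST-NET-3.
SAMPLE_LOG = [
    "2022-12-01T21:11:03Z ALLOW TCP 10.0.0.5:49812 -> 75.161.233.194:995",
    "2022-12-01T21:11:09Z ALLOW TCP 10.0.0.5:49813 -> 203.0.113.10:443",
    "2022-12-01T21:12:40Z ALLOW TCP 10.0.0.7:51002 -> 12.172.173.82:993",
    "2022-12-01T21:13:01Z ALLOW TCP 10.0.0.7:51003 -> 75.161.233.194:443",
]

if __name__ == "__main__":
    print("campaign built:", campaign_to_utc(EXTRACTED_CONFIG["campaign"]))
    print("C2 ports:", dict(port_histogram(C2_ENTRIES)))
    for hit in find_c2_hits(C2_ENTRIES, SAMPLE_LOG, ip_only=True):
        print("C2 contact:", hit)
```

Two caveats when acting on this list: Qakbot's tier-1 C2s are typically compromised residential hosts, so IP blocklists age quickly and the ports (443, 995, 993, 2222, 50000) matter more than any single address; and the campaign timestamp (30 Nov 2022) dates the build, not the distribution, which the resubmission dates show running into December.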

Targets

    • Target

      1270.dll

    • Size

      600KB

    • MD5

      21c907826867ea3e1453ff6c773e1dce

    • SHA1

      aa35fbe2a28c36cd76916d3d23792b5d3b35af5e

    • SHA256

      1612e086fe01d5a31287188fe4c373e5b2f30d10bc165f8e53bab5ab6ec3d458

    • SHA512

      dc3b35a7218f520e64e83982a791dc34b272aaafc8ef6591bd6a2b4d5947363e2188ced5825b950ef2db45eaf5f9875b07a73bb6caa37b91c162915d6e8d40d5

    • SSDEEP

      12288:QSUUEfo5I6/o2qgkpUdh9Msme0CWUdOWk4F:QSTiWDvL1Rme0C0Wk4

    Score
    1/10
    • Target

      17847 Dec 01.lnk

    • Size

      955B

    • MD5

      0a18cfdb2128226f1096903336306c7b

    • SHA1

      f96db837c52c2667fe1924221ff2cfb676dfbdd4

    • SHA256

      ba3ae6c13f3accb892ba075ef32c18c0841de76847c8f20670a80fab9d1e3e81

    • SHA512

      86983280f9f0508941963530bec8b521ddd7f26f411dc055e6afe3b27a130024822cf78d38bb54574184ba8e0d6fb6acbf92368cd83ba0c8e6f0f4d25dfc921c

    • Qakbot/Qbot

      Qbot, or Qakbot, is a modular banking trojan and loader that also spreads across networks like a worm; this sample carries the botnet tag obama224 and version 404.46 shown in the extracted config above.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that stops execution in unwanted regions.

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  Command-Line Interface (T1059): 1

Discovery
  Query Registry (T1012): 1
  System Information Discovery (T1082): 3
  Remote System Discovery (T1018): 1
