Resubmissions

09-12-2022 21:29    221209-1cd95ahc3z    Score 10/10

01-12-2022 14:21    221201-rpb6vsfg89    Score 10/10

General

  • Target

    JA-628WP.iso

  • Size

    101.2MB

  • Sample

    221209-1cd95ahc3z

  • MD5

    8e840abb75d5a8b513af1354f08d3c51

  • SHA1

    1256b46bfe1c4fd33c6fc1c3a20a5bd250fead28

  • SHA256

    e8265e1760c285bab27fe8817adcd5e6228c81dcebafe41e6de818856a61db65

  • SHA512

    5e66bf96dc93f155fb36f96f32c054edb0fd4813d696aca555a13368184d852a4920696c66773eaa9a027bf014a85f1b7a89beebcfaaaa18a4d79d78c97e7477

  • SSDEEP

    24576:YFolOZ7iwhywfHH3vwLwZ0RV9Z0OEdMdvz52kqAaBJP8fnLJ518VCqoI2ytHE:YFolOZ7iwhywfHH3vwLwRuDHAHE

Malware Config

Extracted

Family

qakbot

Version

404.46

Botnet

obama224

Campaign

1669794048

C2

75.161.233.194:995

216.82.134.218:443

174.104.184.149:443

173.18.126.3:443

87.202.101.164:50000

172.90.139.138:2222

184.153.132.82:443

185.135.120.81:443

24.228.132.224:2222

87.223.84.190:443

178.153.195.40:443

24.64.114.59:2222

77.126.81.208:443

75.99.125.235:2222

173.239.94.212:443

98.145.23.67:443

109.177.245.176:2222

72.200.109.104:443

12.172.173.82:993

82.11.242.219:443

Attributes
  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
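The extracted config above is most useful once it is turned into something that can be run against your own telemetry. The following is an added example, not part of this sandbox report or of any tooling behind it: it embeds the C2 list and campaign ID exactly as shown above, hunts for contact with those endpoints in constructed Zeek conn.log-style records (made up for this example), and decodes the Campaign field on the assumption that it is a Unix epoch timestamp. Under that assumption 1669794048 decodes to 2022-11-30 07:40:48 UTC, the day before the first submission of this sample. The field names and the log format are illustrative choices, not something the report states.

```python
"""Turn the extracted Qakbot config above into a hunt over connection logs.

Added example, not part of the sandbox report. The C2 list and campaign ID are
copied from the Malware Config section; the log lines are constructed.
"""
from datetime import datetime, timezone
import ipaddress

# C2 endpoints exactly as listed in the extracted config (botnet obama224).
QAKBOT_C2 = """
75.161.233.194:995
216.82.134.218:443
174.104.184.149:443
173.18.126.3:443
87.202.101.164:50000
172.90.139.138:2222
184.153.132.82:443
185.135.120.81:443
24.228.132.224:2222
87.223.84.190:443
178.153.195.40:443
24.64.114.59:2222
77.126.81.208:443
75.99.125.235:2222
173.239.94.212:443
98.145.23.67:443
109.177.245.176:2222
72.200.109.104:443
12.172.173.82:993
82.11.242.219:443
"""

CAMPAIGN_ID = 1669794048  # "Campaign" field from the extracted config


def parse_c2_list(text):
    """Parse 'ip:port' lines into a set of (ip, port); malformed lines are skipped."""
    endpoints = set()
    for line in text.splitlines():
        host, sep, port = line.strip().rpartition(":")
        if not sep:
            continue
        try:
            endpoints.add((str(ipaddress.ip_address(host)), int(port)))
        except ValueError:
            continue
    return endpoints


def campaign_to_utc(campaign_id):
    """Assumption: the campaign ID is a Unix epoch timestamp.

    1669794048 decodes to 2022-11-30 07:40:48 UTC, the day before the first
    submission of this sample, which supports that reading.
    """
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)


# Constructed Zeek conn.log-style records, tab separated:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = """\
1670000001.1\t10.0.0.5\t51234\t142.250.72.14\t443\ttcp
1670000002.2\t10.0.0.5\t51235\t75.161.233.194\t995\ttcp
1670000003.3\t10.0.0.7\t51236\t172.90.139.138\t2222\ttcp
1670000004.4\t10.0.0.7\t51237\t172.90.139.138\t443\ttcp
1670000005.5\t10.0.0.9\t51238\t87.202.101.164\t50000\ttcp
"""


def find_c2_hits(conn_log, endpoints, ip_only=False):
    """Return [(src_ip, dst_ip, dst_port)] for flows to a configured C2.

    The config pins a port per C2, so the default matches on the exact
    (ip, port) pair; ip_only=True also catches the same host on another port,
    which is noisier but useful when the bot falls back to other listeners.
    """
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in conn_log.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        src, dst, dport = fields[1], fields[3], fields[4]
        try:
            key = (str(ipaddress.ip_address(dst)), int(dport))
        except ValueError:
            continue
        if key in endpoints or (ip_only and key[0] in c2_ips):
            hits.append((src, key[0], key[1]))
    return hits


if __name__ == "__main__":
    c2 = parse_c2_list(QAKBOT_C2)
    print(f"{len(c2)} C2 endpoints, campaign built "
          f"{campaign_to_utc(CAMPAIGN_ID):%Y-%m-%d %H:%M:%S} UTC")
    for src, dst, port in find_c2_hits(SAMPLE_CONN_LOG, c2):
        print(f"C2 contact: {src} -> {dst}:{port}")
```

Exact (ip, port) matching is the low-noise default because the config ties each C2 to one port, and the list includes ports such as 2222, 993, 995 and 50000 alongside 443. The fourth constructed record (a known C2 host on 443 instead of its configured 2222) is only flagged with ip_only=True; decide per environment whether that broader view is worth the extra triage.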

Targets

    • Target

      WP.vbs

    • Size

      178B

    • MD5

      6d56c723eb7cf7abd06aa50a7056e6aa

    • SHA1

      6f8356a7b9ef9bf8be6defae17f16e2379414ab6

    • SHA256

      5331551c8b14b836ab6ed2aaa09f7b9b6219e6c188e35ec17b8a1bb8b3552183

    • SHA512

      50fde4517a31909d12e0a0169321a98ad752adb5fff58a6279330fe5cc5f1f27cdbe93f0f38d2d81c932cbd833129a931f8fff839f01247a10a57c4eee24cc2f

    • Qakbot/Qbot

      Qbot, also known as Qakbot, is a sophisticated banking trojan and loader with worm-like spreading capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      metaphysic/communication.vbs

    • Size

      178B

    • MD5

      6d56c723eb7cf7abd06aa50a7056e6aa

    • SHA1

      6f8356a7b9ef9bf8be6defae17f16e2379414ab6

    • SHA256

      5331551c8b14b836ab6ed2aaa09f7b9b6219e6c188e35ec17b8a1bb8b3552183

    • SHA512

      50fde4517a31909d12e0a0169321a98ad752adb5fff58a6279330fe5cc5f1f27cdbe93f0f38d2d81c932cbd833129a931f8fff839f01247a10a57c4eee24cc2f

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      metaphysic/flag.ps1

    • Size

      362B

    • MD5

      d755b1b1ae9c898fb5f990dfc6f6aca2

    • SHA1

      ab5f6d18ba717c432e667f2e5d9dd22daef91e58

    • SHA256

      be0a553c1e70ee99768d88d732f83fd1f15e12c974bdc0ccabe5ede71cbd162d

    • SHA512

      d0b2e42a75a30e612bb7a6f08d09fb4c80f5c6f298553b2f04b5729c00fc4af4ac1b8ce3738b9741eed62acf032552e75106a88118e31add9a6689403ae162f7

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6 technique names and IDs; the count after each technique is the number of matching signatures)

Execution

  • Command-Line Interface (T1059): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 5

  • Remote System Discovery (T1018): 1
