General

  • Target: attachment.zip
  • Size: 425KB
  • Sample: 221213-ltb4rshb3s
  • MD5: c5a31070a1b52fb7bcd076a2805c020b
  • SHA1: b7643ff66e8c65356d19d3f611bd5634061057fa
  • SHA256: a80a15e4dbd9191e1c3c3faf804c60d614a844d9a7f7472c3c1816e9bf2dc81a
  • SHA512: 46c5fb3ba897ac2528a21d63a5a53392f7dea519f9ba48b77bf05d681834256ccc4781428857fa0337af68b69ce5ad57689776bd2d9ee8e26e27c687e4947b81
  • SSDEEP: 12288:PPET7sbhJObntPhemGL9sM8fMMgvMZIxbEFO:nkIbzwnbvGaM8fEsc

Malware Config

Extracted

  • Family: qakbot
  • Version: 404.46
  • Botnet: azd
  • Campaign: 1670585059
  • C2:
    173.239.94.212:443
    91.169.12.198:32100
    74.66.134.24:443
    66.191.69.18:995
    182.75.189.42:995
    78.69.251.252:2222
    98.145.23.67:443
    103.71.21.107:443
    197.94.219.133:443
    91.68.227.219:443
    12.172.173.82:993
    86.176.83.127:2222
    64.121.161.102:443
    41.98.21.114:443
    92.154.17.149:2222
    151.65.67.211:443
    89.129.109.27:2222
    76.11.14.249:443
    69.119.123.159:2222
    70.66.199.12:443

Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target: DOC_FI7820.lnk
    • Size: 1KB
    • MD5: 32b5854f5a7cb3f0837767291afd24f5
    • SHA1: 9e69b181e8afd292e9a14320db2774ecf66aeb00
    • SHA256: 7559a1d112ee174f4cc2d72df34f1a23db6dc1616684bd8e5c88a853e7d1f423
    • SHA512: 4f8dceabcfdf31addee6355aeb1d1a3ea2583089b3146e3b2481ac7419b12894530c01959ab5511cb37ac74987e27405e973eb521596a5d645b302501a06445b

    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.

    • Target: NewInvoice/NewInvoice.cmd
    • Size: 9KB
    • MD5: e664607089ca89edba7bf12cc9daf951
    • SHA1: 6ba2846f1a75bead0f68902316d1962c4bd79ebe
    • SHA256: 38b81ef7d029cb614991ae402ac6104901770cabb59fe45bcb8a76d5f916e9e4
    • SHA512: b47846946259d895c6f0c0228d48e24bb14a826fbad4d31f6299d8d364f971e5452ac94d6f9914b4cc59f1737ea660f8d4c3d36f7a4544f0fb8c4513ea601a6c
    • SSDEEP: 96:iZtaVuRjH84cfD9x5unKxX01DOfWWBRNj7vwCrlMei4y1GEb5k4YfHqzOYmi+Bpc:rVwH0RG4WWB7vwKti4yMEtk1pBo9Floo

    • Target: NewInvoice/NewRules.get
    • Size: 733KB
    • MD5: 1b4eb3e5510b5f32c4ed5f9ba11288bd
    • SHA1: f91052aa0a9375422ee29a7756df4756fb759486
    • SHA256: 678b2d1d0e5dc0e18f5f85abbed3d036c99fa9db8704676adaf9ec304b582523
    • SHA512: 40f479618f6f8cc103cb2acb0890ef0833263a501a8a60f2c50eba5602540bd98c7c142eb01355962e5b8bad6d34bb42f31b11aa3f1d950bf2a3c2f82b7e6960
    • SSDEEP: 12288:bx5BlbjoVPn84C8oSZTkwvFsaLJ5sU4gzplUWQnLI7QAeh+nqb7/ODsrETSeWBE:b/CP1jVtkBKzsU4gLUWZ7tqb72eR

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (1): T1012
  • System Information Discovery (2): T1082

Tasks