Resubmissions

27/12/2022, 14:30

221227-rva6raab9t 10

27/12/2022, 05:12

221227-fwa2lahe3w 10

General

  • Target

    Cancellation#W94.iso

  • Size

    102.7MB

  • Sample

    221227-fwa2lahe3w

  • MD5

    2bc421b028b1463a5eca13eab798c996

  • SHA1

    85c3d0400d4b2167b0d5c8f58371db90c795f604

  • SHA256

    2e1cd7881d0fc154569126eb6a50de0ae98d45dc0a68f443a71b8511ee783dae

  • SHA512

    7ad8de827e54b8dd24fc593bf37cdbc67a655c7a465d9354e6b95eb6276c4a84b0c7720c27e06365e41f3286c4a5eeccd83a7321c3a1fa175d9f5f923937a844

  • SSDEEP

    24576:E9UiBqyTIUgN/nNE2cPHHHHYwgBHp8wOHeHwwHyCcPg:E9Ui3PHHHHYwgBHp8wOHeHwwHZcPg

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

obama233

Campaign

1671781480

C2

51.199.123.42:443

213.67.255.57:2222

70.51.134.110:2222

116.74.162.173:443

206.166.209.170:2222

193.154.124.4:443

65.30.139.145:995

92.189.214.236:2222

73.29.92.128:443

188.52.183.146:995

175.139.207.179:2222

190.78.77.15:993

162.248.14.107:443

184.153.132.82:443

199.83.165.233:443

12.172.173.82:995

12.172.173.82:50001

37.15.128.31:2222

178.142.126.181:443

176.142.207.63:443

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      Cancellation#W94.iso

    • Size

      102.7MB

    • MD5

      2bc421b028b1463a5eca13eab798c996

    • SHA1

      85c3d0400d4b2167b0d5c8f58371db90c795f604

    • SHA256

      2e1cd7881d0fc154569126eb6a50de0ae98d45dc0a68f443a71b8511ee783dae

    • SHA512

      7ad8de827e54b8dd24fc593bf37cdbc67a655c7a465d9354e6b95eb6276c4a84b0c7720c27e06365e41f3286c4a5eeccd83a7321c3a1fa175d9f5f923937a844

    • SSDEEP

      24576:E9UiBqyTIUgN/nNE2cPHHHHYwgBHp8wOHeHwwHyCcPg:E9Ui3PHHHHYwgBHp8wOHeHwwHZcPg

    Score
    3/10
    • Target

      Cancellation-W94.wsf

    • Size

      487B

    • MD5

      1eb424ed65c282df367169d2c95f5e64

    • SHA1

      ec82152577fd11be15c5a658077fe169d329d883

    • SHA256

      86a065377605b5cd585054a42468517cb4e4b89c5d60a4beb732bb7b903dd158

    • SHA512

      240c7c409cdb4b33e0a7c86bc92a66a443c1ff0c2d787935b6c8ee2af72dff76dbd94aa2696324f8230fac9a5fe8883974cbc495b95da2c4e28974cda1476cad

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      escapists/data.txt

    • Size

      1KB

    • MD5

      c50bc0e676d4a797fa15e7cef6e18ae5

    • SHA1

      7684609531a4f5683bda0b629f565d06b1e20f66

    • SHA256

      5216c0f4ba65ab5c5865ff3703192bf1ce0350a99cb8d8a552a97ba157377b45

    • SHA512

      ff60b4dd7d18ebbd43f5118378161ffd6b4b19ae3656d305ad0991b40a26e2767318b3c95fb13f5b098c36dd07a3b8bd9919bd4d2d95febc1b88348d5eb46619

    Score
    1/10
    • Target

      escapists/psychophysic.txt

    • Size

      2.1MB

    • MD5

      77276574fb4672b3e42ea766478779fc

    • SHA1

      e8ba77d2a4914710b5f8a7ad5abe830c916d2134

    • SHA256

      7f5a479345e7ed0efb1f137689f0b6668f0a32886a35984566fc875c5f8d32a7

    • SHA512

      3fcf9fa2647ec29289b27cb2d889ddb39556f7cc19c5b3962366188fb4b7fb7166404ac07bfe99c31be671f847c8e3f8dbb14f41c92cf4784dd5aaded833ed55

    • SSDEEP

      12288:fTqyEYU/UgNPzJ2bTXPPj8I8aigEXTJcn8NT8:7qyTIUgN/nNE28

    Score
    1/10

MITRE ATT&CK Enterprise v6

Tasks