General
-
Target
update2.exe
-
Size
746KB
-
Sample
221228-zea5taef5v
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
-
SSDEEP
12288:dhhWltABHdeQEWngq+75M0m4Y3QxKmjKIiRCFhnquQI80BvaFViHM8:dhhQA5d4VMB4YQoiHnM0F
Malware Config
Extracted
qakbot
323.91
1572863946
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
[email protected] - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
[email protected] - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
[email protected] - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
[email protected] - Password:
eQyicNLzzqPN
112.171.126.153:443
67.200.146.98:2222
174.16.234.171:993
71.30.56.170:443
71.77.231.251:443
72.213.98.233:443
2.50.170.151:443
184.180.157.203:2222
96.35.170.82:2222
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
173.22.120.11:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
104.34.122.18:443
65.30.12.240:443
Targets
-
-
Target
update2.exe
-
Size
746KB
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
-
SSDEEP
12288:dhhWltABHdeQEWngq+75M0m4Y3QxKmjKIiRCFhnquQI80BvaFViHM8:dhhQA5d4VMB4YQoiHnM0F
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Turns off Windows Defender SpyNet reporting
-
Windows security bypass
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-