General

  • Target

    d7d9b3b49462caa3f870fd98af9ac3af.bin

  • Size

    102.7MB

  • Sample

    230116-krmxtagc91

  • MD5

    d7d9b3b49462caa3f870fd98af9ac3af

  • SHA1

    755b5340afdb557626ae87ec783096c8cb4e5c30

  • SHA256

    fc5d857e62ebe6dd27e35c5d6f97de1a97528dd341eb6ab70b5ec51cfb75a768

  • SHA512

    b11c54b48f7e7a063587e00e95b254bb17868d8237f5503fd8e58c95fb1dd8f53c4ab46027b8812b702e13aac5020ab69ea01c6d6f9cf58fc51ef3d756eb699e

  • SSDEEP

    24576:39UihPHHHHYwgBHp8wOHeHwwHy2qyTIUgN/nNE48cPg:39UihPHHHHYwgBHp8wOHeHwwH5cPg

Malware Config

Extracted

  • Family

    qakbot

  • Version

    404.62

  • Botnet

    obama233

  • Campaign

    1671781480

  • C2

    51.199.123.42:443
    213.67.255.57:2222
    70.51.134.110:2222
    116.74.162.173:443
    206.166.209.170:2222
    193.154.124.4:443
    65.30.139.145:995
    92.189.214.236:2222
    73.29.92.128:443
    188.52.183.146:995
    175.139.207.179:2222
    190.78.77.15:993
    162.248.14.107:443
    184.153.132.82:443
    199.83.165.233:443
    12.172.173.82:995
    12.172.173.82:50001
    37.15.128.31:2222
    178.142.126.181:443
    176.142.207.63:443

  • Attributes

    salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      d7d9b3b49462caa3f870fd98af9ac3af.bin

    • Size

      102.7MB

    • MD5

      d7d9b3b49462caa3f870fd98af9ac3af

    • SHA1

      755b5340afdb557626ae87ec783096c8cb4e5c30

    • SHA256

      fc5d857e62ebe6dd27e35c5d6f97de1a97528dd341eb6ab70b5ec51cfb75a768

    • SHA512

      b11c54b48f7e7a063587e00e95b254bb17868d8237f5503fd8e58c95fb1dd8f53c4ab46027b8812b702e13aac5020ab69ea01c6d6f9cf58fc51ef3d756eb699e

    • SSDEEP

      24576:39UihPHHHHYwgBHp8wOHeHwwHy2qyTIUgN/nNE48cPg:39UihPHHHHYwgBHp8wOHeHwwH5cPg

    • Score

      3/10

    • Target

      Cancellation-J21.wsf

    • Size

      487B

    • MD5

      1eb424ed65c282df367169d2c95f5e64

    • SHA1

      ec82152577fd11be15c5a658077fe169d329d883

    • SHA256

      86a065377605b5cd585054a42468517cb4e4b89c5d60a4beb732bb7b903dd158

    • SHA512

      240c7c409cdb4b33e0a7c86bc92a66a443c1ff0c2d787935b6c8ee2af72dff76dbd94aa2696324f8230fac9a5fe8883974cbc495b95da2c4e28974cda1476cad

    • Score

      10/10

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Loads dropped DLL
MITRE ATT&CK Enterprise v6

Tasks