
Resubmissions

  • 03/02/2023, 18:04  230203-wnx46abh7w  7
  • 03/02/2023, 18:03  230203-wnhz8sgd94  10
  • 03/02/2023, 14:58  230203-sb7w2sfg77  7

General

  • Target: DocumentsFolder_729396_Feb_03.one_2.hta
  • Size: 5KB
  • Sample: 230203-wnhz8sgd94
  • MD5: 9367d6f27ef13ffcc8c86ea9c28c3dbf
  • SHA1: 4fe41d2d96f8ecddc2830c2a27aef22419c1509b
  • SHA256: 4ed16497feaa7bbd98b485d057bf25cb3f24132c6a9f52d4c7b838e6a7f5f761
  • SHA512: 09ae3e11d24a5485782a244ae4073b126757ba29a04f8f82ed6126f0a4e8f6bcb19b55229a9f23f190d48373669433fbf9e6af9fea6ae50895a2aea6a99e4c94
  • SSDEEP: 96:IhVxy8VC+iNVCv38RGynB8xVpA8oVCynBu9cEAGfPE3rFSEnzAINLuClhkeXbZkh:1gPoWkJuClhkeqH

Malware Config

Extracted

  • Family: qakbot
  • Version: 404.432
  • Botnet: obama236
  • Campaign: 1675410243
  • C2:
      79.9.64.37:995
      174.104.184.149:443
      24.64.112.40:3389
      81.151.102.224:443
      47.34.30.133:443
      86.250.12.217:2222
      50.68.204.71:993
      156.217.208.137:995
      181.118.206.65:995
      103.212.19.254:995
      83.114.60.6:2222
      90.23.19.86:2222
      66.131.25.6:443
      12.172.173.82:465
      86.195.14.72:2222
      184.153.132.82:443
      91.170.115.68:32100
      72.80.7.6:995
      71.31.101.183:443
      198.2.51.242:993

Attributes

  • salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

  • Target: DocumentsFolder_729396_Feb_03.one_2.hta
  • Size: 5KB
  • MD5: 9367d6f27ef13ffcc8c86ea9c28c3dbf
  • SHA1: 4fe41d2d96f8ecddc2830c2a27aef22419c1509b
  • SHA256: 4ed16497feaa7bbd98b485d057bf25cb3f24132c6a9f52d4c7b838e6a7f5f761
  • SHA512: 09ae3e11d24a5485782a244ae4073b126757ba29a04f8f82ed6126f0a4e8f6bcb19b55229a9f23f190d48373669433fbf9e6af9fea6ae50895a2aea6a99e4c94
  • SSDEEP: 96:IhVxy8VC+iNVCv38RGynB8xVpA8oVCynBu9cEAGfPE3rFSEnzAINLuClhkeXbZkh:1gPoWkJuClhkeqH

  • Qakbot/Qbot
    Qbot or Qakbot is a sophisticated worm with banking capabilities.
  • Downloads MZ/PE file
  • Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence check.
  • Loads dropped DLL
