General

  • Target

    9WUKB.zip.zip

  • Size

    1.3MB

  • Sample

    230222-1yy7esff7s

  • MD5

    2910b256eb5c83fee20df8ae67749c54

  • SHA1

    108a70bdfbf92ef16179a57bd0296067749e9c29

  • SHA256

    eadf29b611de83b2bb26d0314c1c1070966d7dacc3da2321520b0841ba183d7f

  • SHA512

    f4403e87d19f71ad7da6ace847dd23b6d5f95daba235e6ab592267003eb6d70076f0be7e7beca85b3df02c4acc11ccdb6f954aa5b9edb79e1900e9e0a0ef23ca

  • SSDEEP

    24576:e/g3cFiZKK1IqpvwHUdqUNdAgpmWkZ8Z8BaYDY1AiD/i1cCr7o/myANvwy:PsFi71Iq60jO7BbLjcA4yWy

Malware Config

Extracted

Family

qakbot

Version

404.9

Botnet

BB16

Campaign

1677046917

C2

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      9WUKB.iso

    • Size

      203.3MB

    • MD5

      a78609e1f800f22ca455d621492ee058

    • SHA1

      52841510df9461ce446ad19f77eab01d99d7b5f1

    • SHA256

      b7de1dc09a35f212e9c46c6edee2ae03b739ee6744c778030886e087707ff027

    • SHA512

      d317891da8e2f36556a333eaf32a6868fb1fe6f188b44bdc2c3f86ae8e5e63c5961188e225f60beb8fce078d4e33f332a2dbeea570ca55a15e79b58b86657586

    • SSDEEP

      49152:JN2P39PuNYvlHTX2EMuZuzJ2z6nzK/XoY:JNimNC5ozn

    Score
    3/10

    • Target

      RR.lnk

    • Size

      1KB

    • MD5

      9b1fd4eb34e5bb3f029ad0eb84f4e278

    • SHA1

      3f3883ab44af25346c41235d05322e6b4c138440

    • SHA256

      65859f608c90734b27ff410c490e20aa28dad5d3dd8b8f84cf03e6f01fdcb5e6

    • SHA512

      a8a0ec6f1f1da6b4ba75df9192a7719497b5ee5bf17b00759c72ad44a8024ca1946de2651f16d3432d657fd9568bc0e896eb196eadeaf1f79840bed4870d59a7

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Loads dropped DLL

    • Target

      vibrations/curvature.cmd

    • Size

      240B

    • MD5

      6dd2ab019159cfff54446fe3f6659091

    • SHA1

      7ac4704bb7065eea6f06ee8e8d6826c258f64c0a

    • SHA256

      c2e2c8ab4f7a1ae8c06fdd0967661b821c28eb370d43f40f6f0111bc199e2571

    • SHA512

      b9dcac77a995eca8b0f4d76d34d6e2444f69a71ff9f6913d618544de5b86171f452d9d4762f86b04ee6d91f39865499e395e1c30d2bb0682122a3cecb1f16f7d

    Score
    1/10

    • Target

      vibrations/outbids.exe

    • Size

      1.6MB

    • MD5

      018796d4670ac12865be2f00382bbc8e

    • SHA1

      8564027153dca487eca613345ab3b2de0add4f26

    • SHA256

      22d1471ed17c681aa5580c59712005e1c70ef9c306cbcad245a64f7dfae47847

    • SHA512

      4edac00e0d19b439c300328bf4f7abc98cadfce0d7f4283f1c6278bec24d0ed7c2e51090a2e584a7a2a2e645e396a890d9589fe3f660fa73fc238a09d827bc7b

    • SSDEEP

      24576:qN2PGK9rDuNMZD22lHNFVntTX25fHSMv0UskeuzQU2z6IdcL6UCUK:qN2P39PuNYvlHTX2EMuZuzJ2z6nzK

    Score
    1/10

    • Target

      vibrations/vets.sql

    • Size

      1.6MB

    • MD5

      11d046fe7ad0156dbc4bb7bf75a44ce3

    • SHA1

      3346966e784efad4a01cfb9fdba709ce9bc2f31a

    • SHA256

      39708e7376995f9e8584f534e2dfaa16ba296169d42a46857f19d7837594eaba

    • SHA512

      8bd149805facc4ae5176bcc3ee4af243a3c22f536fbd53aff854b8ae900c15e98a667042e025db98d0b81c21bbaa4317c2e0a79afd450cb043220286e06d5dd8

    • SSDEEP

      12288:hgD7oi4JVR7GiHZJUMY4qSl9rBQpVvFBuLBmIiPy0Kko1KTVFufFKHcqgEQX0ekS:c7o9PrBeVXoY76Nj31J

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks