General

  • Target

    4QCNO.zip

  • Size

    1.6MB

  • Sample

    230222-wh26xscg68

  • MD5

    d4006bece2a7933ca9bef826b85e17bb

  • SHA1

    bf16779220da6701bafb042808f62c5076ea807f

  • SHA256

    88ab8b7a1f4b611175289d599907dce20ac7811cf41bb381113bd0fbd0d61f38

  • SHA512

    eee39afbe19b1bd20f0e7db8fde00e2a2980c0e9cccba002dffccc81f76c7b0f08a4859df2eced92c11b1b5dbd1c7ef4f19eab29414a37738739b46271e1812d

  • SSDEEP

    49152:tCi55Rhl/OdHdUa7O4uTamfZUTJG0beUCILuLBF19NcW7Dxs:tH5pQdUa7yZfiTJDysQ19mGDq

Malware Config

Extracted

  • Family

    qakbot

  • Version

    404.9

  • Botnet

    BB16

  • Campaign

    1677046917

  • C2


Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      RR.lnk

    • Size

      1KB

    • MD5

      02ffb37fb80d62bccbe6013ff3d4d2f0

    • SHA1

      8f06f89e0fa1ef30b3be0637c3f9a009f8492854

    • SHA256

      acbfe9386d83f7db8529f9a5d10a0add6a26b1ee6a855210a4f4100f94dea21c

    • SHA512

      0f4883a7d35e3cee520ba8c3b78c6cf9d339cd273172f999a9d6cd4149120aca330c01c078653af99a171f7a49ddd0d61ffe2af3aab9a66421d814c923b9149e

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Target

      vibrations/airtightness.exe

    • Size

      1.6MB

    • MD5

      018796d4670ac12865be2f00382bbc8e

    • SHA1

      8564027153dca487eca613345ab3b2de0add4f26

    • SHA256

      22d1471ed17c681aa5580c59712005e1c70ef9c306cbcad245a64f7dfae47847

    • SHA512

      4edac00e0d19b439c300328bf4f7abc98cadfce0d7f4283f1c6278bec24d0ed7c2e51090a2e584a7a2a2e645e396a890d9589fe3f660fa73fc238a09d827bc7b

    • SSDEEP

      24576:qN2PGK9rDuNMZD22lHNFVntTX25fHSMv0UskeuzQU2z6IdcL6UCUK:qN2P39PuNYvlHTX2EMuZuzJ2z6nzK

    Score
    1/10
    • Target

      vibrations/polaroid.cmd

    • Size

      244B

    • MD5

      35489cc30e625da2c3de0d1eed6feaea

    • SHA1

      61d664db85b7537dabdbff17c76c34357c3fb9ec

    • SHA256

      5437196beb0f70b578ef319b7cec47850d7538661fdbc1ab099ae06615367f45

    • SHA512

      8b3083036466a80bfd2107d847650a6c5a9c1a963c97f1105b2f9787aeceea08426fc6a432fa70e7de1c3a601945d4aa0b7da060ad0c5db3508724a739a1e916

    Score
    1/10

MITRE ATT&CK Enterprise v6

Tasks