General

  • Target

    4QCNO.rar

  • Size

    1.2MB

  • Sample

    230223-dntsmaee63

  • MD5

    ebc3a6ec88b3bf597987bc8942bcd2d6

  • SHA1

    c3baec408264453af32c8661144f0d26e692ebf4

  • SHA256

    0ffff9d4927d79efa9a3999dccef2a809157653e21c3fb79811295d2e1880a7d

  • SHA512

    03f7dc4dd29f0a19fa937bf28505bd2cc65d9e57e9df6a0310897eb37a2dc8b5f51541500ec44f5c638beea01e97170d6bafaef6bfb92ac4315a1f448e1bbcb3

  • SSDEEP

    24576:z4uzazpp+hqb4knhb8VMq07U9sgUe7k71dmpXHGLgGHOFXP7M9zI5:cjpkMbp18a/YhL8apXZGuFo9O

Malware Config

Extracted

Family

qakbot

Version

404.9

Botnet

BB16

Campaign

1677046917

C2

47.21.51.138:443

72.80.7.6:50003

82.127.204.82:2222

49.175.72.56:443

201.244.108.183:995

122.184.143.82:443

102.156.253.86:443

74.58.71.237:443

47.21.51.138:995

77.86.98.236:443

71.31.101.183:443

136.232.184.134:995

86.225.214.138:2222

95.242.101.251:995

109.11.175.42:2222

90.78.138.217:2222

184.176.35.223:2222

35.143.97.145:995

202.186.177.88:443

114.79.180.14:995

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

    • Target

      4QCNO/RR.lnk

    • Size

      1KB

    • MD5

      02ffb37fb80d62bccbe6013ff3d4d2f0

    • SHA1

      8f06f89e0fa1ef30b3be0637c3f9a009f8492854

    • SHA256

      acbfe9386d83f7db8529f9a5d10a0add6a26b1ee6a855210a4f4100f94dea21c

    • SHA512

      0f4883a7d35e3cee520ba8c3b78c6cf9d339cd273172f999a9d6cd4149120aca330c01c078653af99a171f7a49ddd0d61ffe2af3aab9a66421d814c923b9149e

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks