General

  • Target

    9287941584.zip

  • Size

    1.3MB

  • Sample

    230223-rfz7bsga78

  • MD5

    eeb6553006d2f39ad411c4d99ec43d75

  • SHA1

    2f9f6438cb3d16f888294f2b761175744a4f2276

  • SHA256

    ab0a56e2e625f3bc98c1c927576e7403f8bd8ff501def7aa551325b40d469df7

  • SHA512

    cafb3f9444506bfa7cb658a3e8b443a5e5c565cc1c20df2b37f38493b6d2dff97c71a042d28d98881c5ec667a359bfc12c7011559d81c20aadeb0b07e6ab957b

  • SSDEEP

    24576:5XaiiWYUinMCUqd/wPGReaBmUhR/3ziZyiXQYRFVm/8loq080vuuEEbpxzaC8ASx:quiMfqd/wOReaB3H+yi5RS/kyCEVxzto

Malware Config

Extracted

Family

qakbot

Version

404.9

Botnet

BB16

Campaign

1677046917

C2

47.21.51.138:443

72.80.7.6:50003

82.127.204.82:2222

49.175.72.56:443

201.244.108.183:995

122.184.143.82:443

102.156.253.86:443

74.58.71.237:443

47.21.51.138:995

77.86.98.236:443

71.31.101.183:443

136.232.184.134:995

86.225.214.138:2222

95.242.101.251:995

109.11.175.42:2222

90.78.138.217:2222

184.176.35.223:2222

35.143.97.145:995

202.186.177.88:443

114.79.180.14:995

Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP
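The extracted configuration above is the actionable part of this report: a list of C2 endpoints, a campaign identifier that is a Unix timestamp, and the string salt Qakbot uses when deriving its configuration keys. The script below is an added example (not part of the sandbox report or of any Qakbot tooling): it copies the C2 list and campaign value from the page, decodes the campaign stamp to UTC, validates each endpoint as IP:port, and matches the result against a few constructed firewall log lines. The log lines and the internal addresses in them are made up for illustration; 203.0.113.10 is a documentation address, not an indicator.

```python
"""IOC handling for the Qakbot configuration extracted above.

Added example, not part of the sandbox report. The C2 list and campaign
value are copied from the page; the firewall log lines are constructed.
"""
from datetime import datetime, timezone
import ipaddress
import re

# Copied from the "Malware Config" section of the report.
QAKBOT_C2 = [
    "47.21.51.138:443", "72.80.7.6:50003", "82.127.204.82:2222",
    "49.175.72.56:443", "201.244.108.183:995", "122.184.143.82:443",
    "102.156.253.86:443", "74.58.71.237:443", "47.21.51.138:995",
    "77.86.98.236:443", "71.31.101.183:443", "136.232.184.134:995",
    "86.225.214.138:2222", "95.242.101.251:995", "109.11.175.42:2222",
    "90.78.138.217:2222", "184.176.35.223:2222", "35.143.97.145:995",
    "202.186.177.88:443", "114.79.180.14:995",
]
QAKBOT_CAMPAIGN = 1677046917  # "Campaign" field: Unix seconds


def campaign_time(epoch: int) -> str:
    """Qakbot campaign ids are Unix timestamps; render one as ISO 8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def parse_c2(entries):
    """Return a set of (ip, port) tuples; anything that is not IP:port raises."""
    result = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # ValueError on a malformed address
        result.add((host, int(port)))
    return result


# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)


def scan_connections(log_lines, c2_pairs):
    """Flag connections to a known C2 ip:port ("exact") or to a C2 host on
    some other port ("host"); lines that do not parse are skipped."""
    hosts = {ip for ip, _ in c2_pairs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in c2_pairs:
            hits.append((m["ts"], m["src"], dst, dport, "exact"))
        elif dst in hosts:
            hits.append((m["ts"], m["src"], dst, dport, "host"))
    return hits


# Constructed sample log, not taken from the report.
SAMPLE_LOG = [
    "2023-02-23T09:14:02Z 10.0.0.15:51234 -> 47.21.51.138:995 TCP allow",
    "2023-02-23T09:14:05Z 10.0.0.15:51240 -> 203.0.113.10:443 TCP allow",
    "2023-02-23T09:15:11Z 10.0.0.22:49812 -> 82.127.204.82:2222 TCP allow",
    "2023-02-23T09:16:30Z 10.0.0.22:49820 -> 47.21.51.138:80 TCP deny",
    "this line is not a connection record",
]

if __name__ == "__main__":
    pairs = parse_c2(QAKBOT_C2)
    print("campaign time:", campaign_time(QAKBOT_CAMPAIGN))
    print(len(pairs), "C2 endpoints on", len({ip for ip, _ in pairs}), "hosts")
    for hit in scan_connections(SAMPLE_LOG, pairs):
        print(*hit)
```

The "host" match kind matters in practice: 47.21.51.138 appears twice in the list (443 and 995), and Qakbot operators rotate ports on the same proxy hosts, so a connection to a listed address on an unlisted port is still worth a look rather than a silent miss. The campaign stamp decodes to 22 February 2023, the day before the sample date in the report header.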

Targets

    • Target

      0ZVLQ.iso

    • Size

      203.3MB

    • MD5

      16683f05fbd6b26a1f9643824936ff6b

    • SHA1

      65c58e8c7683b1b8a5491f9070c0297b68284736

    • SHA256

      a1d77bd0d9fa0387f24378f62a65c9532d9bf28398d3c139b3963343c1ae7a9a

    • SHA512

      15188a3dd573b1e60adcdf16a85fb85149b69aa6dc5e9d518ac0a26af027a9464494d7237997c111b0c160884b71a99fe6f8541fe06391ca3714521f660bd4f9

    • SSDEEP

      49152:2XoYTN2P39PuNYvlHTX2EMuZuzJ2z6nzK:wNimNC5ozn

    Score
    3/10

    • Target

      RR.lnk

    • Size

      1KB

    • MD5

      31708b36ba2a3e7da8e0f1c1f04b1735

    • SHA1

      fd1ff76899f81fc2ad822d56f6f2b8185787221e

    • SHA256

      6f4b859642b0b8b9df130b5cb5fb9b65725df6efbae7245c3fd3062b33928c64

    • SHA512

      878c36a842c1388d3118013b47301b9d12d931674f132e46f53c5036a75bb1ec9022d3fd3944ce4002fe549142e558333557d14a0dd734e89e0f8613fd0bfadf

    • Qakbot/Qbot

      Qbot (Qakbot) is a modular banking trojan and loader with worm-like lateral-movement capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Target

      vibrations/unfed.exe

    • Size

      1.6MB

    • MD5

      018796d4670ac12865be2f00382bbc8e

    • SHA1

      8564027153dca487eca613345ab3b2de0add4f26

    • SHA256

      22d1471ed17c681aa5580c59712005e1c70ef9c306cbcad245a64f7dfae47847

    • SHA512

      4edac00e0d19b439c300328bf4f7abc98cadfce0d7f4283f1c6278bec24d0ed7c2e51090a2e584a7a2a2e645e396a890d9589fe3f660fa73fc238a09d827bc7b

    • SSDEEP

      24576:qN2PGK9rDuNMZD22lHNFVntTX25fHSMv0UskeuzQU2z6IdcL6UCUK:qN2P39PuNYvlHTX2EMuZuzJ2z6nzK

    Score
    1/10

    • Target

      vibrations/yokohama.cmd

    • Size

      238B

    • MD5

      6e103a84f0498745d30bbc6c8886609d

    • SHA1

      a67ea3cb3f3d4dcc6a56efc2bbee62d576a44a80

    • SHA256

      2cfed54700ddce6b838cb10d5d595a5ea7b33d04c66238231ca9819731984f94

    • SHA512

      c74a2b7eefdc04c509f97087d017c243c4763b2ef925d90450100025a69f892f5371a7925c78732baaaab37800c82562f554d4389f044936df958a513a201e59

    Score
    1/10
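The SSDEEP values above are worth a second look: the ISO's hash at block size 49152 ("2XoYTN2P39Pu...") ends with the same string as the second hash of vibrations/unfed.exe at block size 24576 ("qN2P39Pu..."), which is what you expect when a large container is mostly one embedded file. ssdeep only compares two signatures when their block sizes are equal or differ by a factor of two, and then only if the compared hash strings share a common substring of at least seven characters. The script below is an added example, not part of the report or of the ssdeep project: it reproduces that first gate (block-size pairing plus the common-substring requirement) on the three signatures printed on the page. It does not reproduce ssdeep's full edit-distance score, and it skips ssdeep's trimming of runs longer than three repeated characters, which does not affect these inputs.

```python
"""Block-size pairing and common-substring gate of ssdeep comparison.

Added example, not part of the report. Signatures are copied from the page.
Only the comparison gate is implemented, not ssdeep's full similarity score.
"""

# Signatures copied from the report.
SSDEEP_ZIP = ("24576:5XaiiWYUinMCUqd/wPGReaBmUhR/3ziZyiXQYRFVm/8loq080vuuEEbpxzaC8ASx"
              ":quiMfqd/wOReaB3H+yi5RS/kyCEVxzto")
SSDEEP_ISO = "49152:2XoYTN2P39PuNYvlHTX2EMuZuzJ2z6nzK:wNimNC5ozn"
SSDEEP_EXE = ("24576:qN2PGK9rDuNMZD22lHNFVntTX25fHSMv0UskeuzQU2z6IdcL6UCUK"
              ":qN2P39PuNYvlHTX2EMuZuzJ2z6nzK")

MIN_COMMON = 7  # ssdeep's rolling-window length: shorter overlaps never score


def parse_ssdeep(sig):
    """Split 'blocksize:hash1:hash2' into (int blocksize, hash1, hash2)."""
    bs, h1, h2 = sig.split(":", 2)
    return int(bs), h1, h2


def longest_common_substring(a, b):
    """Length of the longest contiguous substring shared by a and b (O(len(a)*len(b)))."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def comparable_hashes(sig_a, sig_b):
    """The hash pairs ssdeep would actually compare for two signatures.

    Equal block sizes: hash1 vs hash1 and hash2 vs hash2. If one block size
    is double the other, the larger signature's hash1 is compared with the
    smaller signature's hash2 (both describe the same block size). Anything
    else is not comparable at all."""
    bs_a, a1, a2 = parse_ssdeep(sig_a)
    bs_b, b1, b2 = parse_ssdeep(sig_b)
    if bs_a == bs_b:
        return [(a1, b1), (a2, b2)]
    if bs_a == 2 * bs_b:
        return [(a1, b2)]
    if bs_b == 2 * bs_a:
        return [(a2, b1)]
    return []


def ssdeep_overlap(sig_a, sig_b):
    """Longest common substring over the comparable pairs; 0 if not comparable."""
    return max(
        (longest_common_substring(x, y) for x, y in comparable_hashes(sig_a, sig_b)),
        default=0,
    )


def ssdeep_related(sig_a, sig_b, min_common=MIN_COMMON):
    """True when the pair passes ssdeep's gate and could receive a non-zero score."""
    return ssdeep_overlap(sig_a, sig_b) >= min_common


if __name__ == "__main__":
    files = {"zip": SSDEEP_ZIP, "iso": SSDEEP_ISO, "exe": SSDEEP_EXE}
    names = list(files)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            print(f"{a} vs {b}: overlap={ssdeep_overlap(files[a], files[b])}"
                  f" related={ssdeep_related(files[a], files[b])}")
```

Run against the page's values, the ISO and unfed.exe pair passes the gate with a 28-character overlap, while the outer zip (compressed, so its content bears no byte-level resemblance to what it holds) does not pass against the ISO. That is the general lesson for triage: fuzzy hashes relate a container to its payload only when the container stores it uncompressed, so an ISO or a padded executable will cluster with its contents and a zip will not.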

MITRE ATT&CK Enterprise v6

Tasks