General

  • Target

    9562928861.zip

  • Size

    1.5MB

  • Sample

    230315-r9m4vsdg45

  • MD5

    232483e0760b6b334bf8cb1ac533060e

  • SHA1

    76bf8c74be91276bfd0ac2fe6fd3917f1214bbe0

  • SHA256

    ed99937314d2aa6cd69bca7a9fe2e71b2880fa37846965d5578986525ef2f3fe

  • SHA512

    17491cc2e910ffa62954d4b5e443df8aba91f70b433cad64f57b579903cb57745780b3fa05664af42060255286fc775c764e8e9005dc8fc69abff2ee723f0e1b

  • SSDEEP

    49152:vUzPQpPcnTSQAU8GuI1skstg8TzTGy5+HiHRD:vUzIp0eS93eky9Og+CRD

Malware Config

Extracted

Family

qakbot

Version

404.266

Botnet

obama242

Campaign

1678805546

C2


Attributes

  • salt

    SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Extracted

Language

xlm4.0

Source

Targets

    • Target

      9562928861.zip

    • Size

      1.5MB

    • MD5

      232483e0760b6b334bf8cb1ac533060e

    • SHA1

      76bf8c74be91276bfd0ac2fe6fd3917f1214bbe0

    • SHA256

      ed99937314d2aa6cd69bca7a9fe2e71b2880fa37846965d5578986525ef2f3fe

    • SHA512

      17491cc2e910ffa62954d4b5e443df8aba91f70b433cad64f57b579903cb57745780b3fa05664af42060255286fc775c764e8e9005dc8fc69abff2ee723f0e1b

    • SSDEEP

      49152:vUzPQpPcnTSQAU8GuI1skstg8TzTGy5+HiHRD:vUzIp0eS93eky9Og+CRD

    Score
    1/10
    • Target

      547de75773c2e3d12c5b9ea46b6b9f28410095e2d9b6441dd1580def448b94de

    • Size

      1.5MB

    • MD5

      60d7fc5cd2d8fa66bc7adaa187b09c7b

    • SHA1

      363aa00aa728614db9d0492997175b8287cdbf6d

    • SHA256

      547de75773c2e3d12c5b9ea46b6b9f28410095e2d9b6441dd1580def448b94de

    • SHA512

      0051f56f2fced3302a2280334849f62f3203c15e59763cd8c12845f5278adb8d2fab4652d22473f741da4e546c53d5fc3330e9e999ae8b47def28fcf8413e363

    • SSDEEP

      49152:JaeENIGDFC/yGxS8RFW/pwpsSNJuNrd6POjj2O:Jae8IGAyCS8veSLu5vnj

    Score
    1/10
    • Target

      Agreement_277183_Mar4.xll

    • Size

      589KB

    • MD5

      34500ab4418a844d9cb84c88ad980c0b

    • SHA1

      dccff591d601fb53dc171115cede2c62894c8e61

    • SHA256

      64b6e5633ee0b6393bbaa3cc2068af6b6527f25615f6049b19cd105390de27b3

    • SHA512

      84c346452561eae2a6e9364b5c266001d0104c456517c7ae08bcf4be1a22b46bf0355e80715e90e88a98d7e78284656c3300276d48297ce9e68111da0a80b36e

    • SSDEEP

      6144:8cTaT6oGCNIamrNSYVnt2pONtX7EmG2dOdQRG8l/dmMF7VndLmmmmmmm644tkw95:f+pSIm3OdQwgvpVndf42HXDiuJTMw4

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Target

      Agreement_277183a_Mar4.xll

    • Size

      2.3MB

    • MD5

      109396393d86831ebcfd44c43e97ad63

    • SHA1

      9180bc13b167ca7d2fe75c061f60c2bf580bab1a

    • SHA256

      cdd168c54958a2ae49d029533df5eeea4a12e418b09f5f44174c108a91799237

    • SHA512

      febc52ef022571de70331b47a7092b376591b87ca874fd1eacb0e6962b477ac6b79576d4ff3bca37347eb33402ad848bd4004aef38e8c011fb3adfa3a789771e

    • SSDEEP

      49152:Wjrwd3EfessB2KEAQ3PlAEIZ6QqrONloCt4nnM+DoRDPOjYvf9FB:arwd028KEl39AdZ/6y+9M7RDPZB

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                      Count  ID
Execution              Scheduled Task                 1      T1053
Persistence            Scheduled Task                 1      T1053
Privilege Escalation   Scheduled Task                 1      T1053
Defense Evasion        Modify Registry                2      T1112
Discovery              Query Registry                 5      T1012
Discovery              System Information Discovery   4      T1082

Tasks