qakbot | 979d4495e2d1ee530c3d61ee96aaca3ec80b14b6f18df514f781d513fb3d0bbb

General

Target

hv.js
Size

57KB
Sample

230315-s56k3sea74
MD5

67ead5069eca24d3705c4bf7811f9558
SHA1

82337cb75efbb311bb81ff3a0d0014996d8cb50b
SHA256

979d4495e2d1ee530c3d61ee96aaca3ec80b14b6f18df514f781d513fb3d0bbb
SHA512

f9f8451b9125076212a215c1b2506f61d74b9c4cc7604f0918e0f68895a2939bdafed99cc1c351891ac0bd8adc4e6260ab1b7c4eaa860280251c472733c3dcbf
SSDEEP

1536:CY5Qt5syZgWZ8udu3FIAnHbgQW6d+oNW7o:ysJvFd+op

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://kotogadang-pusako.com/MweGD/1

exe.dropper

https://dimoparkhogar.com/7VQuf/1

exe.dropper

https://fondationjoelkrasso.org/rjzgP6/1

exe.dropper

https://earnforpak.com/CzIUp/1

exe.dropper

https://laposadadeugartearequipa.com/NARKhE/1

exe.dropper

https://cocovedaglobal.com/XBtcjkQ/1

exe.dropper

https://accesstelematics.com/Ulo3MpM/1

exe.dropper

https://lamired.com/8FIz2P/1

Extracted

Family

qakbot

Version

404.263

Botnet

BB19

Campaign

1678819882

C2

162.248.14.107:443

89.32.159.107:995

50.68.186.195:443

50.68.204.71:443

24.69.84.237:443

92.239.81.124:443

149.74.159.67:2222

176.202.46.81:443

2.82.8.80:443

72.203.216.98:2222

73.22.121.210:443

190.218.125.145:443

76.71.137.91:2222

81.158.112.20:2222

190.191.35.122:443

12.172.173.82:993

98.145.23.67:443

12.172.173.82:22

37.186.55.60:2222

73.161.176.218:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Targets

- Target
  
  hv.js
- Size
  
  57KB
- MD5
  
  67ead5069eca24d3705c4bf7811f9558
- SHA1
  
  82337cb75efbb311bb81ff3a0d0014996d8cb50b
- SHA256
  
  979d4495e2d1ee530c3d61ee96aaca3ec80b14b6f18df514f781d513fb3d0bbb
- SHA512
  
  f9f8451b9125076212a215c1b2506f61d74b9c4cc7604f0918e0f68895a2939bdafed99cc1c351891ac0bd8adc4e6260ab1b7c4eaa860280251c472733c3dcbf
- SSDEEP
  
  1536:CY5Qt5syZgWZ8udu3FIAnHbgQW6d+oNW7o:ysJvFd+op
Score

10^/10

qakbot bb19 1678819882 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Qakbot/Qbot

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2