General

Malware Config

Signatures

Files

• qakbot.zip

  .zip

  Password: infected

• a16db0d2025dff39a4a0de4071ce0e73c6810ab497453ad67c16ba0980385f60

  .dll windows x86

  Password: infected

  43e5d7f630d7b07f03bf2c008cf04285

  
  

  Code Sign

  ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f

  Certificate

  Issuer

  CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  23-11-2020 00:00

  Not After

  23-11-2021 23:59

  Subject

  CN=Aqua Direct s.r.o.,O=Aqua Direct s.r.o.,POSTALCODE=619 00,STREET=Železná 646/8,L=Brno,C=CZ

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  01

  Certificate

  Issuer

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  01-01-2004 00:00

  Not After

  31-12-2028 23:59

  Subject

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95

  Certificate

  Issuer

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  12-03-2019 00:00

  Not After

  31-12-2028 23:59

  Subject

  CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a

  Certificate

  Issuer

  CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

  Not Before

  02-11-2018 00:00

  Not After

  31-12-2030 23:59

  Subject

  CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

  Extended Key Usages

  ExtKeyUsageCodeSigning

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  b3:b7:be:1d:12:55:fa:34:bc:04:f7:92:8a:dd:da:84:62:2c:c6:d5

  Signer

  Actual PE Digest

  b3:b7:be:1d:12:55:fa:34:bc:04:f7:92:8a:dd:da:84:62:2c:c6:d5

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Signature Validations

  Trusted

  false

  Verification

  Signing Certificate

  CN=Aqua Direct s.r.o.,O=Aqua Direct s.r.o.,POSTALCODE=619 00,STREET=Železná 646/8,L=Brno,C=CZ

  23-03-2023 16:07

  Valid: false

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  GetVersion

  LoadLibraryA

  VirtualAlloc

  VirtualProtect

  GetProcAddress

  GetCurrentThreadId

  lstrlenA

  lstrcatA

  SetLastError

  GetProcessId

  GetCurrentThread

  GetLastError

  lstrcmpA

  GetTickCount

  GetCurrentProcess

  gdiplus

  GdipResetPathGradientTransform

  winmm

  mciLoadCommandResource

  user32

  GetProcessDefaultLayout

  shlwapi

  PathSetDlgItemPathW

  Sections

  .code

  Size: 197KB - Virtual size: 196KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 91KB - Virtual size: 90KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

• c59d033fa3a58112f7520113699c74552c4d12bb10783fa880359ec94affe2a1

  .dll windows x86

  Password: infected

  5d1ce61ba464735cd8b08ce9c25e47e9

  
  

  Code Sign

  a2:e3:6b:65:09:4c:61:7c:76:8b:f4:d1:7c:6d:75:1a

  Certificate

  Issuer

  CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  30-11-2020 00:00

  Not After

  30-11-2021 23:59

  Subject

  CN=AGRO - KOVO spol. s r. o.,O=AGRO - KOVO spol. s r. o.,POSTALCODE=917 01,STREET=Vl. Clementisa 21,L=Trnava,C=SK

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  01

  Certificate

  Issuer

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  01-01-2004 00:00

  Not After

  31-12-2028 23:59

  Subject

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  39:72:44:3a:f9:22:b7:51:d7:d3:6c:10:dd:31:35:95

  Certificate

  Issuer

  CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

  Not Before

  12-03-2019 00:00

  Not After

  31-12-2028 23:59

  Subject

  CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a

  Certificate

  Issuer

  CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

  Not Before

  02-11-2018 00:00

  Not After

  31-12-2030 23:59

  Subject

  CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

  Extended Key Usages

  ExtKeyUsageCodeSigning

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  db:7c:39:23:71:81:a1:14:56:a7:7f:dd:a7:a9:13:6e:6d:e4:4d:75

  Signer

  Actual PE Digest

  db:7c:39:23:71:81:a1:14:56:a7:7f:dd:a7:a9:13:6e:6d:e4:4d:75

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Signature Validations

  Trusted

  false

  Verification

  Signing Certificate

  CN=AGRO - KOVO spol. s r. o.,O=AGRO - KOVO spol. s r. o.,POSTALCODE=917 01,STREET=Vl. Clementisa 21,L=Trnava,C=SK

  23-03-2023 16:07

  Valid: false

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  VirtualAllocEx

  GetLastError

  GetModuleHandleW

  user32

  CountClipboardFormats

  GetListBoxInfo

  GetCapture

  ShowCaret

  PaintDesktop

  GetDesktopWindow

  IsCharAlphaNumericW

  GetShellWindow

  CreatePopupMenu

  IsCharAlphaW

  GetDoubleClickTime

  IsCharUpperW

  GetForegroundWindow

  CharUpperW

  OemKeyScan

  GetCaretBlinkTime

  GetMenuContextHelpId

  IsCharLowerA

  VkKeyScanW

  IsClipboardFormatAvailable

  LoadIconA

  GetOpenClipboardWindow

  GetLastActivePopup

  gdi32

  GetStockObject

  GetEnhMetaFileW

  GetEnhMetaFileBits

  BeginPath

  DeleteDC

  GetLayout

  CreateMetaFileW

  EndPage

  CloseEnhMetaFile

  CreateSolidBrush

  SaveDC

  GetStretchBltMode

  GetTextCharset

  CreatePolyPolygonRgn

  GdiConvertEnhMetaFile

  SetMagicColors

  ArcTo

  GetTransform

  BitBlt

  PlayEnhMetaFile

  GdiConvertBitmapV5

  AbortPath

  CreateEnhMetaFileA

  GdiEntry12

  CreateICW

  GetTextExtentExPointI

  GetCharWidthW

  GdiConvertAndCheckDC

  GdiGetPageCount

  FONTOBJ_pifi

  GetFontUnicodeRanges

  GetEnhMetaFilePixelFormat

  SetLayoutWidth

  GdiConvertDC

  GdiConvertPalette

  PtVisible

  SetBrushOrgEx

  IntersectClipRect

  RemoveFontResourceA

  advapi32

  RegOpenKeyA

  shell32

  DragAcceptFiles

  DoEnvironmentSubstW

  SHFreeNameMappings

  ShellExecuteA

  SHGetDesktopFolder

  SHGetFileInfo

  Shell_NotifyIcon

  SHCreateDirectoryExA

  SHGetInstanceExplorer

  ExtractAssociatedIconExW

  DragQueryFileW

  SHFileOperation

  ExtractIconEx

  SHGetFolderPathA

  FindExecutableW

  SHGetDiskFreeSpaceExW

  ExtractIconExW

  ExtractIconA

  SHIsFileAvailableOffline

  shlwapi

  StrStrA

  StrChrIW

  StrStrW

  StrCmpNIA

  Sections

  .text

  Size: 4KB - Virtual size: 3KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .text5

  Size: 512B - Virtual size: 300B

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .text4

  Size: 512B - Virtual size: 300B

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .text3

  Size: 512B - Virtual size: 300B

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .text2

  Size: 512B - Virtual size: 300B

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 1024B - Virtual size: 573B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 2.0MB - Virtual size: 2.0MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 24KB - Virtual size: 23KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 1024B - Virtual size: 576B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ