qakbot | 281c8fa1199e5a9a59e98ab46fd01306d6b01aaf9130bb933df501140525db36 | Triage

Sharing

General

Target

2d9a718e60238a696d4616ef279c0a99a05d1fbb2efaded26db1f0c3ba5acde6.zip
Size

5.1MB
Sample

230406-3n1zdahf3s
MD5

f9fa9db9ad256f2ec4e959a4b06c6d4a
SHA1

c3d5f4de22b89fa6bfc15b63b7a47b33242545c4
SHA256

281c8fa1199e5a9a59e98ab46fd01306d6b01aaf9130bb933df501140525db36
SHA512

8ed1be498cfa5ff328846a929c945bc56d225e7cb30373bfcf4b729e5d9f50037ab9bc8f3fa8e1bc4035a367bdfe16b90259ab018ecfd07fe58ba73efe720e4a
SSDEEP

98304:NT8r5DLrAuGTFD95xYCQQ+LrtNaK3/vtvO6nCZ3m/82CzEN+LqWI:RK6JWCQQ+LBNftvOW6ndYtD

Score

10^/10

qakbot tzr01 1649312144 banker stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

qakbot

Version

403.573

Botnet

tzr01

Campaign

1649312144

C2

140.82.49.12:443

182.191.92.203:995

176.67.56.94:443

148.64.96.100:443

47.180.172.159:443

47.23.89.62:995

181.118.183.98:443

1.161.121.58:995

96.21.251.127:2222

119.158.126.69:995

41.228.22.180:443

176.88.238.122:995

66.98.42.102:443

83.110.85.209:443

208.107.221.224:443

172.115.177.204:2222

73.67.152.98:2222

176.205.119.81:2078

46.107.48.202:443

81.215.196.174:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

- Target
  
  2d9a718e60238a696d4616ef279c0a99a05d1fbb2efaded26db1f0c3ba5acde6
- Size
  
  13.5MB
- MD5
  
  a46c696d1afb964a9dc8b838e8978bd2
- SHA1
  
  edc5ee2ebb8a7f7563a102ce5ee35c5c50276cc6
- SHA256
  
  2d9a718e60238a696d4616ef279c0a99a05d1fbb2efaded26db1f0c3ba5acde6
- SHA512
  
  1f2247b49c8e3142bd6d92e5faefd14467de584ccff6d6424d57b1c7974151b7cdc0fb47617077fc2e7cf99d7405785e2d321cbd5a316f2a2f11b3a64328f895
- SSDEEP
  
  49152:LfNqvX0brf57E7CMelJadKe3fUZ5TwEktnXhCLfmP+JhkCXfHz:sv03xQCM/82fUZWXRhqfmP+Jhkkz
Score

10^/10

qakbot tzr01 1649312144 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

qakbottzr011649312144bankerstealertrojan