qakbot | samples[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

samples.zip
Size

83KB
MD5

8c42fa803a480bf2ee627ec8d1ddb9a1
SHA1

5be3fd49d9eb8b867c953ba81e250564ab4a849c
SHA256

b8474064f2732525940dd425baa784291306f9180234447109f52275d0384272
SHA512

c46baeb5f3a6dc68ca3d162fe94bffccff2952fcee9cef18fbfcad09ab99020fb8204c51f2f5411e97f120d3e5df5761cf6e747c8ae31e74dfae85a2ebba9656
SSDEEP

1536:NSljFS+fknKa2igxnjzHsoDQDwtbTmKPH9b19/3VEWxCiFIjMUxtTpnEn5wrfHx:AljpfkKaK3HbMDmbycOWx4MgtThEnQ5

Score

10^/10

bb32 1686735623 qakbot

Malware Config

Extracted

Family

qakbot

Version

404.1374

Botnet

BB32

Campaign

1686735623

86.129.138.170:443

113.11.92.30:443

12.172.173.82:2087

72.205.104.134:443

84.213.236.225:995

92.186.69.229:2222

1.221.179.74:443

103.141.50.43:995

58.162.223.233:443

96.242.126.116:2222

92.154.17.149:2222

75.109.111.89:443

125.99.76.102:443

80.12.88.148:2222

109.149.147.195:2222

27.99.32.26:2222

70.28.50.223:3389

70.28.50.223:32100

86.97.96.62:2222

66.241.183.99:443

Signatures

Qakbot family
qakbot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/4193943e679dc586e662284d5d4f0ffda297e8459d6471c02122a94622c85b5a

Files

samples.zip
.zip

Password: infected
4193943e679dc586e662284d5d4f0ffda297e8459d6471c02122a94622c85b5a
.dll windows x86

e691d2d770fea3e99dbc2a226b1d5802

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_snprintf
memchr
malloc
_errno
_strtoi64
_vsnprintf
memset
qsort
_ftol2_sse
_vsnwprintf
free
_time64
strncpy
strchr
strtod
localeconv
memcpy
atol

kernel32

FindNextFileW
GetTickCount
SetThreadPriority
FlushFileBuffers
LocalAlloc
GetExitCodeProcess
GetSystemTimeAsFileTime
GetFileAttributesW
MultiByteToWideChar
SetCurrentDirectoryA
Sleep
lstrcmpiW
GetDriveTypeW
GetLastError
CreateDirectoryW
lstrcatA
CreateMutexW
GetCurrentThread
GetProcessId
DisconnectNamedPipe
lstrcmpA
K32GetModuleFileNameExW
MoveFileW
ExitThread
GetNumberFormatA
GetCurrentProcessId
SwitchToThread
GetModuleHandleW
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
GetModuleHandleA
LoadLibraryA
GetCurrentProcess
lstrcatW
WideCharToMultiByte
FindFirstFileW
GetWindowsDirectoryW
SetFileAttributesW
lstrlenW
LoadLibraryW
FreeLibrary
GetCommandLineW
GetVersionExA
GetSystemInfo
GetCurrentDirectoryW

user32

CharUpperBuffA
CharUpperBuffW

shell32

CommandLineToArgvW

ole32

CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SafeArrayGetLBound
SysFreeString
SysAllocString
VariantClear
SafeArrayGetUBound
SafeArrayDestroy
SafeArrayGetElement

Exports

Exports

must

Sections

.text
Size: 98KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

e691d2d770fea3e99dbc2a226b1d5802

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

shell32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 98KB - Virtual size: 97KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 98KB - Virtual size: 97KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 3KB