qakbot | old_unpacked_qbot[.]bin

Resubmissions

31-10-2023 16:23

231031-tvvw9sba41 10

25-10-2023 22:14

231025-15mf7sha9z 10

Sharing

Copy URL

Twitter E-mail

General

Target

old_unpacked_qbot.bin
Size

120KB
MD5

35927b301d9cd6c33a927b97dccf6266
SHA1

1ccb9ec68f0fd685a58b1b6d2e78ba3b878783da
SHA256

18df034ee69d675ce1b04b95569154f0e3fe41c8bd6a00e59e8dae24b41ed7f7
SHA512

0cbbe3dbc6fea05760801bb812a8eac2b981f55a45aa994112e822e9f8f6741ae5052bab25dd1ab29d65e4b05fe353a0c796b9f8c0ddc4d89a03c13da69e081b
SSDEEP

1536:DCEh82pWrjickOZol59ZJkCZuH6cYTUk8JrNZmwmIOvnToIfwsbuYkR:WH5r+ckl57J4HpYTaJBZfE/TBfwkuYk

Score

10^/10

obama125 1636625439 qakbot

Malware Config

Extracted

Family

qakbot

Version

403.2

Botnet

obama125

Campaign

1636625439

117.198.155.237:443

190.73.3.148:2222

63.143.92.99:995

216.238.71.31:443

216.238.72.121:995

216.238.71.31:995

216.238.72.121:443

105.198.236.99:995

136.232.34.70:443

41.37.243.129:443

140.82.49.12:443

71.13.93.154:2222

96.246.158.154:995

102.65.38.57:443

71.13.93.154:6881

123.252.190.14:443

45.9.20.200:2211

136.143.11.232:443

103.143.8.71:995

103.142.10.177:443

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot family
qakbot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
old_unpacked_qbot.bin

Files

old_unpacked_qbot.bin
.dll regsvr32 windows:6 windows x86

7b3bf330d8b8bdc633b50cd4fbfebe95

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

ws2_32

inet_ntoa

msvcrt

localeconv
strtod
strchr
strncpy
_time64
malloc
free
memset
memchr
_strtoi64
_ftol2_sse
_vsnwprintf
memcpy
atol
_errno
qsort
_snprintf
_vsnprintf

kernel32

GetWindowsDirectoryW
GetSystemInfo
GetTickCount
LoadLibraryW
FlushFileBuffers
GetVersionExA
lstrcmpiA
LocalAlloc
SetFileAttributesW
FindNextFileW
FindFirstFileW
GetExitCodeProcess
GetCurrentProcess
CreateMutexA
lstrcmpA
DuplicateHandle
GetCurrentThread
lstrcpynA
GetLastError
lstrcatA
CreateDirectoryW
DisconnectNamedPipe
lstrcpynW
GetProcessId
lstrcatW
lstrcpyW
GetCurrentProcessId
lstrcmpiW
SetLastError
OutputDebugStringA
GetModuleFileNameW
GetFileAttributesW
GetModuleHandleA
MultiByteToWideChar
GetDriveTypeW
K32GetModuleFileNameExW
MoveFileW
SwitchToThread
GetProcAddress
HeapCreate
HeapFree
HeapAlloc
WideCharToMultiByte
LoadLibraryA
FreeLibrary
GetSystemTimeAsFileTime
SetThreadPriority
CreatePipe

user32

DestroyWindow
CreateWindowExA
UnregisterClassA
RegisterClassExA
CharUpperBuffA
DefWindowProcA
CharUpperBuffW

ole32

CoInitializeSecurity
CoSetProxyBlanket
CoCreateInstance
CoInitializeEx

oleaut32

SafeArrayDestroy
SafeArrayGetUBound
SafeArrayGetElement
SafeArrayGetLBound
SysFreeString
VariantClear
SysAllocString

Exports

Exports

DllRegisterServer

Sections

.text
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

7b3bf330d8b8bdc633b50cd4fbfebe95

Headers

File Characteristics

Imports

ws2_32

msvcrt

kernel32

user32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 90KB - Virtual size: 90KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 6KB - Virtual size: 5KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 90KB - Virtual size: 90KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 3KB