General

  • Target

    231009-z28plaad66

  • Size

    1.2MB

  • Sample

    240326-qjzjjaea7x

  • MD5

    136b9c85525ba66276b8c9f6b7014b0b

  • SHA1

    0cf5ba13d14c28c60586c7f4b9679925fa4d4172

  • SHA256

    a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

  • SHA512

    0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

  • SSDEEP

    6144:JanAo3boaSrTBRc6nWF84LvSkgNSjEtIovH6DgJG3uhRtSUgnSt9BYbC38g/T4J:JaAKoRrTBHWC4LINSjA/EMGU/SHomaI

Malware Config

Extracted

Family

qakbot

Version

324.142

Botnet

spx133

Campaign

1591267427

C2

49.144.84.21:443

189.159.133.162:995

173.245.152.231:443

77.237.181.212:995

207.255.161.8:2078

76.187.8.160:443

207.255.161.8:2087

98.219.77.197:443

66.222.88.126:995

207.255.161.8:32102

108.58.9.238:995

47.152.210.233:443

1.40.42.4:443

188.27.71.163:443

82.127.193.151:2222

104.50.141.139:995

67.83.54.76:2222

86.126.97.183:2222

73.94.229.115:443

47.35.182.97:443

Targets

    • Target

      231009-z28plaad66

    • Size

      1.2MB

    • MD5

      136b9c85525ba66276b8c9f6b7014b0b

    • SHA1

      0cf5ba13d14c28c60586c7f4b9679925fa4d4172

    • SHA256

      a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4

    • SHA512

      0c02b116029a7d4f4c44988dc6220ed4050c94cab6e57f4aeb29d8edd0b8b59e74c89d6bd62e6e828826f44ebfb478280051ca289ea712c52d5fd113541e2590

    • SSDEEP

      6144:JanAo3boaSrTBRc6nWF84LvSkgNSjEtIovH6DgJG3uhRtSUgnSt9BYbC38g/T4J:JaAKoRrTBHWC4LINSjA/EMGU/SHomaI

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks