General

  • Target

    b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

  • Size

    536KB

  • Sample

    240508-cr8waadf4z

  • MD5

    4d9add7f38d2bfcfbc3d4bcf3f44e47d

  • SHA1

    c9198de89705f6983a50c445ed1866a24cc9c846

  • SHA256

    b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

  • SHA512

    06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32

  • SSDEEP

    6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1
    https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

  • Family

    qakbot

  • Version

    322.358

  • Campaign

    1524770894 (Qakbot campaign IDs are Unix timestamps; this one decodes to 2018-04-26 19:28 UTC)

Credentials

  • Protocol:
    ftp
  • Host:
    37.60.244.211
  • Port:
    21
  • Username:
    backup_manager@garciasdrywall.com
  • Password:
    4AsEzIaMwi2d

  • Protocol:
    ftp
  • Host:
    198.38.77.162
  • Port:
    21
  • Username:
    backup_manager@worldexpresscargo.com
  • Password:
    kJm6DKVPfyiv

  • Protocol:
    ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    logger@ostergift.com
  • Password:
    346HZGCMlwecz9S

  • Protocol:
    ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    logger@grupocrepusculo.net
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:
    ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    logger@trussedup.com
  • Password:
    RoP4Af0RKAAQ74V

C2

65.40.207.151:995

98.242.248.219:443

96.248.7.111:443

24.240.178.42:995

67.141.64.98:443

12.166.108.82:995

47.223.79.196:993

73.48.132.91:443

24.209.130.208:443

216.16.14.19:443

173.81.42.136:443

209.213.24.194:443

69.129.91.38:443

185.219.83.73:443

70.182.79.66:443

68.49.120.179:443

73.222.54.231:443

66.189.228.49:995

98.190.205.8:443

216.21.168.27:32101

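The extracted config above is only useful once it reaches a detection pipeline. The Python below is an added example (not part of the sandbox report and not code from the sample) that turns the report's C2 list and the FTP hosts from the Credentials block into IOCs, flags the one C2 port that is not a standard TLS port, and matches the IOCs against firewall log lines. The log lines, their key=value format, the 10.0.0.x source hosts and the `qakbot-*` labels are assumptions constructed for the example; the IP addresses and ports are the ones listed on this page.

```python
"""Turn the Qakbot config extracted above into network IOCs and match them
against connection logs. Added example, not part of the sandbox report."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# C2 endpoints copied verbatim from the report's "C2" block.
C2_BLOCK = """
65.40.207.151:995
98.242.248.219:443
96.248.7.111:443
24.240.178.42:995
67.141.64.98:443
12.166.108.82:995
47.223.79.196:993
73.48.132.91:443
24.209.130.208:443
216.16.14.19:443
173.81.42.136:443
209.213.24.194:443
69.129.91.38:443
185.219.83.73:443
70.182.79.66:443
68.49.120.179:443
73.222.54.231:443
66.189.228.49:995
98.190.205.8:443
216.21.168.27:32101
"""

# FTP servers from the report's "Credentials" block (all on port 21).
FTP_HOSTS = ["37.60.244.211", "198.38.77.162", "61.221.12.26",
             "67.222.137.18", "107.6.152.61"]

# Ports this C2 list blends into normal TLS traffic with; anything else stands out.
COMMON_TLS_PORTS = {443, 993, 995}


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    label: str


def parse_c2_block(text: str) -> list[Ioc]:
    """Parse 'ip:port' lines; a malformed address raises ValueError rather than
    silently producing an IOC that can never match."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ipaddress.ip_address(host)
        iocs.append(Ioc(host, int(port), "qakbot-c2"))
    return iocs


def build_iocs() -> list[Ioc]:
    return parse_c2_block(C2_BLOCK) + [Ioc(h, 21, "qakbot-ftp") for h in FTP_HOSTS]


def unusual_ports(iocs: list[Ioc]) -> list[Ioc]:
    """C2 entries on ports that egress filtering would not normally allow."""
    return [i for i in iocs if i.label == "qakbot-c2" and i.port not in COMMON_TLS_PORTS]


# Constructed firewall log lines (assumed key=value format, not from the report).
SAMPLE_LOG = """
2024-05-08T10:01:02Z action=allow src=10.0.0.5 dst=216.21.168.27 dport=32101 proto=tcp
2024-05-08T10:01:05Z action=allow src=10.0.0.5 dst=142.250.72.14 dport=443 proto=tcp
2024-05-08T10:02:11Z action=allow src=10.0.0.7 dst=65.40.207.151 dport=995 proto=tcp
2024-05-08T10:02:40Z action=allow src=10.0.0.7 dst=65.40.207.151 dport=80 proto=tcp
2024-05-08T10:03:00Z action=allow src=10.0.0.9 dst=61.221.12.26 dport=21 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_log(log_text: str, iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """Return (src, dst:port, label) for each line whose destination is an IOC.
    An exact ip+port hit is a confirmed contact; the same IP on another port
    is reported as '<label>-ip-only' so it is triaged, not auto-blocked."""
    exact = {(i.ip, i.port): i.label for i in iocs}
    by_ip = {i.ip: i.label for i in iocs}
    hits = []
    for m in LOG_RE.finditer(log_text):
        dst, port = m["dst"], int(m["dport"])
        if (dst, port) in exact:
            hits.append((m["src"], f"{dst}:{port}", exact[(dst, port)]))
        elif dst in by_ip:
            hits.append((m["src"], f"{dst}:{port}", by_ip[dst] + "-ip-only"))
    return hits


if __name__ == "__main__":
    iocs = build_iocs()
    print(f"{len(iocs)} IOCs; non-standard C2 ports: {unusual_ports(iocs)}")
    for hit in match_log(SAMPLE_LOG, iocs):
        print("HIT", *hit)
```

Two caveats when using this against real traffic. First, Qakbot's first-tier C2 addresses are typically infected hosts acting as proxies, and the campaign ID dates this config to 2018, so the IP list ages quickly and an ip-only hit deserves a look at the destination's current ownership before blocking. Second, the two dropper URLs in the ps1.dropper block live under dropbox.com; alert on the full path (`/s/41zf98knyy5atko/001_01.ps1` and `/s/dh8flnrogfq1h1w/001.ps1`) in proxy logs rather than on the shared domain.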

Targets

    • Target

      b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

    • Size

      536KB

    • MD5

      4d9add7f38d2bfcfbc3d4bcf3f44e47d

    • SHA1

      c9198de89705f6983a50c445ed1866a24cc9c846

    • SHA256

      b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

    • SHA512

      06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32

    • SSDEEP

      6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

    • Qakbot/Qbot

      Qbot or Qakbot is a modular banking trojan and loader with worm-like spreading capabilities.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
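Of the behaviours listed above, the Run key write is the one a host-based sensor sees directly: Sysmon Event ID 13 (RegistryEvent, value set) records the key, the value written and the process that wrote it. The Python below is an added example (not part of the sandbox report) that scores such events for T1547.001. It normalizes Sysmon's `HKU\<SID>\...` and `Wow6432Node` paths so one rule covers per-user, machine-wide and 32-bit Run keys, and weights a write higher when a script host such as powershell.exe is the writer or the autostart target sits in a user-writable directory. The JSON-lines events, SIDs, paths and value names are constructed for the example. The country-code lookup behind "Checks computer location settings" is a registry read, which Sysmon does not log; the sandbox observes it through API monitoring, and this detector does not cover it.

```python
"""Score Sysmon registry events for Run-key persistence (T1547.001).
Added example; the events below are constructed, not taken from this report."""
import json
import re
from typing import Optional

# Constructed Sysmon records as JSON lines. Field names follow Sysmon's schema
# (EventID, Image, TargetObject, Details); the SIDs, images and values are made up.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bvdtuw", "Details": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Wudtre\\wudtre.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray", "Details": "\"C:\\Program Files (x86)\\Vendor\\tray.exe\" /background"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Details": ""}
"""

# A value directly under Run or RunOnce, after normalization of the hive prefix.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Directories any user can write to; an autostart pointing here is far more
# suspicious than one under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Script hosts and LOLBins that legitimately touch the registry but rarely
# install their own autostart entries.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}


def normalize_key(target: str) -> str:
    """Map HKU\\<SID>\\... to HKCU and drop the Wow6432Node redirect so the
    same regex matches per-user, machine-wide and 32-bit-on-64-bit Run keys."""
    key = re.sub(r"^HKU\\S-1-5-21-[\d-]+(_Classes)?\\", r"HKCU\\", target, flags=re.IGNORECASE)
    key = re.sub(r"^HKLM\\SOFTWARE\\Wow6432Node\\", r"HKLM\\SOFTWARE\\", key, flags=re.IGNORECASE)
    return key


def score_event(ev: dict) -> Optional[tuple]:
    """Return (score, reasons) for a Run-key value set, or None if not one."""
    if ev.get("EventID") != 13:
        return None  # only value-set events carry the autostart command itself
    key = normalize_key(ev["TargetObject"])
    if not RUN_KEY_RE.match(key):
        return None
    reasons = ["run-key-write"]
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in SCRIPT_HOSTS:
        reasons.append(f"written-by-{image}")
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        reasons.append("target-in-user-writable-dir")
    return len(reasons), reasons


def detect(events_jsonl: str) -> list:
    """Run score_event over JSON-lines input and return one alert per hit."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        scored = score_event(ev)
        if scored:
            score, reasons = scored
            alerts.append({"key": normalize_key(ev["TargetObject"]),
                           "value": ev["Details"], "image": ev.get("Image", ""),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["key"], "->", alert["value"], alert["reasons"])
```

The legitimate installer in the sample scores 1 and the PowerShell-written value under AppData scores 3, which is the split you want: a score of 1 is a review queue, 3 is a page. In a live pipeline, pair the alert with the Sysmon Event ID 1 (process creation) for the writing process to recover the command line, which for a dropper like the one in this report is where the downloaded script's origin shows.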

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                               Hits  ID
  Execution              Command and Scripting Interpreter       1     T1059
                           PowerShell                            1     T1059.001
  Persistence            Boot or Logon Autostart Execution       1     T1547
                           Registry Run Keys / Startup Folder    1     T1547.001
  Privilege Escalation   Boot or Logon Autostart Execution       1     T1547
                           Registry Run Keys / Startup Folder    1     T1547.001
  Defense Evasion        Modify Registry                         1     T1112
  Discovery              Query Registry                          2     T1012
                         System Information Discovery            3     T1082
                         Peripheral Device Discovery             1     T1120
                         Remote System Discovery                 1     T1018
