qakbot | b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba

General

Target

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
Size

536KB
Sample

240508-cr8waadf4z
MD5

4d9add7f38d2bfcfbc3d4bcf3f44e47d
SHA1

c9198de89705f6983a50c445ed1866a24cc9c846
SHA256

b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
SHA512

06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
SSDEEP

6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Extracted

Family

qakbot

Version

322.358

Campaign

1524770894

Credentials

Protocol: ftp
Host:
37.60.244.211
Port:
21
Username:
[email protected]
Password:
4AsEzIaMwi2d

Protocol: ftp
Host:
198.38.77.162
Port:
21
Username:
[email protected]
Password:
kJm6DKVPfyiv

Protocol: ftp
Host:
61.221.12.26
Port:
21
Username:
[email protected]
Password:
346HZGCMlwecz9S

Protocol: ftp
Host:
67.222.137.18
Port:
21
Username:
[email protected]
Password:
p4a8k6fE1FtA3pR

Protocol: ftp
Host:
107.6.152.61
Port:
21
Username:
[email protected]
Password:
RoP4Af0RKAAQ74V

C2

65.40.207.151:995

98.242.248.219:443

96.248.7.111:443

24.240.178.42:995

67.141.64.98:443

12.166.108.82:995

47.223.79.196:993

73.48.132.91:443

24.209.130.208:443

216.16.14.19:443

173.81.42.136:443

209.213.24.194:443

69.129.91.38:443

185.219.83.73:443

70.182.79.66:443

68.49.120.179:443

73.222.54.231:443

66.189.228.49:995

98.190.205.8:443

216.21.168.27:32101

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1

ps1.dropper

https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1

Targets

- Target
  
  b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
- Size
  
  536KB
- MD5
  
  4d9add7f38d2bfcfbc3d4bcf3f44e47d
- SHA1
  
  c9198de89705f6983a50c445ed1866a24cc9c846
- SHA256
  
  b7a00ad06ccceff1cf5fe5c7fed8e0d43b456662721ec668f91681196a1cb3ba
- SHA512
  
  06e86fdfd21bfc8b91f1489bda9e17e27e5bc6855a4f91753353d4d8fbcb645ccef8b70e92eb2e5ed7edad55e87fe75e7a597310e464354313d01a8a6a068d32
- SSDEEP
  
  6144:K3puL8eujbUcqbRI30RYAimlQY1KdZwzlW+2M0WybVGH/Itkug/i03s/nZYIVQV2:R8eSbcRYAplQYU3YlWOdT/pbqUVxg
Score

10^/10

qakbot 1524770894 banker execution persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2