qakbot | 798e44b2af6329ac38f144d816096b72889009f44c9d74aefa36c11dbdc5522a | Triage

Sharing

General

Target

32432f63ce811f734d1938060fe83b4c_JaffaCakes118
Size

1.9MB
Sample

240511-cy5gfagc7y
MD5

32432f63ce811f734d1938060fe83b4c
SHA1

e768c6bf965a548f8e8e79413d67998ee5173364
SHA256

798e44b2af6329ac38f144d816096b72889009f44c9d74aefa36c11dbdc5522a
SHA512

d41328ae22eb0768c70567c7759ed9164112c47f4c81ffb3c3b387c0f8fe33b29725d25cd5b8b390c9feca405d9f426cb823ed8ec5b91d7a139ae5de742e9351
SSDEEP

49152:bs87tFIYKrGSBUsthSxelQwz1w9r+U32mIXzTmCc4iMVWS:k

Score

10^/10

qakbot spx04 1568039940 banker evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx04

Campaign

1568039940

C2

190.120.196.18:443

70.169.2.228:21

189.160.191.239:443

174.48.72.160:443

99.231.208.9:443

12.5.37.3:443

173.178.129.3:443

189.236.138.168:443

67.41.197.173:2078

173.172.205.216:443

76.69.181.244:995

70.164.39.91:443

75.131.72.82:443

189.236.214.160:995

199.126.92.231:995

98.224.57.108:443

72.142.106.198:995

98.186.90.192:995

72.36.14.160:443

75.177.172.209:6882

Targets

- Target
  
  32432f63ce811f734d1938060fe83b4c_JaffaCakes118
- Size
  
  1.9MB
- MD5
  
  32432f63ce811f734d1938060fe83b4c
- SHA1
  
  e768c6bf965a548f8e8e79413d67998ee5173364
- SHA256
  
  798e44b2af6329ac38f144d816096b72889009f44c9d74aefa36c11dbdc5522a
- SHA512
  
  d41328ae22eb0768c70567c7759ed9164112c47f4c81ffb3c3b387c0f8fe33b29725d25cd5b8b390c9feca405d9f426cb823ed8ec5b91d7a139ae5de742e9351
- SSDEEP
  
  49152:bs87tFIYKrGSBUsthSxelQwz1w9r+U32mIXzTmCc4iMVWS:k
Score

10^/10

qakbot spx04 1568039940 banker evasion persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

qakbotspx041568039940bankerevasionpersistencestealertrojan

behavioral2

qakbotspx041568039940bankerevasionpersistencestealertrojan