qakbot | fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806 | Triage

Sharing

General

Target

af285a3f91f3f9aac89875942c03771b_JaffaCakes118
Size

1.0MB
Sample

240615-s7hxsswckh
MD5

af285a3f91f3f9aac89875942c03771b
SHA1

3b1d28087fdb201c6b2191631c60f352c46c630f
SHA256

fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806
SHA512

27c5ac2001812800d18d681c3f97a7d7617b1f6fb4886ac3e612ebca67f1be9684c9716457a2271cb437b492d96f8ec4035199f3d4441565d065a61d383234a0
SSDEEP

24576:4/WmaxvuGNdBd0zcT7JOgygMLgkq8Kxp:K1gNDkcIgygQgwep

Score

10^/10

qakbot xxx02 1543704484 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

322.642

Botnet

xxx02

Campaign

1543704484

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
192.185.73.101
Port:
21
Username:
[email protected]
Password:
XpHexorVzwIO

C2

72.220.211.207:443

174.48.72.160:443

142.197.246.64:443

207.178.109.161:443

69.30.241.245:443

76.124.56.184:443

185.219.83.73:443

184.180.157.203:2222

173.169.15.3:443

71.206.209.190:443

73.130.229.200:443

73.96.172.45:443

174.106.146.89:443

70.183.154.153:995

71.171.94.146:443

70.59.16.36:443

189.175.141.171:443

98.223.98.14:443

71.58.77.120:443

173.27.21.37:995

Targets

- Target
  
  af285a3f91f3f9aac89875942c03771b_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  af285a3f91f3f9aac89875942c03771b
- SHA1
  
  3b1d28087fdb201c6b2191631c60f352c46c630f
- SHA256
  
  fb26dc2598e18c8e9b95a4a3aace4f6c19dee93894eaab8d7d9d31f2b963f806
- SHA512
  
  27c5ac2001812800d18d681c3f97a7d7617b1f6fb4886ac3e612ebca67f1be9684c9716457a2271cb437b492d96f8ec4035199f3d4441565d065a61d383234a0
- SSDEEP
  
  24576:4/WmaxvuGNdBd0zcT7JOgygMLgkq8Kxp:K1gNDkcIgygQgwep
Score

10^/10

qakbot xxx02 1543704484 banker stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbotxxx021543704484bankerstealertrojan

behavioral2

qakbotxxx021543704484bankerstealertrojan