qakbot | cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47 | Triage

Sharing

General

Target

03b2d792db2e980074541cdab987796f_JaffaCakes118
Size

4.2MB
Sample

240728-avh3xsxcnk
MD5

03b2d792db2e980074541cdab987796f
SHA1

b6c5f8a7a519c17bf346795de0da3d7839e45dd7
SHA256

cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47
SHA512

1a3b994ab234d9270b2f13b412acaffda2d6e1c342c4d0f571135a62f76f4337f27111c0f4748ce32640ffdd03f30d7d46bab6f46b4dbcf4baedcef196fcbeec
SSDEEP

6144:sGuALcHSh5D4hwxzOmHeYnQ4TXYJchTwAG5v1kPZudyAaXE+wnuo+PpN:fu4hxOmHeYnQ4TXdwMyyAaF

Score

10^/10

qakbot notset 1596817234 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.42

Botnet

notset

Campaign

1596817234

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

C2

47.44.217.98:443

86.97.146.204:2222

65.60.228.130:443

216.201.162.158:443

94.59.24.79:995

108.46.145.30:443

24.139.132.70:443

47.206.174.82:443

188.52.106.206:20

72.204.242.138:6881

173.173.72.199:443

71.163.224.206:443

63.155.9.141:995

100.34.195.237:443

47.39.177.171:2222

96.20.108.17:2222

115.21.224.117:443

70.164.39.91:443

45.47.65.191:443

207.155.107.111:443

Targets

- Target
  
  03b2d792db2e980074541cdab987796f_JaffaCakes118
- Size
  
  4.2MB
- MD5
  
  03b2d792db2e980074541cdab987796f
- SHA1
  
  b6c5f8a7a519c17bf346795de0da3d7839e45dd7
- SHA256
  
  cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47
- SHA512
  
  1a3b994ab234d9270b2f13b412acaffda2d6e1c342c4d0f571135a62f76f4337f27111c0f4748ce32640ffdd03f30d7d46bab6f46b4dbcf4baedcef196fcbeec
- SSDEEP
  
  6144:sGuALcHSh5D4hwxzOmHeYnQ4TXYJchTwAG5v1kPZudyAaXE+wnuo+PpN:fu4hxOmHeYnQ4TXdwMyyAaF
Score

10^/10

qakbot notset 1596817234 banker discovery stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbotnotset1596817234bankerdiscoverystealertrojan

behavioral2

qakbotnotset1596817234bankerdiscoverystealertrojan