qakbot | ce80bb3f99f496156c06ec2a2927497279e6a3b52460c5951ae879d911a4bde6 | Triage

Sharing

General

Target

81f39b11a731fdcb71fdadea1dd8a54f_JaffaCakes118
Size

988KB
Sample

240801-183mlaygpr
MD5

81f39b11a731fdcb71fdadea1dd8a54f
SHA1

79c78ab1ed613be1bb3214283039d89466396380
SHA256

ce80bb3f99f496156c06ec2a2927497279e6a3b52460c5951ae879d911a4bde6
SHA512

d1e0aa4b74f921de3f84884f23c7a4fb4c022792212e70773960229bc9a07fa14d44d9ad4acbc8bd7e0c3bf3bd44e5ef1b88660ada49369f50f579622f5bd79e
SSDEEP

24576:QT+X9Up0s/k/PZ+0gJwNYvfLViPRyqiz5nU76jP/qGO:SeUCGJwNqh8Ryq0Ee/hO

Score

10^/10

qakbot spx16 1569917382 banker discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.91

Botnet

spx16

Campaign

1569917382

C2

71.93.60.90:443

113.77.242.83:443

203.192.232.72:443

98.186.90.192:995

172.78.47.99:443

72.213.98.233:443

76.184.141.236:443

12.5.37.3:443

96.20.238.2:2087

68.225.250.136:443

75.110.90.155:443

96.20.238.2:2078

96.22.239.27:2222

123.252.128.47:443

70.167.72.28:443

2.50.170.151:443

2.177.115.198:443

96.28.229.218:443

67.10.18.112:995

70.183.155.118:80

Targets

- Target
  
  CK_19617_9585862810069.vbs
- Size
  
  2.5MB
- MD5
  
  8d658117310b8089242c9e9c572dde73
- SHA1
  
  6403b791f6d07b13900fdc2a921feb19fe3daf29
- SHA256
  
  5b0e3944fec83a8d868a84247ed664764ba213a1c22bf7618240a4c995fc6c74
- SHA512
  
  2e62354b9259629b94978cca95ffd8c3d1e4fe5fea79a7efe5c14fa378e8f7ae8c630d9805611d9bb71aa40433768a88b018a13040fbdd289c395fd59d3fd77f
- SSDEEP
  
  24576:NC4YmLjKcMR0sjeZavuZ+Ijp6rc6/zo1gcHpXZtJ1f/IiF5dvldb6gyCUrN7YFc+:F5Q/bfdhJFC
Score

10^/10

qakbot spx16 1569917382 banker discovery evasion persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbotspx161569917382bankerdiscoveryevasionpersistencestealertrojan

behavioral2