qakbot | b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b | Triage

Sharing

General

Target

c42e511e79fa6c3b2931080364522dfc_JaffaCakes118
Size

1.8MB
Sample

240827-cd6trsyfnq
MD5

c42e511e79fa6c3b2931080364522dfc
SHA1

413fa44b48570a07420aa1511276bb4c72374cd7
SHA256

b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b
SHA512

d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295
SSDEEP

49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s

Score

10^/10

qakbot spx01 1567608215 banker discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Version

323.79

Botnet

spx01

Campaign

1567608215

C2

72.16.212.107:995

107.12.140.181:443

69.70.37.246:465

66.51.231.183:443

108.160.123.244:443

65.30.12.240:443

47.49.7.42:443

73.202.121.222:443

47.153.115.154:995

47.153.115.154:443

72.29.181.77:2083

104.3.91.20:995

190.144.81.158:995

186.7.117.189:443

50.247.230.33:443

216.221.88.160:443

67.246.16.250:995

107.180.70.163:443

70.169.2.228:21

72.36.14.160:443

Targets

- Target
  
  c42e511e79fa6c3b2931080364522dfc_JaffaCakes118
- Size
  
  1.8MB
- MD5
  
  c42e511e79fa6c3b2931080364522dfc
- SHA1
  
  413fa44b48570a07420aa1511276bb4c72374cd7
- SHA256
  
  b293691f6cf941d9841b65a58f8b75b97e37da6752531bdcfba449ec7fe3128b
- SHA512
  
  d114ffc76a5c9de6bb02228fe84f76e78ebcfcbf28be9f3dd02cfb2f00dfbc38579cee379cfb7adb580b6a5eb54c7d6e37b4fa346fcfea3ab9dd9abecf2b0295
- SSDEEP
  
  49152:lP3fgyBTbzDjvjwSBLoZFVf4d6enfWoKFxCZqOoFBvQC6bztk2KSZxE2i:s
Score

10^/10

qakbot spx01 1567608215 banker discovery evasion persistence stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbotspx011567608215bankerdiscoveryevasionpersistencestealertrojan

behavioral2

qakbotspx011567608215bankerdiscoveryevasionpersistencestealertrojan