qakbot | 05aa82c819f371f5065bd04ccca6f97957a2930e1eec5eb869e0a4420fb04bb6 | Triage

Sharing

General

Target

05aa82c819f371f5065bd04ccca6f97957a2930e1eec5eb869e0a4420fb04bb6
Size

1.9MB
Sample

240923-xphxas1era
MD5

ca0011efef1a21dd0e4c7f9a472b6ae5
SHA1

c7c1238e9f8e874d8c7a78f535a946d00339db3a
SHA256

05aa82c819f371f5065bd04ccca6f97957a2930e1eec5eb869e0a4420fb04bb6
SHA512

ff6aaa6856961d142499bd3e8bfd1fe2336b02bdc7efbdfb3dc779dc16db5832217c1f92da834f9bb864d37bcb7ac113a4ec6f451c3f40ea842ba4de37f65d5c
SSDEEP

6144:OIfbfTbpOCVXyt576GKRemW5BYBzmhOce9O3e2pBBK6kVnC+jHb:fbwazGKAJ5BGv7B2NK6KlHb

Score

10^/10

qakbot notset 1604404534 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

325.59

Botnet

notset

Campaign

1604404534

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

C2

67.6.55.77:443

89.136.39.108:443

2.50.58.76:443

188.25.158.61:443

45.63.107.192:995

45.32.154.10:443

94.52.160.116:443

45.63.107.192:2222

45.63.107.192:443

72.204.242.138:465

84.117.176.32:443

95.77.223.148:443

47.146.39.147:443

41.225.13.128:8443

80.14.209.42:2222

190.220.8.10:995

66.76.105.194:443

105.101.69.242:443

89.33.87.107:443

75.136.40.155:443

Targets

- Target
  
  05aa82c819f371f5065bd04ccca6f97957a2930e1eec5eb869e0a4420fb04bb6
- Size
  
  1.9MB
- MD5
  
  ca0011efef1a21dd0e4c7f9a472b6ae5
- SHA1
  
  c7c1238e9f8e874d8c7a78f535a946d00339db3a
- SHA256
  
  05aa82c819f371f5065bd04ccca6f97957a2930e1eec5eb869e0a4420fb04bb6
- SHA512
  
  ff6aaa6856961d142499bd3e8bfd1fe2336b02bdc7efbdfb3dc779dc16db5832217c1f92da834f9bb864d37bcb7ac113a4ec6f451c3f40ea842ba4de37f65d5c
- SSDEEP
  
  6144:OIfbfTbpOCVXyt576GKRemW5BYBzmhOce9O3e2pBBK6kVnC+jHb:fbwazGKAJ5BGv7B2NK6KlHb
Score

10^/10

qakbot notset 1604404534 banker discovery stealer trojan
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbotnotset1604404534bankerdiscoverystealertrojan

behavioral2

qakbotnotset1604404534bankerdiscoverystealertrojan