qakbot | 78bccdfce650d1b0c3023ed1cf7174625e88af831865a926c927a320c1177e10

General

Target

JaffaCakes118_cab72ace08bfd9114939c22f04a5524d
Size

1.1MB
Sample

250109-rzjzfsskgx
MD5

cab72ace08bfd9114939c22f04a5524d
SHA1

4cbc3ac583a001e2a717acd4db8fce69257f57c2
SHA256

78bccdfce650d1b0c3023ed1cf7174625e88af831865a926c927a320c1177e10
SHA512

cdf0c48be3ac5a5f8d15b6183abc3b6bfbc27c0dbf022bf3db4f9d85f33dc6ce3e71b990c75199d79bc4ee64dd782ce9f9ae73c6317e2f87ff789d33efea8438
SSDEEP

24576:/xrHjxsKK2jWSHw3mZZrbcF+tuGp3dA12LS1o2PjWlZn3j/x34:/tHGKJjZHw2ZZrbcF+tzbAMLYoNZ3j/e

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://194.36.191.30/45666.6096484954.dat

xlm40.dropper

http://23.106.122.40/45666.6096484954.dat

xlm40.dropper

http://94.140.112.52/45666.6096484954.dat

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://194.36.191.30/45666.6096425926.dat

xlm40.dropper

http://23.106.122.40/45666.6096425926.dat

xlm40.dropper

http://94.140.112.52/45666.6096425926.dat

Extracted

Family

qakbot

Version

402.363

Botnet

biden53

Campaign

1634717752

C2

103.142.10.177:443

24.152.219.253:995

181.118.183.94:443

129.208.147.188:995

24.119.214.7:443

38.70.253.226:2222

103.143.8.71:443

77.57.204.78:443

65.100.174.110:995

220.255.25.28:2222

91.178.126.51:995

37.210.155.239:995

81.241.252.59:2078

93.48.58.123:2222

65.100.174.110:443

76.25.142.196:443

24.231.209.2:2222

140.82.49.12:443

146.66.238.74:443

39.49.4.147:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

- Target
  
  Account-1579644703.xls
- Size
  
  534KB
- MD5
  
  65a32f108d3c8a6cc8d7813b9892a952
- SHA1
  
  58f1ec7f794a717acfef21f2e1718a80e76d41c5
- SHA256
  
  6410cdf429baab84d583828623814316317029059eb46d8eab9a755bf234c612
- SHA512
  
  5a9e430794bee2f27dd376f98617a718702600d4ef1a069c16da895c0848c2d3b5372ebf9a7fe5dec5a32427503433bef52bd42349a0b65b995175d80054b84a
- SSDEEP
  
  12288:+z7yduBV3IpMiw44f6Mw4ntMe5AofygCuOqPLkH5:mMuBVfQMwe51HCuZPQ
Score

10^/10

discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral1 behavioral2
- Target
  
  Original.dll
- Size
  
  1.2MB
- MD5
  
  b010fb1ea0c950e9b14a331b0da5aac8
- SHA1
  
  243989dc10c90b77ed107cbc066d8cc162fe7ab4
- SHA256
  
  641d48fdf79d0513748ed7044275f35ed5fa27177e5427a38d143d1c3272c40b
- SHA512
  
  6b8376162d9a7c88903280895e4efa133b3bb0a930021e52a591cab9e20c15097056a2b5a260ba9f678bf8409f1deabd687f85852dcf337e46606e4657ccf3f8
- SSDEEP
  
  24576:RzVwOlR/8qI8ixvTyj2AVpIP97+xgbZTekrX:RzVjR/zI8ixyjzS97+xgbZTfrX
Score

10^/10

qakbot biden53 1634717752 banker discovery evasion stealer trojan
- Qakbot family
  qakbot
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Windows security bypass
  evasion trojan
- Loads dropped DLL
behavioral3 behavioral4