qakbot | 49884cfdeba5b72f5dd80f017cc6efca51d789da77d8dbc577f1df9e595777fc | Triage

Sharing

General

Target

49884cfdeba5b72f5dd80f017cc6efca51d789da77d8dbc577f1df9e595777fcN.exe
Size

564KB
Sample

250216-zntnhsynex
MD5

ff4e3a569da6929f317709161eaca220
SHA1

d4f3dd09d2661930018c0606b1da09fb74325124
SHA256

49884cfdeba5b72f5dd80f017cc6efca51d789da77d8dbc577f1df9e595777fc
SHA512

175a67551a1179169d60a70cdb864fb6779c99556a415fe18b923d8b987792725389a57cffd9d2979d5720725bd96f6b941a4cba22c8fc20d08a60019f4057c6
SSDEEP

12288:P6Uupd48XXIMyXcGbqIo4hve1wHXGnx0me0KaznLxD2JA1:P6UMsrHj3awHWnimjKar1DJ

Score

10^/10

qakbot 1542012699 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

322.618

Campaign

1542012699

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
192.185.73.101
Port:
21
Username:
[email protected]
Password:
XpHexorVzwIO

C2

66.222.88.126:995

174.48.72.160:443

67.84.203.250:2222

109.74.53.179:2222

73.74.72.141:443

216.201.159.118:443

184.180.157.203:2222

207.178.109.161:443

74.88.210.56:995

70.183.154.153:995

50.252.93.122:2222

71.77.135.249:443

69.108.1.191:443

185.219.83.73:443

110.145.8.251:8443

190.185.219.110:443

50.198.141.161:2078

68.53.31.252:443

189.154.159.117:443

71.178.16.202:443

Targets

- Target
  
  49884cfdeba5b72f5dd80f017cc6efca51d789da77d8dbc577f1df9e595777fcN.exe
- Size
  
  564KB
- MD5
  
  ff4e3a569da6929f317709161eaca220
- SHA1
  
  d4f3dd09d2661930018c0606b1da09fb74325124
- SHA256
  
  49884cfdeba5b72f5dd80f017cc6efca51d789da77d8dbc577f1df9e595777fc
- SHA512
  
  175a67551a1179169d60a70cdb864fb6779c99556a415fe18b923d8b987792725389a57cffd9d2979d5720725bd96f6b941a4cba22c8fc20d08a60019f4057c6
- SSDEEP
  
  12288:P6Uupd48XXIMyXcGbqIo4hve1wHXGnx0me0KaznLxD2JA1:P6UMsrHj3awHWnimjKar1DJ
Score

10^/10

qakbot 1542012699 banker discovery stealer trojan
- Qakbot family
  qakbot
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbot1542012699bankerdiscoverystealertrojan

behavioral2

qakbot1542012699bankerdiscoverystealertrojan