qakbot | e4f56d12cb38a4963f7e7892bcd2b85484364c196e39af4d1b5d8b8a36d8c8ec | Triage

Sharing

General

Target

e4f56d12cb38a4963f7e7892bcd2b85484364c196e39af4d1b5d8b8a36d8c8ec.exe
Size

564KB
Sample

250217-alfanstmdp
MD5

43f52bc341e6bc7fc5ec02434713df80
SHA1

509d72dd83cd53a620c110fccb7beafe9097c2d3
SHA256

e4f56d12cb38a4963f7e7892bcd2b85484364c196e39af4d1b5d8b8a36d8c8ec
SHA512

bd14c3e95282229a87dce9b6bb2dd6a31cf7a8e94121579e39b7341280f1b7494dbb18a3f72cc4a9f3ac568398f4a8d2e5d6e6b4f373e22534b0f4558d71c249
SSDEEP

12288:P6Uupd48XXIMyXcGbqIo4hve1wHXGnx0me0KaznLxD2JA1h:P6UMsrHj3awHWnimjKar1DJh

Score

10^/10

qakbot 1542012699 banker discovery stealer trojan

Malware Config

Extracted

Family

qakbot

Version

322.618

Campaign

1542012699

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
192.185.73.101
Port:
21
Username:
[email protected]
Password:
XpHexorVzwIO

C2

66.222.88.126:995

174.48.72.160:443

67.84.203.250:2222

109.74.53.179:2222

73.74.72.141:443

216.201.159.118:443

184.180.157.203:2222

207.178.109.161:443

74.88.210.56:995

70.183.154.153:995

50.252.93.122:2222

71.77.135.249:443

69.108.1.191:443

185.219.83.73:443

110.145.8.251:8443

190.185.219.110:443

50.198.141.161:2078

68.53.31.252:443

189.154.159.117:443

71.178.16.202:443

Targets

- Target
  
  e4f56d12cb38a4963f7e7892bcd2b85484364c196e39af4d1b5d8b8a36d8c8ec.exe
- Size
  
  564KB
- MD5
  
  43f52bc341e6bc7fc5ec02434713df80
- SHA1
  
  509d72dd83cd53a620c110fccb7beafe9097c2d3
- SHA256
  
  e4f56d12cb38a4963f7e7892bcd2b85484364c196e39af4d1b5d8b8a36d8c8ec
- SHA512
  
  bd14c3e95282229a87dce9b6bb2dd6a31cf7a8e94121579e39b7341280f1b7494dbb18a3f72cc4a9f3ac568398f4a8d2e5d6e6b4f373e22534b0f4558d71c249
- SSDEEP
  
  12288:P6Uupd48XXIMyXcGbqIo4hve1wHXGnx0me0KaznLxD2JA1h:P6UMsrHj3awHWnimjKar1DJh
Score

10^/10

qakbot 1542012699 banker discovery stealer trojan
- Qakbot family
  qakbot
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

qakbot1542012699bankerdiscoverystealertrojan

behavioral2

qakbot1542012699bankerdiscoverystealertrojan