General

  • Target

    8.bin

  • Size

    757KB

  • Sample

    191111-7tn19rbh9x

  • MD5

    37bb4d9f1bd92067748c2d86dc487105

  • SHA1

    aa8ccf3c1a22c3102c604f63964ccf4751d15288

  • SHA256

    eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61

  • SHA512

    da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4

Malware Config

Extracted

Family

qakbot

Campaign

1573401612

Credentials

C2


Targets

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Executes dropped EXE

    • Turns off Windows Defender SpyNet reporting

    • Loads dropped DLL

    • Windows security modification

    • Adds Run entry to start application

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task: T1053 (1)

Persistence

  • Registry Run Keys / Startup Folder: T1060 (1)
  • Modify Existing Service: T1031 (1)
  • Scheduled Task: T1053 (1)

Privilege Escalation

  • Scheduled Task: T1053 (1)

Defense Evasion

  • Disabling Security Tools: T1089 (2)
  • Modify Registry: T1112 (5)

Discovery

  • System Information Discovery: T1082 (3)
  • Query Registry: T1012 (3)
  • Peripheral Device Discovery: T1120 (1)
  • Remote System Discovery: T1018 (1)
