qakbot | eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61 | Triage

Sharing

General

Target

8.bin
Size

757KB
Sample

191111-7tn19rbh9x
MD5

37bb4d9f1bd92067748c2d86dc487105
SHA1

aa8ccf3c1a22c3102c604f63964ccf4751d15288
SHA256

eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
SHA512

da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4

Score

10^/10

qakbot 1573401612 banker evasion persistence stealer trojan

Malware Config

Extracted

Family

qakbot

Campaign

1573401612

Credentials

Protocol: ftp
Host:
192.185.5.208
Port:
21
Username:
[email protected]
Password:
NxdkxAp4dUsY

Protocol: ftp
Host:
162.241.218.118
Port:
21
Username:
[email protected]
Password:
EcOV0DyGVgVN

Protocol: ftp
Host:
69.89.31.139
Port:
21
Username:
[email protected]
Password:
fcR7OvyLrMW6!

Protocol: ftp
Host:
169.207.67.14
Port:
21
Username:
[email protected]
Password:
eQyicNLzzqPN

C2

50.246.229.50:443

74.134.35.54:443

75.110.219.10:443

65.16.241.150:443

74.134.4.236:443

182.56.93.78:995

184.191.62.78:443

76.181.237.223:443

2.50.41.185:443

107.12.140.181:443

72.29.181.77:2078

73.137.187.150:443

71.93.60.90:443

72.46.151.196:995

173.233.182.249:443

67.10.18.112:993

181.47.60.21:995

97.83.66.143:443

184.74.101.234:995

181.1.204.139:443

Targets

- Target
  
  8.bin
- Size
  
  757KB
- MD5
  
  37bb4d9f1bd92067748c2d86dc487105
- SHA1
  
  aa8ccf3c1a22c3102c604f63964ccf4751d15288
- SHA256
  
  eb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61
- SHA512
  
  da67ef1ef3ddfc7c3a9bbc6d0bc42935ac737f2fbf98a102a0aef92358e20b94163701e21786447c56d772f5c0a16170834c1b34b0ce0ae93ac2d20f4ad7a4b4
Score

10^/10

trojan banker stealer qakbot persistence evasion
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Turns off Windows Defender SpyNet reporting
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run entry to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Modifies service
  persistence
task1 task2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

task1

persistenceevasiontrojanspreadingfamilyqakbot

task2

persistenceevasiontrojanspreadingfamilyqakbot