Hash / InformaciónValor
SHA25627bb0a8c1d9f9e7eaee26a97bd01f377c1f3048b881107021f60f7804410ebe8
MD5051ca5b22662dc01d89022625def3327
SHA17069a0c061068c500f7254afa0a2f02ad783d18f
Archivo AdiCalculationOfCosts-141075452.zip
Tipo de archivozip
Tamaño114,232 bytes
Primera detección2023-06-14

Tehdit Valorlendirmesi

Bu ornek, hedef sisteme ek zararlı yazılım yuklemek amacıyla tasarlanmis moduler bir yukleyici (loader) olarak tespit edilmistir. Bankacılık trojanları, fidye yazılımları veya diger ikinci asama yukler indirebilmektedir.

Capacidades detectadas

  • Payload Indirme
  • Surec Enjeksiyonu
  • Kalicilik
  • Anti-Analiz
  • Sifrelenmis Iletisim

Etiquetas de MalwareBazaar

obama268QakbotQuakbotzip

Nota de análisis

Bu ornek QakBot ailesine ait ve MalwareBazaar platformundan alınmıstır. KEYDAL Guvenlik Arastirmaları tarafından metadata analizi gerceklestirilmis ve IOC veritabanına eklenmistir.

QakBot — Perfil del malware

QakBot Quakbot banker. Notesvb.msi delivery. Named pipe IPC. Modular architecture.

Tipo de malware
Other
Lenguaje de programación
C++
Protocolo C2
HTTPS
Sistemas objetivo
Windows
También conocido como (AKA)
QBot

Detalles técnicos

QakBot (Qbot/QuakBot) is a banking trojan and loader active since 2007. Features: credential theft, email hijacking for thread hijacking attacks, lateral movement via SMB/psexec, web injection for banking fraud. Delivered via malspam using hijacked email threads (reply-chain attacks). Modules: email collector, credential grabber, network scanner, VNC plugin. Used to deliver Egregor, ProLock, REvil, Black Basta ransomware. FBI "Operation Duck Hunt" disrupted infrastructure August 2023, removing QakBot from 700,000+ infected machines. Attempted comeback Q4 2023 with new delivery methods.

Atribución / Actor de amenaza

Gold Lagoon, TA570 (Shatak)

Capacidades y comportamiento

Zararlı Yazılım Aktivitesi
Kalıcılık Mekanizması
C2 İletişimi
Anti-Analiz

Lista IOC (2 indicadores)

IOC — QakBot
# SHA256 27bb0a8c1d9f9e7eaee26a97bd01f377c1f3048b881107021f60f7804410ebe8 # MD5 051ca5b22662dc01d89022625def3327
TipoValorNota
sha256 27bb0a8c1d9f9e7eaee26a97bd01f377c1f3048b881107021f60f7804410ebe8
md5 051ca5b22662dc01d89022625def3327

Servidores C2 (8 servidores registrados para esta familia)

Dirección Tipo Puerto Protocolo Estado País
95.217.35.154 ip 443 HTTPS inactive FI
upd5.pro domain 443 HTTPS inactive —
upd5.pro domain 443 HTTPS inactive —
metasta.me domain 443 HTTPS inactive —
upd5.pro domain 443 HTTPS inactive —
amacey.com domain 443 HTTPS inactive —
181.174.165.208 ip 443 HTTPS sinkholed AR
212.117.180.232 ip 443 HTTPS sinkholed CH

Las direcciones C2 se proporcionan únicamente a partir de muestras de malware verificadas manualmente por el equipo KEYDAL. Se prohíbe el uso comercial.

Etiquetas
obama268QakbotQuakbotzip