Here is an example of an affected Windows PC / user:
| Type | QakBot Config |
|---|---|
| Loader Build | 404.30 |
| Campaign ID | obama222 |
| Config timestamp | 13:38:39 17-11-2022 |
File Details

| Field | Value |
|---|---|
| Filename | booksellers.tmp |
| File Type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File Size | 799744 bytes |
| MD5 | ba1953484c6e1a848e188f4fdf95546e |
| SHA1 | 4352a670a751c62fe33fecbba6ec9dcf84c591e5 |
| SHA256 | e4525d4812d75697a4b6524258a3e0325e49fce605c1691ba9fb6c2cfd2620ce |
| SHA3-384 | 194d01f60ef3793a76fd0bac3219f06fdc3890cbed0f093a0fae7d2bf3c12fd9e88e36f393b4588a434d0941436ab735 |
| CRC32 | CFB42756 |
| TLSH | T14B053902DD44F27EE5ED0175550D08368E2A2CEF32678862B6B53A5638FF2919CFE427 |
| Ssdeep | 12288:3+ed7zMD42lTz4kgSWdf8+wawM375RGyin7ZlUP9XqcYX:Zd7QUoTzZWdfwTTn3M9XqdX |
Accessed Files (User / PC):
Accessed Registry Keys:
Good thing my user account isn't called Rebecca.
Users who extract a zip from a password-protected zip and then mount an IMG have only themselves to blame.
No clueless or run-of-the-mill user should be savvy enough to do this.
So we are talking about users with a bit more knowledge than just booting up and shutting down.
Their own fault!
Here is one of the latest qBot samples from 18.11.2022, with the lovely title:
Agreement#9999.html
Hybrid-Analysis Report → https://www.hybrid-analysis.com/sample/182d599918881d3a50d89f8cea088ce58b899cfde3d611971d351810ad8b5850/6377dd50dbf3577bb8607103