Severity
High
Analysis Summary
QakBot is financial malware known to target businesses to drain their online banking accounts. The malware features worm capabilities to self-replicate through shared drives and removable media. It uses powerful information-stealing features to spy on users’ banking activity and eventually defraud them of large sums of money. QakBot is modular, multithread malware whose various components implement online banking credential theft, a backdoor feature, SOCKS proxy, extensive anti-research capabilities and the ability to subvert antivirus (AV) tools. Aside from its evasion techniques, given admin privileges, QakBot’s current variant can disable security software running on the endpoint.
Impact
- Credential Theft
- Unauthorized Access
- Theft of banking information
- Unauthorized Code Execution
- Information theft
Indicators of Compromise
MD5
- 93a7bed84709385e17944885adc299dc
- f63b0c1d293043701fc708c759d4895a
- f7afd1f5e34da090a6175737c622b853
SHA-256
- 2a2e0656f036e46a60f15c1259d75eeb6d26f51a9748969b37cdd28cc20343a2
- ce27a7341c90aa0a0588aeca6a995c8e1966c294cac88da2078bdaebbdc1151d
- 7f97e6d6337b217ab428de65fc72652be1c739c0ba34b9ef1f629ec823131254
- 0ca1bd1d0e4a9733b497c14fc5379fa0894937859e8c40cad0b48154112cc4a4
SHA1
- a8e5d9116f62c9bd475ae7cbb56aafed67cc2ce0
- 712830d521d4c3c46433e8ea6668512d3c9ad63f
- c22a9a3ff849f1f9f4542d3dd4b3b0a3ed5054fa
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment,