QakBot Main Core Configuration

Source: X-Force IBM blog 

Sample MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3
Full core QakBot config: Github


Here is the excerpt from the sample's .cfg that lists the targeted financial institutions (MD5: 8a3ab5d3fa3644ec1829e7825b0a22a3):

The targeted financial institutions appear to be as follows:

cfg[.]tdetreasury[.]tdbank[.]com;cmoltp[.]bbt[.]com;cashmanageronline[.]bbt[.]com;[.]hsbcnet[.]com;ebc_ebc;blilk[.]com;bankeft[.]com;cmol[.]bbt[.]com;securentrycorp[.]zionsbank[.]com;tmcb[.]zionsbank[.]com;[.]web-access[.]com;nj00-wcm;commercial[.]bnc[.]ca;/clkccm/;paylinks[.]cunet[.]org;e-facts[.]org;accessonline[.]abnamro[.]com;providentnjolb[.]com;firstmeritib[.]com;corporatebanking;firstmeritib[.]com/defaultcorp[.]aspx;e-moneyger[.]com;jsp/mainWeb[.]jsp;svbconnect[.]com;premierview[.]membersunited[.]org;each[.]bremer[.]com;iris[.]sovereignbank[.]com;/wires/;paylinks[.]cunet[.]org;securentrycorp[.]amegybank[.]com;businessbankingcenter[.]synovus[.]com;businessinternetbanking[.]synovus[.]com;ocm[.]suntrust[.]com;otm[.]suntrust[.]com;cashproonline[.]bankofamerica[.]com;singlepoint[.]usbank[.]com;netconnect[.]bokf[.]com;business-eb[.]ibanking-services[.]com;cashproonline[.]bankofamerica[.]com;/cashplus/;ebanking-services[.]com;/cashman/;web-cashplus[.]com;treas-mgt[.]frostbank[.]com;businesseb[.]ibanking-services[.]com;treasury[.]pncbank[.]com;access[.]jpmorgan[.]com;tssportal[.]jpmorgan[.]com;ktt[.]key[.]com;onlineserv/CM;premierview[.]membersunited[.]org;directline4biz[.]com;[.]webcashmgmt[.]com;tmconnectweb;moneymanagergps[.]com;ibc[.]klikbca[.]com;directpay[.]wellsfargo[.]com;express[.]53[.]com;ctm[.]53[.]com;itreasury[.]regions[.]com;itreasurypr[.]regions[.]com;cpw-achweb[.]bankofamerica[.]com;businessaccess[.]citibank[.]citigroup[.]com;businessonline[.]huntington[.]com;/cmserver/;goldleafach[.]com;iachwellsprod[.]wellsfargo[.]com;achbatchlisting;/achupload;commercial2[.]wachovia[.]com;commercial3[.]wachovia[.]com;commercial4[.]wachovia[.]com;wc[.]wachovia[.]com;commercial[.]wachovia[.]com;wcp[.]wachovia[.]com;chsec[.]wellsfargo[.]com;wellsoffice[.]wellsfargo[.]com;/ibws/;/stbcorp/;/payments/ach;trz[.]tranzact[.]org;/wiret;/payments/ach;cbs[.]firstcitizensonline[.]com;/corpach/;scotiaconnect[.]scotiabank[.]com;webexpress[.]tdbank[.]com;businessonline[.]tdbank[.]com;/wcmpw/;/wcmpr/;wcmtr/;tcfexpressbusiness[.]com;trz[.]tranzact[.]org
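As an added example (not code from this post or from IBM X-Force), here is a small Python parser that turns the defanged list above into a structured watchlist for defenders: it refangs the `[.]` notation, separates specific host names from domain suffixes, bare keywords and URL-path fragments, reports entries that appear more than once, and checks constructed proxy-log URLs against the patterns so an analyst can see which of their own banking portals the sample watches. The embedded `TARGET_LIST` is a short excerpt of the page's list, the URLs are constructed, and the case-insensitive substring match in `url_matches()` is an assumption about how the sample consumes the list, not documented bot behaviour.

```python
"""Parse the defanged QakBot target list into a structured watchlist.

Added example, not code from the blog post or from IBM X-Force. TARGET_LIST
is an excerpt of the page's own defanged list (so it is incomplete), and the
substring-match semantics in url_matches() are an assumption about how the
sample applies the list.
"""
from collections import Counter

# Excerpt of the page's defanged list (constructed subset of the full string).
TARGET_LIST = (
    "cfg[.]tdetreasury[.]tdbank[.]com;cmoltp[.]bbt[.]com;[.]hsbcnet[.]com;"
    "ebc_ebc;blilk[.]com;/wires/;paylinks[.]cunet[.]org;"
    "firstmeritib[.]com/defaultcorp[.]aspx;jsp/mainWeb[.]jsp;"
    "premierview[.]membersunited[.]org;onlineserv/CM;premierview[.]membersunited[.]org;"
    "paylinks[.]cunet[.]org;/payments/ach;trz[.]tranzact[.]org;/payments/ach;"
    "businessonline[.]tdbank[.]com;trz[.]tranzact[.]org"
)


def refang(entry: str) -> str:
    """Turn the blog's defanged form (a[.]b) back into the real pattern (a.b)."""
    return entry.replace("[.]", ".")


def parse_targets(cfg: str) -> list[str]:
    """Split the ';'-separated config string into refanged, non-empty entries,
    preserving order and duplicates so they can be reported."""
    return [refang(e.strip()) for e in cfg.split(";") if e.strip()]


def classify(pattern: str) -> str:
    """Bucket a pattern by how it would be matched against a URL."""
    if "/" in pattern:
        return "url_fragment"   # path or host+path, e.g. /wires/, onlineserv/CM
    if pattern.startswith("."):
        return "domain_suffix"  # any host under the domain, e.g. .hsbcnet.com
    if "." in pattern:
        return "host"           # one specific host name
    return "keyword"            # bare token such as ebc_ebc


def summarize(cfg: str) -> dict:
    """Return unique patterns, per-category counts and duplicated entries."""
    entries = parse_targets(cfg)
    counts = Counter(entries)
    unique = list(dict.fromkeys(entries))  # order-preserving dedup
    by_kind = Counter(classify(p) for p in unique)
    return {
        "total": len(entries),
        "unique": unique,
        "by_kind": dict(by_kind),
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
    }


def url_matches(url: str, patterns: list[str]) -> list[str]:
    """Return the patterns that occur in the URL (case-insensitive substring
    match; an assumption about how the sample applies the list)."""
    u = url.lower()
    return [p for p in patterns if p.lower() in u]


if __name__ == "__main__":
    report = summarize(TARGET_LIST)
    print(f"{report['total']} entries, {len(report['unique'])} unique")
    print("by kind:", report["by_kind"])
    print("duplicates:", report["duplicates"])
    # Constructed proxy-log URLs, not real traffic.
    for url in ("https://businessonline.tdbank.com/login",
                "https://example.com/wires/new",
                "https://www.example.com/about"):
        print(url, "->", url_matches(url, report["unique"]))
```

Run against the full string from the page, `summarize()` shows the same traits visible in the excerpt: several entries are repeated verbatim, and a sizable share are path fragments or bare keywords rather than host names, so a watchlist built only from domains would miss part of what the sample reacts to.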
