General

  • Target

    document-977179160.xls

  • Size

    426KB

  • Sample

    201019-4kpfmj2bge

  • MD5

    987bd70e6fd14cb3660c336ee8f582e3

  • SHA1

    30697ed7483b089bf84fc4eba42dab5741e36988

  • SHA256

    09f2e1b00dc7d15f243c0e6ee7e2dd59b0d34db61e2bf8575b08abf96bb48c36

  • SHA512

    5a00418791fdcbab1a86f3f569c33be54720449ccca36908d92e22bdc3688017c588b8afbe36bdd84bb7e0660437d859d262e4ef6cdfbf2126c704a64d2a3ee8

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    tr01

  • Campaign

    1602688146

  • C2

    73.228.1.246:443
    74.109.219.145:443
    76.111.128.194:443
    90.175.88.99:2222
    108.191.28.158:443
    68.225.60.77:443
    75.136.40.155:443
    5.193.181.221:2078
    72.204.242.138:20
    118.160.162.234:443
    68.14.210.246:22
    148.101.74.12:443
    74.222.204.82:443
    96.30.198.161:443
    140.82.27.132:443
    2.50.131.64:443
    45.32.155.12:995
    45.63.104.123:443
    45.32.165.134:443
    217.162.149.212:443

Targets

    • Target

      document-977179160.xls

    • Size

      426KB

    • MD5

      987bd70e6fd14cb3660c336ee8f582e3

    • SHA1

      30697ed7483b089bf84fc4eba42dab5741e36988

    • SHA256

      09f2e1b00dc7d15f243c0e6ee7e2dd59b0d34db61e2bf8575b08abf96bb48c36

    • SHA512

      5a00418791fdcbab1a86f3f569c33be54720449ccca36908d92e22bdc3688017c588b8afbe36bdd84bb7e0660437d859d262e4ef6cdfbf2126c704a64d2a3ee8

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless, for example, the parent process crashes; its presence usually indicates an unsuccessful attempt to compromise the parent process.

MITRE ATT&CK Enterprise v6