General

  • Target

    document-758694650.xls

  • Size

    426KB

  • Sample

    201019-dabb2pvene

  • MD5

    1ef1df84b9922e0b756021b9fc792341

  • SHA1

    12d391b1010a2bf80497b6e84e17aeef9c8999e1

  • SHA256

    58c4853003ebdc9a7fa79bd9bc85a040431fcef61c2510500c17372dbe0ba7f0

  • SHA512

    a876aba1166e4d3cf4a227605e44e534b1c0376aee9eadb09465b9f3f7808d94d2bf0d73ed04ee90abf06980c5b87b2aad3ec091bb1204e474060392444135b6

Malware Config

  • Extracted

  • Family

    qakbot

  • Botnet

    tr01

  • Campaign

    1602688146

  • C2

    73.228.1.246:443
    74.109.219.145:443
    76.111.128.194:443
    90.175.88.99:2222
    108.191.28.158:443
    68.225.60.77:443
    75.136.40.155:443
    5.193.181.221:2078
    72.204.242.138:20
    118.160.162.234:443
    68.14.210.246:22
    148.101.74.12:443
    74.222.204.82:443
    96.30.198.161:443
    140.82.27.132:443
    2.50.131.64:443
    45.32.155.12:995
    45.63.104.123:443
    45.32.165.134:443
    217.162.149.212:443

Targets

    • Target

      document-758694650.xls

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless, for example, the parent process crashes, which usually indicates that an attempt to compromise the parent process failed.

MITRE ATT&CK Enterprise v6

Tasks