General

  • Target

    doc_pack-276661880.xls

  • Size

    62KB

  • Sample

    201020-2q8njr87ts

  • MD5

    83210cb6f84d46fee8980be84d1af519

  • SHA1

    81d385a0a9c23c2f46863a1b16be8cb4d3d4febf

  • SHA256

    af5b6726d3509c8f4f580609bb764ac22fae56956bcd275fb8b011ae17f85899

  • SHA512

    075bb3c5e5b2ffe2df542fbd22ad3c1938b029148df6226089988125fdf8fd6c9aede60121123d433c69d11b1177b11a7160ab8dc7a265715acfd0e324055213

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    tr01

  • Campaign

    1602688146

  • C2

    73.228.1.246:443
    74.109.219.145:443
    76.111.128.194:443
    90.175.88.99:2222
    108.191.28.158:443
    68.225.60.77:443
    75.136.40.155:443
    5.193.181.221:2078
    72.204.242.138:20
    118.160.162.234:443
    68.14.210.246:22
    148.101.74.12:443
    74.222.204.82:443
    96.30.198.161:443
    140.82.27.132:443
    2.50.131.64:443
    45.32.155.12:995
    45.63.104.123:443
    45.32.165.134:443
    217.162.149.212:443

Targets

    • Target

      doc_pack-276661880.xls

    • Size

      62KB

    • MD5

      83210cb6f84d46fee8980be84d1af519

    • SHA1

      81d385a0a9c23c2f46863a1b16be8cb4d3d4febf

    • SHA256

      af5b6726d3509c8f4f580609bb764ac22fae56956bcd275fb8b011ae17f85899

    • SHA512

      075bb3c5e5b2ffe2df542fbd22ad3c1938b029148df6226089988125fdf8fd6c9aede60121123d433c69d11b1177b11a7160ab8dc7a265715acfd0e324055213

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Process spawned suspicious child process

      Such a child process is typically only spawned when, for example, the parent process crashes; this usually indicates an unsuccessful attempt to compromise the parent process.

MITRE ATT&CK Enterprise v6

Tasks