General

  • Target

    document-1822227617.xlsb

  • Size

    292KB

  • Sample

    201112-bfdc6xvxbx

  • MD5

    c8cf8414838c8d9413832f6436ebe199

  • SHA1

    e224f6c32b7bfdcb93dc023941e8f659c7d8b447

  • SHA256

    ae9d33113befb8fdfe7dfdcdb1da86cc9593f087b2af1c5c446dcb8b87da33f3

  • SHA512

    3d9ea363803a5691659f44e5a84024bdd9c19c7e77c46f07f1a4c4c2c33b7ff76d055a9fd5fe477b7d7ef8544baea9e6481ff63bfccc22ef62029d1c831a87b0

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://we11wdsgd.com/

rc4.i32
rc4.i32

Extracted

Family

qakbot

Botnet

tr01

Campaign

1604997522

C2

122.61.213.85:443

2.50.89.119:995

189.183.201.0:443

86.98.145.152:2222

96.241.66.126:443

90.101.117.122:2222

94.69.112.148:2222

81.150.181.168:2222

82.127.125.209:2222

81.214.126.173:2222

86.140.82.116:20

172.87.157.235:443

176.181.247.197:443

78.97.110.47:443

5.15.90.117:2222

41.206.131.156:443

151.73.112.67:443

82.127.125.209:990

197.45.110.165:995

81.133.234.36:2222
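The two extracted configurations above are the most useful part of this report for a defender: the Qakbot entries are raw ip:port C2 pairs and the SmokeLoader entry is a URL. The following Python is an added example (not part of the sandbox report) that turns those values into Suricata rules and runs them against a few constructed firewall and DNS log lines. The C2 values are copied verbatim from the report; the log format, rule message text, SID range and the `match_logs` helper are this example's own assumptions, and treating the Qakbot "Campaign" value as a Unix build timestamp is an assumption as well.

```python
"""Turn the extracted Qakbot/SmokeLoader C2 config into detection artifacts.

Added example, not part of the sandbox report. C2 values are copied from the
report; log lines and rule format are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Qakbot (botnet tr01) C2 list, copied from the report: one "ip:port" per line.
QAKBOT_C2 = """
122.61.213.85:443
2.50.89.119:995
189.183.201.0:443
86.98.145.152:2222
96.241.66.126:443
90.101.117.122:2222
94.69.112.148:2222
81.150.181.168:2222
82.127.125.209:2222
81.214.126.173:2222
86.140.82.116:20
172.87.157.235:443
176.181.247.197:443
78.97.110.47:443
5.15.90.117:2222
41.206.131.156:443
151.73.112.67:443
82.127.125.209:990
197.45.110.165:995
81.133.234.36:2222
"""
# SmokeLoader C2, copied from the report.
SMOKELOADER_C2 = ["http://we11wdsgd.com/"]


def parse_c2(entries):
    """Parse 'ip:port' lines into a set of (ip, port); raises on a malformed IP."""
    out = set()
    for line in entries.strip().splitlines():
        host, _, port = line.strip().rpartition(":")
        ipaddress.ip_address(host)  # validate before the value ends up in a rule
        out.add((host, int(port)))
    return out


def c2_domains(urls):
    """Reduce C2 URLs to the lower-cased hostnames a DNS log would show."""
    return {urlparse(u).hostname.lower() for u in urls}


def suricata_rules(c2, domains, sid_base=9000001):
    """Emit one Suricata rule per C2 endpoint. SID range is an arbitrary assumption."""
    rules, sid = [], sid_base
    for ip, port in sorted(c2, key=lambda t: (ipaddress.ip_address(t[0]), t[1])):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Qakbot tr01 C2 {ip}:{port}"; sid:{sid}; rev:1;)')
        sid += 1
    for d in sorted(domains):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"SmokeLoader C2 domain {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


# Constructed log formats (assumed, not from the report): a firewall allow line
# with src/dst/dport fields and a DNS resolver line with client/query fields.
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"client=(?P<src>\S+) query=(?P<qname>\S+)")


def match_logs(lines, c2, domains):
    """Return (source, family, indicator) for every log line that hits a C2."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and (m["dst"], int(m["dport"])) in c2:
            hits.append((m["src"], "qakbot", f'{m["dst"]}:{m["dport"]}'))
            continue
        m = DNS_RE.search(line)
        if m:
            q = m["qname"].rstrip(".").lower()
            if q in domains or any(q.endswith("." + d) for d in domains):
                hits.append((m["src"], "smokeloader", q))
    return hits


def campaign_timestamp(campaign):
    """Decode the Qakbot campaign ID on the assumption that it is a Unix timestamp."""
    return datetime.fromtimestamp(int(campaign), tz=timezone.utc).isoformat()


# Constructed sample logs (not real traffic). Note the hits on 20/tcp and 990/tcp:
# egress rules that allow FTP control/data ports would pass these C2 connections.
SAMPLE_LOGS = [
    "2020-11-12T10:01:02Z fw allow src=10.0.0.5 dst=86.140.82.116 dport=20 proto=tcp",
    "2020-11-12T10:01:09Z fw allow src=10.0.0.5 dst=142.250.74.78 dport=443 proto=tcp",
    "2020-11-12T10:03:44Z dns client=10.0.0.5 query=we11wdsgd.com. type=A",
    "2020-11-12T10:04:10Z fw allow src=10.0.0.9 dst=82.127.125.209 dport=990 proto=tcp",
]

if __name__ == "__main__":
    c2, doms = parse_c2(QAKBOT_C2), c2_domains(SMOKELOADER_C2)
    print("\n".join(suricata_rules(c2, doms)))
    for hit in match_logs(SAMPLE_LOGS, c2, doms):
        print("HIT", hit)
    print("campaign 1604997522 =", campaign_timestamp("1604997522"))
```

Two practical points the list itself makes: 82.127.125.209 appears on both 2222 and 990, so matching on the (ip, port) pair rather than the bare IP avoids missing the second listener, and several C2 ports (20, 990, 2222) are ones that permissive FTP or SSH-alternate egress rules tend to allow, which is why the firewall log is matched on destination port as well as address.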

Targets

    • Target

      document-1822227617.xlsb

    • Qakbot/Qbot

      Qbot or Qakbot is a modular banking trojan with worm-like spreading capabilities.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data, which can include saved credentials, cookies and session tokens.

MITRE ATT&CK Enterprise v6
