General

  • Target

    document-1658613562.xls

  • Size

    331KB

  • Sample

    201127-wcm3hqwx2a

  • MD5

    788d89c39b3eb92554b053245fe5a787

  • SHA1

    f3a32568579e1dc59a879971fd49be2cb6d1a9e3

  • SHA256

    abe7a1b04a5e1df32dfc86d61c0ec46f502a5435c1e516ff0d47fab8f8068e2a

  • SHA512

    2595528a93e5a57f6696de11c92b624abe9680e010a3e5a161fe761eada9f3217bbac8ed75db52c22dd2b3be3dd0e906199533a5c267a193df7818ebb7aa4935

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    tr02

  • Campaign

    1606301054

  • C2 (IPv4:port, TCP)

    59.98.96.143:443
    86.122.248.164:2222
    101.185.175.169:2222
    71.187.170.235:443
    92.59.35.196:2222
    188.52.193.110:995
    90.175.88.99:2222
    37.107.111.46:995
    96.237.141.134:995
    2.50.143.154:2078
    109.205.204.229:2222
    90.101.62.189:2222
    41.228.220.155:443
    190.128.215.174:443
    188.26.243.119:443
    79.113.247.80:443
    82.76.47.211:443
    73.248.120.240:443
    72.36.59.46:2222
    74.129.26.119:443
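
The extracted configuration above, turned into actionable indicators, as an added example that is not part of the sandbox report: it re-validates the C2 list, decodes the campaign ID (Qakbot campaign IDs are Unix timestamps), profiles the listening ports, checks a retrieved file against the listed digests, and emits one Suricata rule per C2. The SID range and the $HOME_NET variable are assumptions for a local IDS deployment. A caveat worth keeping in mind: Qakbot's first-tier C2 addresses of this period are largely residential IPs of infected hosts used as proxies, so the list is time-bounded and should be expired, not blocked indefinitely.

```python
"""Turn the extracted Qakbot config into checkable and deployable indicators.

Added example, not part of the sandbox report. Hashes and C2 list are copied
from the report above; the Suricata SID range and $HOME_NET are assumptions.
"""
from __future__ import annotations

import hashlib
import ipaddress
from collections import Counter
from datetime import datetime, timezone

FAMILY, BOTNET, CAMPAIGN = "qakbot", "tr02", 1606301054

# File identity as reported; used to confirm a retrieved sample is the same object.
REPORT_HASHES = {
    "md5": "788d89c39b3eb92554b053245fe5a787",
    "sha1": "f3a32568579e1dc59a879971fd49be2cb6d1a9e3",
    "sha256": "abe7a1b04a5e1df32dfc86d61c0ec46f502a5435c1e516ff0d47fab8f8068e2a",
    "sha512": "2595528a93e5a57f6696de11c92b624abe9680e010a3e5a161fe761eada9f3217bbac8ed75db52c22dd2b3be3dd0e906199533a5c267a193df7818ebb7aa4935",
}

# C2 endpoints exactly as listed in the report (IPv4:port, TCP).
C2_RAW = """
59.98.96.143:443
86.122.248.164:2222
101.185.175.169:2222
71.187.170.235:443
92.59.35.196:2222
188.52.193.110:995
90.175.88.99:2222
37.107.111.46:995
96.237.141.134:995
2.50.143.154:2078
109.205.204.229:2222
90.101.62.189:2222
41.228.220.155:443
190.128.215.174:443
188.26.243.119:443
79.113.247.80:443
82.76.47.211:443
73.248.120.240:443
72.36.59.46:2222
74.129.26.119:443
"""

def digests(data: bytes) -> dict[str, str]:
    """Compute the four digests the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}

def matches_report(data: bytes) -> bool:
    """True only if every digest agrees; one mismatch means a different file."""
    return digests(data) == REPORT_HASHES

def parse_c2(raw: str) -> list[tuple[str, int]]:
    """Validate host:port lines; a typo or a private address must not become a rule."""
    endpoints = []
    for line in raw.split():
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {line!r}")
        addr = ipaddress.ip_address(host)
        if not addr.is_global:
            raise ValueError(f"non-routable C2 address {line!r}")
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"bad port in {line!r}")
        endpoints.append((str(addr), port_num))
    return endpoints

def campaign_timestamp(campaign_id: int) -> datetime:
    """Qakbot campaign IDs are Unix epoch seconds of the campaign build."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)

def port_profile(endpoints: list[tuple[str, int]]) -> dict[int, int]:
    """Number of C2s per port; 443/995/2222 is the usual Qakbot mix."""
    return dict(Counter(port for _, port in endpoints))

def suricata_rules(endpoints: list[tuple[str, int]], sid_base: int = 9000000) -> list[str]:
    """One outbound-connection alert per C2 (sid_base is an assumed local range)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{FAMILY} {BOTNET} C2 {ip}:{port}"; '
        f"flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        for i, (ip, port) in enumerate(endpoints)
    ]

if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print("campaign built:", campaign_timestamp(CAMPAIGN).isoformat())
    print("ports:", port_profile(c2))
    print("\n".join(suricata_rules(c2)))
```

Decoding 1606301054 gives 2020-11-25 10:44:14 UTC, two days before the date prefix of the sample ID (201127), which is the usual gap between a Qakbot build and its appearance in sandboxes; a campaign ID that decodes to a date after the submission date would indicate a mis-parsed config. The port profile (nine C2s on 443, seven on 2222, three on 995, one on 2078) is the typical Qakbot spread and is a quick sanity check that the extracted list is genuine.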

Targets

    • Target

      document-1658613562.xls

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qakbot (Qbot) is a banking trojan and modular loader that steals credentials and browser and e-mail data and can spread across a network with worm-like lateral movement; the "worm" label refers to that spreading, not to the initial infection, which here is a malicious Excel document.

    • Suspicious use of NtCreateProcessExOtherParentProcess

      A process was created with a parent other than the calling process (parent-PID spoofing), which falsifies the parent/child lineage that detections such as the one above rely on.

    • Loads dropped DLL
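
Detection logic for the "Process spawned unexpected child process" signature, as an added example that is not code from the sandbox: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId) and flags any child of an Office host that is not on a benign baseline or runs from a user-writable path. The baseline, the path heuristic, and the sample events (the regsvr32 and update.exe children, the analyst user name, the payload file names) are assumptions; the report does not name what this document spawned. Because the report also flags NtCreateProcessExOtherParentProcess, the recorded parent can itself be spoofed, so a clean lineage in such logs is not proof of a clean process.

```python
"""Flag Office hosts spawning children outside a known-good baseline.

Added example, not part of the sandbox report. Records are constructed in the
shape of Sysmon Event ID 1 fields; the baseline and path heuristics are
assumptions to be tuned per environment.
"""
from __future__ import annotations

import ntpath

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office host is expected to start (assumed baseline; tune locally).
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe", "msoia.exe"}
# Path fragments treated as user-writable locations (assumed heuristic).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()

def in_user_writable_dir(path: str) -> bool:
    """True if the image sits somewhere an unprivileged user could have written it."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)

def unexpected_office_children(events: list[dict]) -> list[dict]:
    """One finding per process whose parent is an Office host and whose image is
    either off the baseline or located in a user-writable directory."""
    findings = []
    for ev in events:
        parent = image_name(ev["ParentImage"])
        if parent not in OFFICE_HOSTS:
            continue
        child = image_name(ev["Image"])
        reasons = []
        if child not in BENIGN_CHILDREN:
            reasons.append("child not in Office baseline")
        if in_user_writable_dir(ev["Image"]):
            reasons.append("child image in user-writable directory")
        if reasons:
            findings.append({
                "parent": parent,
                "child": child,
                "pid": ev["ProcessId"],
                "command_line": ev["CommandLine"],
                "reasons": reasons,
            })
    return findings

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample events; the report does not name what the document spawned.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 812,  # the document being opened
     "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\analyst\Downloads\document-1658613562.xls"'},
    {"ProcessId": 4300, "ParentProcessId": 4120,  # print helper: an expected child
     "Image": r"C:\Windows\splwow64.exe", "ParentImage": EXCEL,
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": 5560, "ParentProcessId": 4120,  # system binary Excel should not start
     "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": EXCEL,
     "CommandLine": r"regsvr32.exe -s C:\Users\analyst\AppData\Local\Temp\payload.dll"},
    {"ProcessId": 5700, "ParentProcessId": 4120,  # dropped binary run from the profile
     "Image": r"C:\Users\analyst\AppData\Roaming\Microsoft\update.exe", "ParentImage": EXCEL,
     "CommandLine": r"C:\Users\analyst\AppData\Roaming\Microsoft\update.exe"},
]

if __name__ == "__main__":
    for f in unexpected_office_children(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['child']} (pid {f['pid']}): {'; '.join(f['reasons'])}")
```

The two checks are deliberately independent: a signed system binary such as regsvr32 is off the baseline but lives in System32, while a dropped executable trips both. Keeping the reasons separate lets a triage queue rank the second kind above the first, and lets the baseline grow without silencing the path check.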

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      ID      Count
  Execution             Scheduled Task                 T1053   1
  Persistence           Scheduled Task                 T1053   1
  Privilege Escalation  Scheduled Task                 T1053   1
  Defense Evasion       Modify Registry                T1112   1
  Discovery             Query Registry                 T1012   3
  Discovery             Peripheral Device Discovery    T1120   1
  Discovery             System Information Discovery   T1082   3
