Overview

overview

10

Static

static

8

Complaint-...20.xls

windows7_x64

10

Complaint-...20.xls

windows10_x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Complaint-Letter_1191456850_12042020.xls

  • Size

    43KB

  • Sample

    201204-11y9emt4h6

  • MD5

    3cbd0cbd64e659489a26322f9c2eddec

  • SHA1

    277e506151d96684bc4f9da830fe69dded10af08

  • SHA256

    342318a6e69290dc55c25d09daaa3e452484df845f1f184acb93362f89e99e9e

  • SHA512

    c3d5e21acf09cc76aed5811d3cdb80f4e8b84b62454a6ecf834716b7715750656e325d73fb241fddc96478415d377cd2dcd80d06d28a749c05cfbe36ea7e7038

Score
10/10
qakbotabc1071607078484bankermacrostealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

abc107

Campaign

1607078484

C2

32.212.117.188:443

109.205.204.229:2222

72.36.59.46:2222

173.18.126.193:2222

96.225.88.23:443

89.137.211.239:443

110.142.205.182:443

82.76.47.211:443

193.83.25.177:995

67.40.253.209:995

73.244.83.199:443

2.90.186.243:995

189.252.62.238:995

141.237.135.194:443

82.78.70.128:443

185.125.151.172:443

79.117.239.22:2222

86.189.252.131:2222

83.114.243.80:2222

2.50.56.81:443

Targets

    • Target

      Complaint-Letter_1191456850_12042020.xls

    • Size

      43KB

    • MD5

      3cbd0cbd64e659489a26322f9c2eddec

    • SHA1

      277e506151d96684bc4f9da830fe69dded10af08

    • SHA256

      342318a6e69290dc55c25d09daaa3e452484df845f1f184acb93362f89e99e9e

    • SHA512

      c3d5e21acf09cc76aed5811d3cdb80f4e8b84b62454a6ecf834716b7715750656e325d73fb241fddc96478415d377cd2dcd80d06d28a749c05cfbe36ea7e7038

    Score
    10/10
    qakbotabc1071607078484bankerstealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks