General

  • Target

    Complaint-Letter_1191456850_12042020.xls

  • Size

    43KB

  • Sample

    201204-11y9emt4h6

  • MD5

    3cbd0cbd64e659489a26322f9c2eddec

  • SHA1

    277e506151d96684bc4f9da830fe69dded10af08

  • SHA256

    342318a6e69290dc55c25d09daaa3e452484df845f1f184acb93362f89e99e9e

  • SHA512

    c3d5e21acf09cc76aed5811d3cdb80f4e8b84b62454a6ecf834716b7715750656e325d73fb241fddc96478415d377cd2dcd80d06d28a749c05cfbe36ea7e7038

Malware Config

Extracted

Family

qakbot

Botnet

abc107

Campaign

1607078484

C2


Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                       Count  ID
  Execution             Scheduled Task                  1      T1053
  Persistence           Scheduled Task                  1      T1053
  Privilege Escalation  Scheduled Task                  1      T1053
  Defense Evasion       Modify Registry                 1      T1112
  Discovery             Query Registry                  2      T1012
  Discovery             System Information Discovery    2      T1082