General

  • Target

    Complaint-Letter_1492841762_12042020.xls

  • Size

    43KB

  • Sample

    201204-6h2bnpww5a

  • MD5

    e1bddad335af1cbf14788dfd3b898a59

  • SHA1

    1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d

  • SHA256

    bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823

  • SHA512

    7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51

Malware Config

Extracted

Family

qakbot

Botnet

abc107

Campaign

1607078484

C2

32.212.117.188:443

109.205.204.229:2222

72.36.59.46:2222

173.18.126.193:2222

96.225.88.23:443

89.137.211.239:443

110.142.205.182:443

82.76.47.211:443

193.83.25.177:995

67.40.253.209:995

73.244.83.199:443

2.90.186.243:995

189.252.62.238:995

141.237.135.194:443

82.78.70.128:443

185.125.151.172:443

79.117.239.22:2222

86.189.252.131:2222

83.114.243.80:2222

2.50.56.81:443

Targets

    • Target

      Complaint-Letter_1492841762_12042020.xls

    • Size

      43KB

    • MD5

      e1bddad335af1cbf14788dfd3b898a59

    • SHA1

      1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d

    • SHA256

      bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823

    • SHA512

      7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v6

Tasks