General

  • Target

    Complaint-Letter_1492841762_12042020.xls

  • Size

    43KB

  • Sample

    201204-6h2bnpww5a

  • MD5

    e1bddad335af1cbf14788dfd3b898a59

  • SHA1

    1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d

  • SHA256

    bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823

  • SHA512

    7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    abc107

  • Campaign

    1607078484

  • C2

    32.212.117.188:443
    109.205.204.229:2222
    72.36.59.46:2222
    173.18.126.193:2222
    96.225.88.23:443
    89.137.211.239:443
    110.142.205.182:443
    82.76.47.211:443
    193.83.25.177:995
    67.40.253.209:995
    73.244.83.199:443
    2.90.186.243:995
    189.252.62.238:995
    141.237.135.194:443
    82.78.70.128:443
    185.125.151.172:443
    79.117.239.22:2222
    86.189.252.131:2222
    83.114.243.80:2222
    2.50.56.81:443

Targets

    • Target

      Complaint-Letter_1492841762_12042020.xls

    • Size

      43KB

    • MD5

      e1bddad335af1cbf14788dfd3b898a59

    • SHA1

      1bbc9138c1f5fbd83c0484b2e00fc7d0ec03bb4d

    • SHA256

      bcc1731e3f2dc4772be5ad445247f717b82ec84eda5f86adc57824241dc77823

    • SHA512

      7aaf789e6fbdea965773046e966ae57d097c8b07fd5ccdf3ed90a380160c56ea105dfe6da48fb7981b618180f22976e9db0d3f6edd46cec23f83ac0d78526e51

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053), 1

  • Persistence

    Scheduled Task (T1053), 1

  • Privilege Escalation

    Scheduled Task (T1053), 1

  • Defense Evasion

    Modify Registry (T1112), 1

  • Discovery

    Query Registry (T1012), 2
    System Information Discovery (T1082), 2