General

  • Target

    Complaint-Letter_2082718428_12042020.zip

  • Size

    18KB

  • Sample

    201204-kwwsl4yhls

  • MD5

    d325889f0505a8c1aee7be4bc37e0b15

  • SHA1

    a0140b34f5073ecb929717efb8c729ed8695b73f

  • SHA256

    bc70e3e36cc5f2443fb95bbfb74c494001c2e0e8520ca4000bffe38772273ddd

  • SHA512

    fc8ab1c271962ee1a346c2000fcc2c905353aaf060871bd66f7cc3c3f0cf647d0e51b18c5b8f227b886c88e670786becda63d2f71bbbd1b29ea57557e4b206f1

Malware Config

Extracted

  • Family

    qakbot

  • Botnet

    abc107

  • Campaign

    1607078484

  • C2


Targets

    • Target

      Complaint-Letter_2082718428_12042020.xls

    • Size

      43KB

    • MD5

      af743920f1c2a88671efd757f7eaa9b7

    • SHA1

      d1743d50f044da581d99ffd7a81956c74262d896

    • SHA256

      bc6bb3e5c68a9624544780f6f1a7b411b4a0906b7662110b38e7cfff280731c3

    • SHA512

      69b6fcfabba261bea736c097d362ff8aa7255e71d0ec6a0c99624e4dd5033824fa6a279a10fcbbd6462e98b41d53df1ab3a94aea78dc0f1771786dffac504644

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Modify Registry               1      T1112
  Discovery             Query Registry                2      T1012
  Discovery             System Information Discovery  2      T1082

Tasks