General

  • Target: Document_2124969363-12232020-Copy.xlsm
  • Size: 25KB
  • Sample: 201224-mkzd63g1se
  • MD5: fdd92a903be9c2313c7a2caa1c2ed536
  • SHA1: fad193a01a203670247e3ccb0d94fbae1be3e391
  • SHA256: ed19c01f859cfb2f8432e280379edf45dc2d02e152360ffb3199f8f47deea73c
  • SHA512: 95fd89a469e482c4bf489d7845a3228942785b7924bfa47449f4da9721270716d65b7daf24ca195dee1d9aa508fe34b8864fe7a4352c363814e764b30ca2d640

Malware Config

Extracted

  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs: http://nicknewsteadconstructions.com.au/zhsvrgfcs/55555555555.jpg

Extracted

  • Family: qakbot
  • Botnet: abc117
  • Campaign: 1608747966
  • C2


Targets

    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot
      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • CryptOne packer
      Detects CryptOne packer defined in NCC blogpost.

    • Loads dropped DLL

    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Hits  ID
  Execution             Scheduled Task                1     T1053
  Persistence           Scheduled Task                1     T1053
  Privilege Escalation  Scheduled Task                1     T1053
  Defense Evasion       Modify Registry               1     T1112
  Discovery             Query Registry                3     T1012
  Discovery             Peripheral Device Discovery   1     T1120
  Discovery             System Information Discovery  3     T1082
