Overview

overview

10

Static

static

8

Document_3...y.xlsm

windows7_x64

10

Document_3...y.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Document_312780006-12232020-Copy.xlsm

  • Size

    25KB

  • Sample

    201225-7dj2fsmt8e

  • MD5

    c22078f129f1d702314102bc47fa5a77

  • SHA1

    b9fb91344d5276c9ca779867fecea5ac80c89f21

  • SHA256

    d85b3c0bee9a537ec923c070fde22f9e275130ab2c3e031397796cc856a44588

  • SHA512

    aad36bb3ce63f59fae9b4d66ec5a6921edba8903c684746021a44c04817635513cedf48fb34bd69c14637874313de66a7e5d623dd36011bffae1728e7398cd9e

Score
10/10
qakbotabc1171608747966bankercryptonemacropackerstealertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://nicknewsteadconstructions.com.au/zhsvrgfcs/55555555555.jpg

Extracted

Family

qakbot

Botnet

abc117

Campaign

1608747966

C2

67.6.54.180:443

187.250.170.34:995

67.141.11.98:443

109.154.79.222:2222

2.88.184.160:443

85.52.72.32:2222

86.98.21.234:443

73.166.10.38:50003

90.61.30.155:2222

71.182.142.63:443

178.223.22.192:995

184.189.122.72:443

181.39.236.199:443

72.240.200.181:2222

154.238.45.174:995

47.22.148.6:443

2.51.251.47:995

199.19.117.131:443

200.76.215.87:443

37.104.39.32:995

Targets

    • Target

      Document_312780006-12232020-Copy.xlsm

    • Size

      25KB

    • MD5

      c22078f129f1d702314102bc47fa5a77

    • SHA1

      b9fb91344d5276c9ca779867fecea5ac80c89f21

    • SHA256

      d85b3c0bee9a537ec923c070fde22f9e275130ab2c3e031397796cc856a44588

    • SHA512

      aad36bb3ce63f59fae9b4d66ec5a6921edba8903c684746021a44c04817635513cedf48fb34bd69c14637874313de66a7e5d623dd36011bffae1728e7398cd9e

    Score
    10/10
    qakbotabc1171608747966bankercryptonepackerstealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

      cryptonepacker

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks