Overview

overview

10

Static

static

8

decree 01.21_9.doc

windows7_x64

10

decree 01.21_9.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    decree 01.21_9.doc

  • Size

    79KB

  • Sample

    210129-a9hjg183ds

  • MD5

    abc0d29ef28b541636da5ed712551f47

  • SHA1

    a13e4da3eb973af3afb00b46dc236353c808376b

  • SHA256

    ba88ae16f19ddf0576a036516ca9385feae8b79e4f8f4b48e537d43ad046d6cf

  • SHA512

    c348db71255d1d89aad470c829c8a98ab50edde3fa8a908d31c2f79e741c6cc9584b76cb8c0243810e0755c7c4e25c885f6b6a089e0e0ef31028a172212af304

Score
10/10
qakbotkrk011611569149bankermacroransomwarestealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Targets

    • Target

      decree 01.21_9.doc

    • Size

      79KB

    • MD5

      abc0d29ef28b541636da5ed712551f47

    • SHA1

      a13e4da3eb973af3afb00b46dc236353c808376b

    • SHA256

      ba88ae16f19ddf0576a036516ca9385feae8b79e4f8f4b48e537d43ad046d6cf

    • SHA512

      c348db71255d1d89aad470c829c8a98ab50edde3fa8a908d31c2f79e741c6cc9584b76cb8c0243810e0755c7c4e25c885f6b6a089e0e0ef31028a172212af304

    Score
    10/10
    qakbotkrk011611569149bankerransomwarestealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

4
T1082

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks