Overview

overview

10

Static

static

8

direct,02.01.2021.doc

windows7_x64

10

direct,02.01.2021.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    direct,02.01.2021.doc

  • Size

    75KB

  • Sample

    210202-3b8andc2aa

  • MD5

    a7381f4e85590449ca5c33bec0aa39b3

  • SHA1

    f299694003dd4e96abd9b9b36857c6f5373b56e4

  • SHA256

    5b729ea665fa8c4ee7d64a33f8037ddcd0cd67e018362b8faef0fb385a8cef7f

  • SHA512

    e8b4a2e5bfc7669a735946a9f51dd6fe528dfa4bc68c33de0a73439bbb57696362f036a206aa2efb6f31482cf8a283f96154e48c1672d09d2cbb6641e84f1569

Score
10/10
qakbotkrk011611569149bankermacroransomwarestealertrojan

Malware Config

Extracted

Family

qakbot

Botnet

krk01

Campaign

1611569149

C2

31.5.21.66:995

89.3.198.238:443

202.188.138.162:443

188.24.128.253:443

175.141.219.71:443

151.60.15.183:443

184.189.122.72:443

80.227.5.70:443

140.82.49.12:443

89.211.241.100:995

81.97.154.100:443

77.27.174.49:995

92.154.83.96:2078

42.3.8.54:443

71.187.170.235:443

46.153.36.53:995

71.182.142.63:443

105.186.102.16:443

50.244.112.106:443

78.63.226.32:443

Targets

    • Target

      direct,02.01.2021.doc

    • Size

      75KB

    • MD5

      a7381f4e85590449ca5c33bec0aa39b3

    • SHA1

      f299694003dd4e96abd9b9b36857c6f5373b56e4

    • SHA256

      5b729ea665fa8c4ee7d64a33f8037ddcd0cd67e018362b8faef0fb385a8cef7f

    • SHA512

      e8b4a2e5bfc7669a735946a9f51dd6fe528dfa4bc68c33de0a73439bbb57696362f036a206aa2efb6f31482cf8a283f96154e48c1672d09d2cbb6641e84f1569

    Score
    10/10
    qakbotkrk011611569149bankerransomwarestealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

4
T1082

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks