General

  • Target

    document-546688594.xls.zip

  • Size

    271KB

  • Sample

    210217-b99dbjts1e

  • MD5

    832a955839049d17ae83d9894829846a

  • SHA1

    ce59fa0ad7dc8696be7dd2b7b639bdec26305aae

  • SHA256

    7535757927d82a22cc0f752eba339abb455dd60141202d7e0dd85b08736f9657

  • SHA512

    a49ccab414c132b53a94f00a34bd2b123c2dca05d47062e71274b6e6bde4cbbc17bfeabb3988d2c0b1ce50d00fae3143d06e5a38c4689eb5b0147b4f8b222776

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://spititourism.com/ds/1702.gif

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1613385567

  • C2

    78.63.226.32:443
    197.51.82.72:443
    193.248.221.184:2222
    95.77.223.148:443
    71.199.192.62:443
    77.211.30.202:995
    80.227.5.69:443
    77.27.204.204:995
    81.97.154.100:443
    173.184.119.153:995
    38.92.225.121:443
    81.150.181.168:2222
    90.65.236.181:2222
    83.110.103.152:443
    73.153.211.227:443
    188.25.63.105:443
    89.137.211.239:995
    202.188.138.162:443
    98.173.34.212:995
    87.202.87.210:2222
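The extracted configuration is only useful once it is turned into something a blocklist or a log search can consume. The following is an added example (not part of the sandbox report) that parses the C2 list above into validated ip:port records, decodes the campaign field, and checks constructed firewall-style log lines for contact with any listed C2. Reading the campaign value as a Unix timestamp is an assumption stated in the code; the log lines and the 10.0.5.21 client address are constructed for illustration and do not come from the report.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Values copied from the "Extracted" block of this report.
QAKBOT_CONFIG = {
    "family": "qakbot",
    "botnet": "tr",
    "campaign": "1613385567",
    "c2": [
        "78.63.226.32:443", "197.51.82.72:443", "193.248.221.184:2222",
        "95.77.223.148:443", "71.199.192.62:443", "77.211.30.202:995",
        "80.227.5.69:443", "77.27.204.204:995", "81.97.154.100:443",
        "173.184.119.153:995", "38.92.225.121:443", "81.150.181.168:2222",
        "90.65.236.181:2222", "83.110.103.152:443", "73.153.211.227:443",
        "188.25.63.105:443", "89.137.211.239:995", "202.188.138.162:443",
        "98.173.34.212:995", "87.202.87.210:2222",
    ],
}


@dataclass(frozen=True)
class C2:
    ip: str
    port: int


def parse_c2(entries):
    """Turn 'ip:port' strings into C2 records, rejecting malformed entries
    instead of silently dropping them: a typo in a blocklist is worse than
    a crash while building it."""
    out = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {entry!r}")
        ipaddress.IPv4Address(host)  # raises ValueError on anything that is not an IPv4 address
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"bad port in {entry!r}")
        out.append(C2(host, port_num))
    return out


def campaign_time(campaign):
    """Assumption: the campaign id is a Unix timestamp. 1613385567 decodes
    to 2021-02-15T10:39:27Z, two days before the sample id's 210217 date."""
    return datetime.fromtimestamp(int(campaign), tz=timezone.utc)


def port_histogram(c2s):
    """How the listed C2s split across ports (443/995/2222 here)."""
    return dict(Counter(c.port for c in c2s))


# Constructed firewall-style log lines (not from the report).
LOG_LINES = [
    "2021-02-17T09:12:03Z src=10.0.5.21 dst=78.63.226.32 dport=443 proto=tcp",
    "2021-02-17T09:12:05Z src=10.0.5.21 dst=93.184.216.34 dport=443 proto=tcp",
    "2021-02-17T09:13:40Z src=10.0.5.21 dst=87.202.87.210 dport=2222 proto=tcp",
    "2021-02-17T09:14:01Z src=10.0.5.21 dst=78.63.226.32 dport=80 proto=tcp",
]
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def match_logs(lines, c2s, exact=True):
    """Return the log lines that reach a configured C2.
    exact=True requires the listed ip:port pair; exact=False matches on the
    IP alone, which also catches the same host on a port the config does
    not list (the last constructed line above)."""
    by_pair = {(c.ip, c.port) for c in c2s}
    by_ip = {c.ip for c in c2s}
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if (dst, dport) in by_pair or (not exact and dst in by_ip):
            hits.append(line)
    return hits


if __name__ == "__main__":
    c2s = parse_c2(QAKBOT_CONFIG["c2"])
    print("campaign:", campaign_time(QAKBOT_CONFIG["campaign"]).isoformat())
    print("ports:", port_histogram(c2s))
    for hit in match_logs(LOG_LINES, c2s, exact=False):
        print("C2 contact:", hit)
```

Match on the ip:port pair when feeding a blocklist, and on IP alone when hunting in historical logs; the residential-looking addresses in this list are typical of Qakbot's proxy tier and rotate, so the campaign date is the more durable pivot.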

Targets

    • Target

      document-546688594.xls

    • Size

      315KB

    • MD5

      01c5aa8391ead06e32e0b473977eb329

    • SHA1

      4cc4f8662b6a690db7d5fa6552e1a14a46ceaec1

    • SHA256

      f9fd452f0a3efce6f120992961de66b789f3bbdfebeae787cc6abbcbbde6047e

    • SHA512

      346d74e3504ab526ead7c1131d28382e91fc82fd1e5e0e4440be28ffafe9277a19b0c832afef59bcc6bab62db2f74d3bea5952baa0634f874530cb42ae69652f

    • Process spawned unexpected child process

      An application started a child it has no normal reason to run. This typically indicates the parent process was compromised via an exploit or macro; in this sample the Excel 4.0 (XLM) macro in the .xls is the likely trigger.

    • Qakbot/Qbot

      Qbot or Qakbot is a modular banking trojan and loader; it spreads with worm-like lateral movement and fetches further payloads from its C2 servers.

    • Loads dropped DLL

      A DLL written to disk during the run was subsequently loaded.
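The "unexpected child process" signature is straightforward to reproduce on endpoint telemetry. Below is an added example (not the sandbox's own logic) that classifies process-creation events by parent/child pair: an Office parent spawning a script host, LOLBin or anything from a user-writable path is rated high, any other unexpected child medium. The event records resemble Sysmon Event ID 1 fields but are constructed for illustration; the allowed-child baseline, the script-host list and the paths such as payload.dll and upd.exe are assumptions and do not come from this report.

```python
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app starts in normal use (assumed baseline; tune per estate).
ALLOWED_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe", "msosync.exe"}
# Script hosts and LOLBins a document should never launch (assumed list).
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "schtasks.exe", "msiexec.exe",
}
# Locations a macro-dropped payload usually lands in (assumed).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields; instances below are constructed."""
    utc_time: str
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Return None for events outside the rule, else 'allowed', 'high' or
    'medium'. 'high' is a script host or anything referencing a user-writable
    path; 'medium' is any other unexpected child, worth a look but not an
    automatic alert."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    child = basename(ev.image)
    if child in ALLOWED_CHILDREN:
        return "allowed"
    cmd = ev.command_line.lower()
    if child in SCRIPT_HOSTS or any(p in cmd for p in USER_WRITABLE):
        return "high"
    return "medium"


def detect(events):
    """Return (severity, event) pairs for everything that fires the rule."""
    findings = []
    for ev in events:
        sev = classify(ev)
        if sev in ("high", "medium"):
            findings.append((sev, ev))
    return findings


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed events: one benign print spooler child, a rundll32 load of a
# dropped DLL, a scheduled-task creation, a non-Office parent, and an
# unknown vendor tool. None of these command lines are from the report.
EVENTS = [
    ProcessCreate("2021-02-17 09:11:58", EXCEL, r"C:\Windows\splwow64.exe",
                  "splwow64.exe 12288"),
    ProcessCreate("2021-02-17 09:12:02", EXCEL, r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe C:\Users\alice\AppData\Local\Temp\payload.dll,DllRegisterServer"),
    ProcessCreate("2021-02-17 09:12:30", EXCEL, r"C:\Windows\System32\schtasks.exe",
                  r"schtasks.exe /Create /SC ONLOGON /TN Update /TR C:\Users\Public\upd.exe"),
    ProcessCreate("2021-02-17 09:13:10", r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessCreate("2021-02-17 09:14:00", EXCEL, r"C:\Program Files\Vendor\convert.exe",
                  "convert.exe report.xls"),
]


if __name__ == "__main__":
    for sev, ev in detect(EVENTS):
        print(f"{sev:6} {ev.utc_time} {basename(ev.parent_image)} -> {ev.command_line}")
```

The rundll32 and schtasks cases correspond to the "Loads dropped DLL" signature and the T1053 Scheduled Task entries in the ATT&CK matrix below; keying the rule on the parent image rather than on the child alone is what keeps the explorer.exe -> cmd.exe event out of the results.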

MITRE ATT&CK Matrix (ATT&CK v6; the number in parentheses is how many behaviours matched the technique)

  • Execution

    Scheduled Task T1053 (1)

  • Persistence

    Scheduled Task T1053 (1)

  • Privilege Escalation

    Scheduled Task T1053 (1)

  • Defense Evasion

    Modify Registry T1112 (1)

  • Discovery

    Query Registry T1012 (3)
    Peripheral Device Discovery T1120 (1)
    System Information Discovery T1082 (3)
