Resubmissions

  Date                Sample               Score
  17-02-2021 17:09    210217-pvhwd2csv6    10
  17-02-2021 17:06    210217-s9cbxy3whe    10
  17-02-2021 16:57    210217-1k9xjdcsra    10
  17-02-2021 16:55    210217-gq1l4jmgjx    10
  17-02-2021 16:06    210217-m8j2qst48j    10
  17-02-2021 16:03    210217-ne144tv16a    10
  17-02-2021 16:02    210217-tsrhk9nkz2    10
  16-02-2021 16:29    210216-w399b7h8en    10

General

  • Target: docs_ (35).xls.zip
  • Size: 271KB
  • Sample: 210217-m8j2qst48j
  • MD5: 13cebfa9973c13d51d55f36b7e8354ea
  • SHA1: 47690bad25618f1872ad5dc624a9e0b7ed1d4fda
  • SHA256: e7fdb1158e0a228cde2d2aa03f7dd3a5fda12417ce2f2bea4b21a654152ac64f
  • SHA512: e1db44bc4a03ff8ad95d57ac4afea7977eabf64156f690ed3703b127a3746a240a5c0adfd07cfb4de587218ab308a4f369d6e438bb12c75f4f457da4a50a7006

Malware Config

Extracted

  Language: xlm4.0
  Source:   xlm40.dropper
  URLs:     https://skyflyfares.com/ds/1602.gif
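The dropper stage above is an Excel 4.0 (XLM) macro, which lives in a dedicated macro sheet inside the workbook rather than in a VBA project, so VBA-only scanners miss it. In a legacy BIFF8 .xls file each sheet is announced by a BoundSheet8 record whose dt byte distinguishes worksheets (0x00) from macro sheets (0x01) and whose hsState bits record whether the sheet is visible, hidden, or "very hidden" (not un-hideable from the Excel UI). The script below is an added example for this report, not sandbox code: it walks a Workbook stream, decodes those records, and flags macro sheets. The byte stream it parses is constructed inline so it runs offline; it is not the analysed sample, and the report does not state how that sample's sheets were laid out. A real .xls is an OLE2 compound document, so in practice the 'Workbook' stream is extracted first (for example with olefile) and handed to parse_boundsheets().

```python
"""Find Excel 4.0 (XLM) macro sheets in a BIFF8 Workbook stream.

Added example for this report, not sandbox output. Real .xls files are OLE2
compound documents; the bytes parsed here are the 'Workbook' stream you would
pull out first (e.g. with olefile). SAMPLE_WORKBOOK_STREAM is constructed
inline so the script runs offline; it is not the report's sample.
"""
import struct
from dataclasses import dataclass

BOUNDSHEET = 0x0085
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro", 0x02: "chart", 0x06: "vba module"}


@dataclass
class Sheet:
    name: str
    visibility: str
    kind: str
    bof_offset: int


def iter_records(stream: bytes):
    """Yield (type, body) for each BIFF record; stop at a truncated header."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rtype, stream[off:off + rlen]
        off += rlen


def parse_boundsheets(stream: bytes):
    """Decode every BoundSheet8 record (MS-XLS 2.4.28) in the stream.

    Layout: lbPlyPos (u32), hsState (u8, low 2 bits), dt (u8),
            stName as ShortXLUnicodeString (cch u8, flags u8, chars).
    """
    sheets = []
    for rtype, body in iter_records(stream):
        if rtype != BOUNDSHEET or len(body) < 8:
            continue
        pos, hs, dt, cch, flags = struct.unpack_from("<IBBBB", body, 0)
        raw = body[8:]
        if flags & 0x01:      # fHighByte set: UTF-16LE characters
            name = raw[:cch * 2].decode("utf-16-le", errors="replace")
        else:                 # single-byte characters
            name = raw[:cch].decode("latin-1")
        sheets.append(Sheet(name, HS_STATE.get(hs & 0x03, "unknown"),
                            SHEET_TYPE.get(dt, f"0x{dt:02x}"), pos))
    return sheets


def flag_xlm_sheets(sheets):
    """Macro sheets carry the XLM payload; a hidden one is the usual dropper pattern."""
    return [s for s in sheets if s.kind == "macro"]


# --- constructed test data (not from the analysed sample) ---------------------

def _boundsheet(name: str, hs: int, dt: int, pos: int) -> bytes:
    try:
        raw, flags, cch = name.encode("latin-1"), 0, len(name)
    except UnicodeEncodeError:
        raw, flags, cch = name.encode("utf-16-le"), 1, len(name)
    body = struct.pack("<IBBBB", pos, hs, dt, cch, flags) + raw
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(body)) + body


SAMPLE_WORKBOOK_STREAM = (
    _record(0x0809, bytes(16))                 # BOF of the globals substream
    + _boundsheet("Sheet1", 0, 0x00, 0x0400)   # decoy visible worksheet
    + _boundsheet("Macro1", 2, 0x01, 0x0800)   # very hidden XLM macro sheet
    + _boundsheet("Лист", 1, 0x00, 0x0C00)     # hidden worksheet, UTF-16 name
    + _record(0x000A, b"")                     # EOF
)

if __name__ == "__main__":
    sheets = parse_boundsheets(SAMPLE_WORKBOOK_STREAM)
    for s in sheets:
        print(f"{s.name:<10} {s.kind:<10} {s.visibility}")
    print("XLM sheets:", [s.name for s in flag_xlm_sheets(sheets)])
```

The record walker deliberately tolerates a truncated stream (it stops at the first incomplete header) so a damaged or deliberately padded sample still yields whatever BoundSheet8 records precede the damage. For OOXML workbooks (.xlsm) the same check is done differently: XLM sheets appear as parts under xl/macrosheets/ in the ZIP container.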

Extracted

  Family:   qakbot
  Botnet:   tr
  Campaign: 1613385567
  C2:
    78.63.226.32:443
    197.51.82.72:443
    193.248.221.184:2222
    95.77.223.148:443
    71.199.192.62:443
    77.211.30.202:995
    80.227.5.69:443
    77.27.204.204:995
    81.97.154.100:443
    173.184.119.153:995
    38.92.225.121:443
    81.150.181.168:2222
    90.65.236.181:2222
    83.110.103.152:443
    73.153.211.227:443
    188.25.63.105:443
    89.137.211.239:995
    202.188.138.162:443
    98.173.34.212:995
    87.202.87.210:2222
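The extracted config above is the part of this report a defender actually consumes: the campaign value is a Unix epoch timestamp (Qakbot stamps each build with one), the C2 list is a set of ip:port endpoints, and the dropper URL gives a hostname to block. The script below is an added example for this report, not sandbox output. It copies the report's config values, validates the C2 entries so a typo cannot produce a rule that matches nothing, decodes the campaign timestamp, summarises the ports in use, and emits one Suricata alert rule per endpoint. The rule text is standard Suricata syntax; the SID range (9000001 upward) is an arbitrary local choice, not from the report.

```python
"""Turn the extracted Qakbot configuration into checkable network IOCs.

Added example for this report; not sandbox output. Config values are copied
from the report above. Rule syntax is standard Suricata; the SIDs are an
arbitrary local range chosen here.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

CAMPAIGN_ID = "1613385567"
DROPPER_URL = "https://skyflyfares.com/ds/1602.gif"
C2_LIST = [
    "78.63.226.32:443", "197.51.82.72:443", "193.248.221.184:2222",
    "95.77.223.148:443", "71.199.192.62:443", "77.211.30.202:995",
    "80.227.5.69:443", "77.27.204.204:995", "81.97.154.100:443",
    "173.184.119.153:995", "38.92.225.121:443", "81.150.181.168:2222",
    "90.65.236.181:2222", "83.110.103.152:443", "73.153.211.227:443",
    "188.25.63.105:443", "89.137.211.239:995", "202.188.138.162:443",
    "98.173.34.212:995", "87.202.87.210:2222",
]


def campaign_timestamp(campaign_id: str) -> datetime:
    """Qakbot campaign IDs are Unix epoch seconds; decode to a UTC datetime."""
    return datetime.fromtimestamp(int(campaign_id), tz=timezone.utc)


def parse_c2(entries):
    """Validate 'ip:port' strings into (IPv4Address, port) pairs.

    A malformed entry raises ValueError instead of silently becoming a rule
    that never fires.
    """
    result = []
    for entry in entries:
        host, sep, port_s = entry.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {entry!r}")
        ip = ipaddress.IPv4Address(host)        # raises on a bad address
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port in {entry!r}")
        result.append((ip, port))
    return result


def port_histogram(c2):
    """Ports the botnet talks on: input for egress policy and hunting queries."""
    return dict(Counter(port for _, port in c2))


def suricata_rules(c2, sid_base=9000001):
    """One alert per C2 endpoint, keyed on outbound TCP to ip:port."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot C2 {ip}:{port} campaign {CAMPAIGN_ID}"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def dropper_host(url: str) -> str:
    """Hostname of the XLM dropper download URL, for DNS/proxy blocking."""
    return urlparse(url).hostname


if __name__ == "__main__":
    c2 = parse_c2(C2_LIST)
    print("campaign timestamp:", campaign_timestamp(CAMPAIGN_ID).isoformat())
    print("ports:", port_histogram(c2))
    print("block host:", dropper_host(DROPPER_URL))
    print("\n".join(suricata_rules(c2)))
```

The port summary is worth a look before deploying anything: three of the twenty endpoints use 2222 and five use 995, so a policy that only inspects 443 would miss a third of this config's C2 channels.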

Targets

    • Target: docs_ (35).xls
    • Size: 317KB
    • MD5: 08510e105da0cd70372df801da0d50d1
    • SHA1: c14c05c17dfc2896e461c62e9dad7f81d1d48cdb
    • SHA256: 37ea0eaeed142c4a0d1d4e3b801a8cef3dc5f2cd69a5af4f59bd817362833020
    • SHA512: 5283efd05dd547ecaecd62236245533496fce006e7ea228a11efed7e56ae541d4c691f48b927bd1a390bb853acf5b95cc6a5aab1a3a4311f2ee292eec54ea747

    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot
      Qakbot (Qbot) is a banking trojan and modular loader with worm-like self-propagation capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                       Count  ID
  Execution              Scheduled Task                  1      T1053
  Persistence            Scheduled Task                  1      T1053
  Privilege Escalation   Scheduled Task                  1      T1053
  Defense Evasion        Modify Registry                 1      T1112
  Discovery              Query Registry                  3      T1012
  Discovery              Peripheral Device Discovery     1      T1120
  Discovery              System Information Discovery    3      T1082

Tasks