General

  • Target

    projected (11).zip

  • Size

    15KB

  • Sample

    210218-3aa4n6ak46

  • MD5

    806781fb7e8245a17185314cea815185

  • SHA1

    c681f40ce2fe5b62f211aa07be291433eab5237b

  • SHA256

    c064b7289d89a82a8f4d3bf908e7fd5f0a5dbffc37955cb1540c0fe24b806719

  • SHA512

    4b166d9abbf9111aa9f60aaa48e7f9b2af8c245c3a8f839ce70a8d92dd9b0e4bca90a94f3bafeda22b714186e9a019025ba8ccb984cd8df4006b8d2462954978

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://lloydsindian.co.uk/ds/1802.gif

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1613385567

  • C2

Targets

    • Target

      document-2089175100.xls

    • Size

      88KB

    • MD5

      4c840e6d178c13c1b3662d5412b83a74

    • SHA1

      2332f759c4575419f70e8abcaccdf5fbe4a2fb47

    • SHA256

      386de64d9d460a4a5da609acecc088f0e63b882e9e160d6e587648eb23a6d138

    • SHA512

      6f1494ed35e19740b7c4fba6d9606482cc5c420ee28bcfa036c91c1e4e635212659f07d228d2c81eaf26883dec9b113ae338dcac2e1d2bd1cf25404f183a7c7a

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 3

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 3

Tasks