General

  • Target: documentation (12).zip
  • Size: 15KB
  • Sample: 210218-a3a7kw8qxn
  • MD5: 09f680cb45393f2ed13ceb47e5e7bbe7
  • SHA1: e3bd759d503022e6e3562e3f37a41bb35cfc5420
  • SHA256: 53c723681fa8dd4670e2966be1cb39c07976befb73f6ec2c8877b9377765b157
  • SHA512: c02fa4c468bc0a91d16a7af54ebc2cd9238308122a80e1bb3ca5fe3cd02ee2bbd4ad946f05c8234a4c44ecb2b462e52e5f98abf066af1fa5de27ae212eb418a0

Malware Config

Extracted

  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs: https://ishikapress.com/ds/1802.gif

Extracted

  • Family: qakbot
  • Botnet: tr
  • Campaign: 1613385567
  • C2:


Targets

    • Target: document-153413021.xls
    • Size: 88KB
    • MD5: 5a12354ac64363a98cd4f7fce5506da9
    • SHA1: ad623d0521e12908e60225b4eb3431ac303cae3b
    • SHA256: f751560f6c086264858eeb3ce80c9c8f41357d9f0972272563d65f9d4b6f7ee6
    • SHA512: 2b3812d761fd4083ab881ca2dee365991c2041814d94f81d5274edb16c58ef9f3da0ddbe1383554ea78b6a03d2517b06564090086b45e63292b592e36cd4059d

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • themida

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

    • Virtualization/Sandbox Evasion (1) T1497
    • Modify Registry (1) T1112

Discovery

    • Query Registry (5) T1012
    • Virtualization/Sandbox Evasion (1) T1497
    • System Information Discovery (5) T1082
    • Peripheral Device Discovery (1) T1120

Tasks