General

  • Target

    document-1406506371.xls

  • Size

    88KB

  • Sample

    210218-gfx29gmlk2

  • MD5

    ea516f72ae0fc8f307eb63fd76eb4867

  • SHA1

    abe0ff1777c7a47dd40c4a5c5c25fc90203f7c66

  • SHA256

    ed89c55ffb07c4e94576eada0c0a91d86988772535844fdd8d784702934c66f3

  • SHA512

    0d86be1f2a59c0dae42d295b06b95b459f9c5388ce7f7b54b3fd6cd28ee96d8a2261c11bfcd98466d5cf6a5f23e1e86024381a2989ecbb831b6883aafadf4cf5

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://lloydsindian.co.uk/ds/1802.gif

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1613385567

  • C2

    78.63.226.32:443
    197.51.82.72:443
    193.248.221.184:2222
    95.77.223.148:443
    71.199.192.62:443
    77.211.30.202:995
    80.227.5.69:443
    77.27.204.204:995
    81.97.154.100:443
    173.184.119.153:995
    38.92.225.121:443
    81.150.181.168:2222
    90.65.236.181:2222
    83.110.103.152:443
    73.153.211.227:443
    188.25.63.105:443
    89.137.211.239:995
    202.188.138.162:443
    98.173.34.212:995
    87.202.87.210:2222

Targets

    • Target

      document-1406506371.xls

    • Size

      88KB

    • MD5

      ea516f72ae0fc8f307eb63fd76eb4867

    • SHA1

      abe0ff1777c7a47dd40c4a5c5c25fc90203f7c66

    • SHA256

      ed89c55ffb07c4e94576eada0c0a91d86988772535844fdd8d784702934c66f3

    • SHA512

      0d86be1f2a59c0dae42d295b06b95b459f9c5388ce7f7b54b3fd6cd28ee96d8a2261c11bfcd98466d5cf6a5f23e1e86024381a2989ecbb831b6883aafadf4cf5

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1 hit) — T1053

  • Persistence

    Scheduled Task (1 hit) — T1053

  • Privilege Escalation

    Scheduled Task (1 hit) — T1053

  • Defense Evasion

    Modify Registry (1 hit) — T1112

  • Discovery

    Query Registry (3 hits) — T1012
    Peripheral Device Discovery (1 hit) — T1120
    System Information Discovery (3 hits) — T1082
