General

  • Target

    documentation (41).zip

  • Size

    271KB

  • Sample

    210218-hta2xs7e5j

  • MD5

    96f0c4b957e6da46dbabab10a4fd1359

  • SHA1

    6bc5d59ffd15be06c0b3b33a9aa5a4d73ee25127

  • SHA256

    b81871b1938d16b9f9f3b933b512d914c0e316399d44f297a0f1631ced46befe

  • SHA512

    635ad2b46c70d5b80789a25a54016a94830ab1b72a12807b1214af6a975150c9539af55105e95c6c3e5ab883632e6e2b0a804524d822b519b70e1b0eb74529a3

Malware Config

  • Extracted (xlm40.dropper)

    Language: xlm4.0
    Source: xlm40.dropper
    URLs: https://bengalvillage.com/ds/1702.gif

  • Extracted (qakbot)

    Family: qakbot
    Botnet: tr
    Campaign: 1613385567
    C2:


Targets

    • Target

      document-1166649187.xls

    • Size

      315KB

    • MD5

      1da9b80505e8c6728676c0929071791b

    • SHA1

      645827de6ecd80dc1c0e8d7888f9d2e78cced5be

    • SHA256

      f8ab9da05c380cbd9e59f59452cf1dd09d7abe0eb53e961a98625b748237a1f6

    • SHA512

      2cfa006db7ed433261d6e0df2171423e17cec13afdc05aff6710869d4bfe0da675065d434c05c341be0914c4c5ad79dc299640698a3b57b3f8d5b17d2b2057da

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Modify Registry               1      T1112
  Discovery             Query Registry                3      T1012
  Discovery             Peripheral Device Discovery   1      T1120
  Discovery             System Information Discovery  3      T1082

Tasks