General

  • Target

    estimated (73).zip

  • Size

    15KB

  • Sample

    210218-l2n61eqjma

  • MD5

    9530cd7c71c493af07ce25aed3b9220d

  • SHA1

    253d50d8f963081ed96ee2537ddc7c2ebca0bf4f

  • SHA256

    be7845ed01ffc55fee1afc3dfe920fe26fc6b992ba9ae33a35e036c1b4b9f0d4

  • SHA512

    1b7fea8e0092d5d720cb80d300cd7a8b651863a28d57f311aacdcbdfdb06f79ae241c283e81961ac2eb0a3c9b7b05e03c2630d64ece6a525d4ad5000a770c354

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://ishikapress.com/ds/1802.gif

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1613385567

  • C2

    78.63.226.32:443
    197.51.82.72:443
    193.248.221.184:2222
    95.77.223.148:443
    71.199.192.62:443
    77.211.30.202:995
    80.227.5.69:443
    77.27.204.204:995
    81.97.154.100:443
    173.184.119.153:995
    38.92.225.121:443
    81.150.181.168:2222
    90.65.236.181:2222
    83.110.103.152:443
    73.153.211.227:443
    188.25.63.105:443
    89.137.211.239:995
    202.188.138.162:443
    98.173.34.212:995
    87.202.87.210:2222
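The extracted configuration above turned into something an analyst can act on, as an added example that is not part of the sandbox report: it decodes the campaign field as a Unix timestamp (the usual reading of Qakbot's campaign value), groups the C2 endpoints by port, emits one Suricata rule per endpoint, and matches a few constructed connection records against the list. The config values are copied from the report; the connection records, the rule message text and the SID range are assumptions made for the example.

```python
"""Turn the Qakbot config extracted in this report into usable IOCs."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Values copied from the report's "Malware Config" section.
CAMPAIGN_ID = 1613385567
BOTNET = "tr"
DROPPER_URL = "https://ishikapress.com/ds/1802.gif"
C2_LIST = [
    "78.63.226.32:443", "197.51.82.72:443", "193.248.221.184:2222",
    "95.77.223.148:443", "71.199.192.62:443", "77.211.30.202:995",
    "80.227.5.69:443", "77.27.204.204:995", "81.97.154.100:443",
    "173.184.119.153:995", "38.92.225.121:443", "81.150.181.168:2222",
    "90.65.236.181:2222", "83.110.103.152:443", "73.153.211.227:443",
    "188.25.63.105:443", "89.137.211.239:995", "202.188.138.162:443",
    "98.173.34.212:995", "87.202.87.210:2222",
]

# Constructed "src dst dport" connection records, not taken from the report.
SAMPLE_CONNECTIONS = [
    "10.0.0.5 78.63.226.32 443",
    "10.0.0.5 8.8.8.8 53",
    "10.0.0.7 193.248.221.184 2222",
    "10.0.0.7 193.248.221.184 443",   # known C2 IP but wrong port: not a hit
]


def campaign_to_datetime(campaign_id: int) -> datetime:
    """Qakbot's campaign field is a Unix epoch; decode it to UTC."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)


def parse_c2(entries):
    """Split 'ip:port' strings into (ip, port) tuples, rejecting malformed input."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)   # raises ValueError on garbage
        out.append((str(ip), int(port)))
    return out


def group_by_port(c2):
    """Group C2 IPs by destination port (443/995/2222 in this config)."""
    groups = defaultdict(list)
    for ip, port in c2:
        groups[port].append(ip)
    return dict(groups)


def suricata_rules(c2, sid_base=9000000):
    """One alert-on-connect rule per endpoint. The C2 channel is TLS, so match
    on destination IP and port rather than payload content. SID range is assumed."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot botnet {BOTNET} C2 connection"; flow:to_server; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


def match_connections(c2, records):
    """Return (src, dst, port) for records whose destination is a known C2 pair."""
    known = set(c2)
    hits = []
    for line in records:
        src, dst, port = line.split()
        if (dst, int(port)) in known:
            hits.append((src, dst, int(port)))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_LIST)
    print("campaign built:", campaign_to_datetime(CAMPAIGN_ID).isoformat())
    for port, ips in sorted(group_by_port(c2).items()):
        print(f"port {port}: {len(ips)} C2 hosts")
    print("\n".join(suricata_rules(c2)[:2]))
    print("hits:", match_connections(c2, SAMPLE_CONNECTIONS))
```

The decoded campaign time (mid-February 2021) is three days before the sample ID date, which is the kind of consistency check worth doing before trusting an extracted config.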

Targets

    • Target

      document-1911271790.xls

    • Size

      88KB

    • MD5

      b06088f340daf14e2329423e6c03a3d8

    • SHA1

      16cb3c036658cb410b7ba2af0e5b580791d43271

    • SHA256

      9c60f9e70aacfccb250fe5cce6d0cf8701e5dc08c2aa9ac44db5e95d8f51130a

    • SHA512

      6fb87d80550049a3a2750c8d3e0078d75a30b1e987c0f4d1afc40030fe95242c5146e4206bafd3f8c36be1f6b6cdd257e7dd90690f8f14b7df66e06889da2aee

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qakbot (Qbot) is a banking trojan with worm-like self-propagation; here it is delivered by an Excel 4.0 macro dropper.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • themida

      Detects Themida, a commercial Windows software protection system (packing combined with anti-debugging and anti-VM checks).

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      A thread is hidden from attached debuggers (ThreadHideFromDebugger), a common anti-debugging technique.
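Detection logic for the registry-based anti-analysis checks listed above (VirtualBox ACPI values, BIOS information, UAC state), as an added example rather than the sandbox's own signature code. It classifies Sysmon-style registry TargetObject strings and flags any image that performs two or more distinct checks. The exact key paths are assumptions: the report names the behaviours, not the values read, and the event records and image names are constructed.

```python
"""Classify registry lookups against the anti-analysis checks flagged in this report."""
import re

# Assumed key paths for each reported behaviour (the report does not list them).
CHECKS = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_info": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$",
        re.I,
    ),
    "uac_state": re.compile(
        r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I
    ),
}

# Constructed (Image, TargetObject) pairs in Sysmon registry-event style; not from the report.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\regsvr32.exe", "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"),
    ("C:\\Windows\\System32\\regsvr32.exe", "HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"),
    ("C:\\Windows\\explorer.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"),
    ("C:\\Windows\\explorer.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]


def classify(target: str):
    """Return the check name a registry target matches, or None if it is benign."""
    for name, pattern in CHECKS.items():
        if pattern.search(target):
            return name
    return None


def summarize(events):
    """Map each image (lower-cased path) to the set of anti-analysis checks it performed."""
    seen = {}
    for image, target in events:
        tag = classify(target)
        if tag:
            seen.setdefault(image.lower(), set()).add(tag)
    return seen


def suspicious(summary, min_checks=2):
    """Images with at least min_checks distinct checks. A single EnableLUA read is
    routine for legitimate software, so one hit alone is not reported."""
    return sorted(img for img, tags in summary.items() if len(tags) >= min_checks)


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for image, tags in summary.items():
        print(image, sorted(tags))
    print("suspicious:", suspicious(summary))
```

Correlating this with the "Process spawned unexpected child process" signature (the image being a child of the Office process that opened the document) is what separates the macro payload from ordinary software that happens to read the UAC setting.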

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

    • Virtualization/Sandbox Evasion (T1497): 1
    • Modify Registry (T1112): 1

Discovery

    • Query Registry (T1012): 5
    • Virtualization/Sandbox Evasion (T1497): 1
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1