General

  • Target

    document-1743692288.xls

  • Size

    88KB

  • Sample

    210218-pnw1z6fjv2

  • MD5

    fa1f35763e1c13386feca469dd16a22b

  • SHA1

    1cbfc5e62e085bba8366cc077dfc91923a8ceefd

  • SHA256

    c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

  • SHA512

    31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

https://miraclecollagen.co.za/ds/1802.gif

Extracted

Family

qakbot

Botnet

tr

Campaign

1613385567

C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

Targets

    • Target

      document-1743692288.xls

    • Size

      88KB

    • MD5

      fa1f35763e1c13386feca469dd16a22b

    • SHA1

      1cbfc5e62e085bba8366cc077dfc91923a8ceefd

    • SHA256

      c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

    • SHA512

      31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation