Malware sandboxing report by Hatching Triage

General

Target

document-1743692288.xls
Size

88KB
Sample

210218-pnw1z6fjv2
MD5

fa1f35763e1c13386feca469dd16a22b
SHA1

1cbfc5e62e085bba8366cc077dfc91923a8ceefd
SHA256

c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
SHA512

31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

Score

10^/10

qakbot tr 1613385567 banker macro stealer trojan xlm

Malware Config

Extracted

Language	xlm4.0
Source
URLs	https://miraclecollagen.co.za/ds/1802.gif xlm40.dropper https://miraclecollagen.co.za/ds/1802.gif

Extracted

Family	qakbot
Botnet	tr
Campaign	1613385567
C2	78.63.226.32:443 197.51.82.72:443 193.248.221.184:2222 95.77.223.148:443 71.199.192.62:443 77.211.30.202:995 80.227.5.69:443 77.27.204.204:995 81.97.154.100:443 173.184.119.153:995 38.92.225.121:443 81.150.181.168:2222 90.65.236.181:2222 83.110.103.152:443 73.153.211.227:443 188.25.63.105:443 89.137.211.239:995 202.188.138.162:443 98.173.34.212:995 87.202.87.210:2222 195.12.154.8:443 47.217.24.69:6881 182.48.193.200:443 108.160.123.244:443 96.57.188.174:2222 45.118.216.157:443 84.72.35.226:443 172.115.177.204:2222 86.236.77.68:2222 82.127.125.209:990 176.181.247.197:443 97.69.160.4:2222 90.101.117.122:2222 189.223.201.91:443 140.82.49.12:443 2.7.69.217:2222 83.110.12.140:2222 85.132.36.111:2222 197.45.110.165:995 149.28.99.97:995 45.63.107.192:2222 149.28.98.196:2222 149.28.99.97:2222 144.202.38.185:443 149.28.99.97:443 45.63.107.192:443 45.63.107.192:995 144.202.38.185:2222 149.28.101.90:995 149.28.101.90:2222 149.28.101.90:8443 45.32.211.207:8443 149.28.98.196:995 149.28.98.196:443 45.32.211.207:995 149.28.101.90:443 207.246.77.75:443 45.77.115.208:8443 207.246.77.75:995 207.246.77.75:2222 45.32.211.207:2222 45.32.211.207:443 45.77.115.208:995 144.202.38.185:995 45.77.115.208:2222 207.246.116.237:8443 207.246.116.237:2222 207.246.77.75:8443 207.246.116.237:995 207.246.116.237:443 45.77.117.108:443 45.77.117.108:995 45.77.117.108:8443 45.77.117.108:2222 45.77.115.208:443 89.3.198.238:443 2.232.253.79:995 73.25.124.140:2222 136.232.34.70:443 157.131.108.180:443 217.133.54.140:32100 195.43.173.70:443 86.98.93.124:2078 176.205.222.30:2078 105.96.8.96:443 50.29.166.232:995 27.223.92.142:995 119.153.62.76:3389 47.187.115.228:443 67.6.12.4:443 65.27.228.247:443 23.240.70.80:995 216.201.162.158:443 139.216.137.189:995 64.121.114.87:443 79.129.121.81:995 172.87.157.235:3389 75.118.1.141:443 75.136.26.147:443 96.250.60.138:443 50.244.112.106:443 115.133.243.6:443 47.196.192.184:443 45.46.53.140:2222 105.198.236.101:443 144.139.166.18:443 196.151.252.84:443 71.197.126.250:443 196.221.207.137:995 71.117.132.169:443 74.68.144.202:443 76.25.142.196:443 98.240.24.57:443 144.139.47.206:443 86.245.46.27:2222 173.21.10.71:2222 78.97.207.104:443 86.220.60.133:2222 69.245.102.225:443 94.53.92.42:443 71.74.12.34:443 84.247.55.190:8443 173.25.45.66:443 46.153.55.149:995 78.22.58.205:3389 105.198.236.99:443 24.152.219.253:995 82.76.47.211:443 189.223.234.23:995 96.37.113.36:993 47.187.74.181:443 50.25.89.74:443 174.104.31.209:443 199.19.117.131:443 201.143.235.13:443 189.146.183.105:443 181.48.190.78:443 189.223.97.175:443 47.22.148.6:443 173.70.165.101:995 74.222.204.82:995 75.67.192.125:443 32.210.98.6:443 106.51.52.111:443 59.90.246.200:443 70.49.88.199:2222 186.28.51.27:443 98.252.118.134:443 209.210.187.52:995 189.210.115.207:443 78.63.226.32:443 197.51.82.72:443 193.248.221.184:2222 95.77.223.148:443 71.199.192.62:443 77.211.30.202:995 80.227.5.69:443 77.27.204.204:995 81.97.154.100:443 173.184.119.153:995 38.92.225.121:443 81.150.181.168:2222 90.65.236.181:2222 83.110.103.152:443 73.153.211.227:443 188.25.63.105:443 89.137.211.239:995 202.188.138.162:443 98.173.34.212:995 87.202.87.210:2222 195.12.154.8:443 47.217.24.69:6881 182.48.193.200:443 108.160.123.244:443 96.57.188.174:2222 45.118.216.157:443 84.72.35.226:443 172.115.177.204:2222 86.236.77.68:2222 82.127.125.209:990 176.181.247.197:443 97.69.160.4:2222 90.101.117.122:2222 189.223.201.91:443 140.82.49.12:443 2.7.69.217:2222 83.110.12.140:2222 85.132.36.111:2222 197.45.110.165:995 149.28.99.97:995 45.63.107.192:2222 149.28.98.196:2222 149.28.99.97:2222 144.202.38.185:443 149.28.99.97:443 45.63.107.192:443 45.63.107.192:995 144.202.38.185:2222 149.28.101.90:995 149.28.101.90:2222 149.28.101.90:8443 45.32.211.207:8443 149.28.98.196:995 149.28.98.196:443 45.32.211.207:995 149.28.101.90:443 207.246.77.75:443 45.77.115.208:8443 207.246.77.75:995 207.246.77.75:2222 45.32.211.207:2222 45.32.211.207:443 45.77.115.208:995 144.202.38.185:995 45.77.115.208:2222 207.246.116.237:8443 207.246.116.237:2222 207.246.77.75:8443 207.246.116.237:995 207.246.116.237:443 45.77.117.108:443 45.77.117.108:995 45.77.117.108:8443 45.77.117.108:2222 45.77.115.208:443 89.3.198.238:443 2.232.253.79:995 73.25.124.140:2222 136.232.34.70:443 157.131.108.180:443 217.133.54.140:32100 195.43.173.70:443 86.98.93.124:2078 176.205.222.30:2078 105.96.8.96:443 50.29.166.232:995 27.223.92.142:995 119.153.62.76:3389 47.187.115.228:443 67.6.12.4:443 65.27.228.247:443 23.240.70.80:995 216.201.162.158:443 139.216.137.189:995 64.121.114.87:443 79.129.121.81:995 172.87.157.235:3389 75.118.1.141:443 75.136.26.147:443 96.250.60.138:443 50.244.112.106:443 115.133.243.6:443 47.196.192.184:443 45.46.53.140:2222 105.198.236.101:443 144.139.166.18:443 196.151.252.84:443 71.197.126.250:443 196.221.207.137:995 71.117.132.169:443 74.68.144.202:443 76.25.142.196:443 98.240.24.57:443 144.139.47.206:443 86.245.46.27:2222 173.21.10.71:2222 78.97.207.104:443 86.220.60.133:2222 69.245.102.225:443 94.53.92.42:443 71.74.12.34:443 84.247.55.190:8443 173.25.45.66:443 46.153.55.149:995 78.22.58.205:3389 105.198.236.99:443 24.152.219.253:995 82.76.47.211:443 189.223.234.23:995 96.37.113.36:993 47.187.74.181:443 50.25.89.74:443 174.104.31.209:443 199.19.117.131:443 201.143.235.13:443 189.146.183.105:443 181.48.190.78:443 189.223.97.175:443 47.22.148.6:443 173.70.165.101:995 74.222.204.82:995 75.67.192.125:443 32.210.98.6:443 106.51.52.111:443 59.90.246.200:443 70.49.88.199:2222 186.28.51.27:443 98.252.118.134:443 209.210.187.52:995 189.210.115.207:443

Targets

- Target
  
  document-1743692288.xls
- Size
  
  88KB
- MD5
  
  fa1f35763e1c13386feca469dd16a22b
- SHA1
  
  1cbfc5e62e085bba8366cc077dfc91923a8ceefd
- SHA256
  
  c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
- SHA512
  
  31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc
Score

10^/10

qakbot tr 1613385567 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

Qakbot/Qbot

Loads dropped DLL

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2