document-1743692288.xls

General
Target

document-1743692288.xls

Size

88KB

Sample

210218-pnw1z6fjv2

Score
10 /10
MD5

fa1f35763e1c13386feca469dd16a22b

SHA1

1cbfc5e62e085bba8366cc077dfc91923a8ceefd

SHA256

c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

SHA512

31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

Malware Config

Extracted

Language xlm4.0
Source
URLs
xlm40.dropper

https://miraclecollagen.co.za/ds/1802.gif

Extracted

Family qakbot
Botnet tr
Campaign 1613385567
C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

195.12.154.8:443

47.217.24.69:6881

182.48.193.200:443

108.160.123.244:443

96.57.188.174:2222

45.118.216.157:443

84.72.35.226:443

172.115.177.204:2222

86.236.77.68:2222

82.127.125.209:990

176.181.247.197:443

97.69.160.4:2222

90.101.117.122:2222

189.223.201.91:443

140.82.49.12:443

2.7.69.217:2222

83.110.12.140:2222

85.132.36.111:2222

197.45.110.165:995

149.28.99.97:995

45.63.107.192:2222

149.28.98.196:2222

149.28.99.97:2222

144.202.38.185:443

149.28.99.97:443

45.63.107.192:443

45.63.107.192:995

144.202.38.185:2222

149.28.101.90:995

149.28.101.90:2222

Targets
Target

document-1743692288.xls

MD5

fa1f35763e1c13386feca469dd16a22b

Filesize

88KB

Score
10 /10
SHA1

1cbfc5e62e085bba8366cc077dfc91923a8ceefd

SHA256

c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54

SHA512

31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc

Tags

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

    Tags

  • Loads dropped DLL

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Tasks