qakbot | a7fcf4db18ca60e8cf3db3a2c3e1525e4cf4f2dbee71e24eeb454e95af2d28cb

General

Target

Correos Maliciosos.rar
Size

190KB
Sample

210219-f99slwglyx
MD5

fbdfc897b5020fe93a8ce14854ee915f
SHA1

6d6c47c9fc20ca6f04b73a9468d6c9275cadae7e
SHA256

a7fcf4db18ca60e8cf3db3a2c3e1525e4cf4f2dbee71e24eeb454e95af2d28cb
SHA512

2efa64876d660b3e196235d735e007c70edc6ea00afb996657555a2bc33f7ee9f00d50a7ad51c21e33192ad4a3306123dc8c2a59f832044d17c891b81c4b8a8d

Score

10^/10

qakbot tr 1613385567 banker evasion macro stealer themida trojan xlm

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://ishikapress.com/ds/1802.gif

Extracted

Family

qakbot

Botnet

tr

Campaign

1613385567

C2

78.63.226.32:443

197.51.82.72:443

193.248.221.184:2222

95.77.223.148:443

71.199.192.62:443

77.211.30.202:995

80.227.5.69:443

77.27.204.204:995

81.97.154.100:443

173.184.119.153:995

38.92.225.121:443

81.150.181.168:2222

90.65.236.181:2222

83.110.103.152:443

73.153.211.227:443

188.25.63.105:443

89.137.211.239:995

202.188.138.162:443

98.173.34.212:995

87.202.87.210:2222

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://mygrandmomskitchen.com/ds/1802.gif

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://casadodestino.com/ds/1802.gif

Targets

- Target
  
  document-1550330529.xls
- Size
  
  88KB
- MD5
  
  f702f05f75fbde10384efefbdb305592
- SHA1
  
  54865fdf009d216932a0eaa2ed053a39f49dcc29
- SHA256
  
  35d1ccc69c4367606be744c74d09b9a39ec8b3b44d562f25fed272f22815ad9f
- SHA512
  
  b755744f84fa5d374abda9f465f084101912ee9af7b7241ba7a9af61e0b06aa26b4dc1e5a9985f9bed0b1283df6ae44e9dab5c42a3a5751a14364501fc7ba7d0
Score

10^/10

qakbot tr 1613385567 banker evasion stealer themida trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- themida
  Detects Themida, Advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  document-910135933.xls
- Size
  
  88KB
- MD5
  
  814282f1d7fd479acd82713add78e6c6
- SHA1
  
  0a8b3f73bad2b6c0ec9b5baf348d1734f809f4ab
- SHA256
  
  76aa36a044f5bce1d9bed46da22c92670ed558caf67745e5c1fa351710e8bb1d
- SHA512
  
  8994cb14a450b2ca9b03af6f8c698e38d4e5cfe88246b9d996dc25fc570e3c3a6e7102ad7e30e07f50f68d344b58a43a1bb82a73ff015ccd7bd5b64aa94a1e00
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral3 behavioral4
- Target
  
  document-352528369.xls
- Size
  
  88KB
- MD5
  
  bc2c7b5000c97d90fb90ca2ee4b42484
- SHA1
  
  7c70c29f8454d23690c4a305c35da5939b2f21da
- SHA256
  
  559fd631dce1aaf66ea3ba6590a583c749c92fc95c5eb2e10ef8eeb1ef9f27a0
- SHA512
  
  86083eb10ad4cf01fcc556920b4e7cb94741f970d52640977a78efec5ce9f073a4a6acf8303acec42356ec141e6d6f35304b1b14c6daab3c75551b800667bc53
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral5 behavioral6