General

  • Target: SecuriteInfo.com.Exploit.Siggen3.10204.3307.14854
  • Size: 88KB
  • Sample: 210219-qv8rq31zsa
  • MD5: 154c724e8d22717a5afba1d10833f379
  • SHA1: 11fdadd9f2435ab35b7cb16720ecf8acf0b3a91d
  • SHA256: edf8b59767f30d39e661e3c2274fb6425038a8d59feaa47c4136e93fc6a10f53
  • SHA512: 283d26c60863461c57f21ced26bb50e15cf5a3d3592560b99874b5b0d1b116eb6d2d58264ad91e68a59e24be24a96b182fe188697c2ae7b65d26064ccde84e62

Malware Config

Extracted

  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs: https://ishikapress.com/ds/1802.gif

Extracted

  • Family: qakbot
  • Botnet: tr
  • Campaign: 1613385567
  • C2:


Targets

    • Target: SecuriteInfo.com.Exploit.Siggen3.10204.3307.14854

    • Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
    • Qakbot/Qbot: Qbot or Qakbot is a sophisticated worm with banking capabilities.
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Loads dropped DLL
    • Themida: detects Themida, Advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                        Count  ID
  Defense Evasion  Virtualization/Sandbox Evasion   1      T1497
  Defense Evasion  Modify Registry                  1      T1112
  Discovery        Query Registry                   5      T1012
  Discovery        Virtualization/Sandbox Evasion   1      T1497
  Discovery        System Information Discovery     5      T1082
  Discovery        Peripheral Device Discovery      1      T1120

Tasks