General

  • Target

    prices_and_characteristics_ (81).zip

  • Size

    15KB

  • Sample

    210222-7d1axltjx2

  • MD5

    efb492cbc4d2228b79c1801f28d1ab0b

  • SHA1

    ba8cc9130ef95e7780d7aca1dbbba1321727c9f6

  • SHA256

    4114dfd7ac821f9bef07c1e6a82c35218abbd1ac78d3e064ddde5f35c4f0bc51

  • SHA512

    d28b67e3dc3dcba790e1d34899ce8fb1523bcce6a04844483d00fb866113c76668e22ce0b56c641c21aca4c9e141c3257da3f3372fed902ef86d0901000fb10c

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    URLs

  • xlm40.dropper

    https://ishikapress.com/ds/1802.gif

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1613385567

  • C2

    78.63.226.32:443
    197.51.82.72:443
    193.248.221.184:2222
    95.77.223.148:443
    71.199.192.62:443
    77.211.30.202:995
    80.227.5.69:443
    77.27.204.204:995
    81.97.154.100:443
    173.184.119.153:995
    38.92.225.121:443
    81.150.181.168:2222
    90.65.236.181:2222
    83.110.103.152:443
    73.153.211.227:443
    188.25.63.105:443
    89.137.211.239:995
    202.188.138.162:443
    98.173.34.212:995
    87.202.87.210:2222

Targets

    • Target

      document-188374296.xls

    • Size

      88KB

    • MD5

      b5e25ac7801ba5bfaf34d9dc672bd7ca

    • SHA1

      b6e66d0b63c5340a770f43a5fdd7ddd4892068d9

    • SHA256

      62b2574ac8902e07008838760e2f923b70eb7dc3b3bf214bd3dc4a698373b692

    • SHA512

      7f64cb66607fc5ae3e719b8071641342fa81ec03bc74965fb2e01ee3c46fa58196149894e0a5228055f1696378d4e058220187acbe49f724efc45908016226de

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • themida

      Detects Themida, Advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Technique                          Count   ID
    Virtualization/Sandbox Evasion     1       T1497
    Modify Registry                    1       T1112

  • Discovery

    Technique                          Count   ID
    Query Registry                     5       T1012
    Virtualization/Sandbox Evasion     1       T1497
    System Information Discovery       5       T1082
    Peripheral Device Discovery        1       T1120

Tasks