General

  • Target

    documents-122179384.xlsm

  • Size

    95KB

  • Sample

    210412-9m8xtwemnj

  • MD5

    64ce728339d9ca928a4f2643b6098dda

  • SHA1

    43fb58a8536b4b97cb812f8c02329703d3085cc7

  • SHA256

    b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0

  • SHA512

    4b83a359690fc96c994d807ddf059393c916723dbcb5776c4cbfe1551c821365da6b8f85c1046739e563e357229a1eba6689967ce5dd20117cfc88440bd070ec

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://kemard12e.ru.com/ex.html

xlm40.dropper

http://wstanton12qn.ru.com/ex.html

xlm40.dropper

http://mississippifloodinsurance.org/drms/ex.html

xlm40.dropper

https://sucessosaometas.com.br/drms/ex.html

xlm40.dropper

https://giriandassociates.co.in/drms/ex.html

Extracted

Family

qakbot

Botnet

tr

Campaign

1618225074

C2

197.45.110.165:995

216.201.162.158:443

71.74.12.34:443

45.63.107.192:2222

149.28.101.90:2222

45.32.211.207:443

45.32.211.207:995

45.32.211.207:8443

45.32.211.207:2222

149.28.99.97:995

149.28.98.196:443

149.28.101.90:443

149.28.101.90:8443

207.246.77.75:2222

207.246.116.237:443

207.246.116.237:995

207.246.116.237:2222

45.77.117.108:995

149.28.99.97:443

45.63.107.192:443

Targets

    • Target

      documents-122179384.xlsm

    • Size

      95KB

    • MD5

      64ce728339d9ca928a4f2643b6098dda

    • SHA1

      43fb58a8536b4b97cb812f8c02329703d3085cc7

    • SHA256

      b93a9e972d297bb2a0ae163d5c9a087bf29dc5db48eaab8d9e0e5560f48065c0

    • SHA512

      4b83a359690fc96c994d807ddf059393c916723dbcb5776c4cbfe1551c821365da6b8f85c1046739e563e357229a1eba6689967ce5dd20117cfc88440bd070ec

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks