General

  • Target

    documents-325214421.xlsb

  • Size

    94KB

  • Sample

    210414-887lvatje6

  • MD5

    eb83376c53e8cd34b9ca2dde1554b633

  • SHA1

    482e4a68970971f43575187e8ac7364a8cc01af1

  • SHA256

    c662cfb7e455f4245565775c6d72804b102310e4dff2d180245ae0258beb90d5

  • SHA512

    21664ad35d766531f3a459cd52209f1cc8be912fea1280065aa99f4a1b75ac3cd5728bd6f733d23f20c1a2ab6fe1905f931ce6d23f88dd79972f5ad9dfee4c44

Malware Config

Extracted

  Language: xlm4.0 (Excel 4.0 / XLM macro)
  Source:   xlm40.dropper
  URLs (second-stage download locations hard-coded in the macro; one row per URL, all with the same language and source):
    https://theottomandoner.co.uk/drms/bb.html
    http://paufderhar07ol.ru.com/bb.html
    http://nicolette7107gq.ru.com/bb.html
    https://chocolateuncle.online/drms/bb.html
    https://cablenet.com.ec/drms/bb.html

Extracted

  Family:   qakbot
  Botnet:   tr
  Campaign: 1618225074 (Qakbot campaign IDs are Unix timestamps; this one is 2021-04-12 10:57:54 UTC)
  C2 (IP:port, one entry per line):

197.45.110.165:995

216.201.162.158:443

71.74.12.34:443

45.63.107.192:2222

149.28.101.90:2222

45.32.211.207:443

45.32.211.207:995

45.32.211.207:8443

45.32.211.207:2222

149.28.99.97:995

149.28.98.196:443

149.28.101.90:443

149.28.101.90:8443

207.246.77.75:2222

207.246.116.237:443

207.246.116.237:995

207.246.116.237:2222

45.77.117.108:995

149.28.99.97:443

45.63.107.192:443
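The extracted configuration above is only useful once it is normalized into something a SOC can deploy. The following is an added example, not code from the sandbox or the report: it parses the C2 list into per-IP port sets (skipping malformed or non-routable entries), decodes the campaign ID as a Unix timestamp, pulls the dropper hostnames out of the URLs for a DNS blocklist, and emits one Suricata rule per C2 endpoint. The config values are copied from this report; the rule message text, the `sid` base and the allow/skip policy are assumptions.

```python
"""Normalize the extracted Qakbot config into IOCs and Suricata rules.

Added example, not the sandbox's own code. Config values below are copied from
the report's Malware Config section; rule text and SID numbering are assumed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Copied from the report (xlm40.dropper URLs).
DROPPER_URLS = [
    "https://theottomandoner.co.uk/drms/bb.html",
    "http://paufderhar07ol.ru.com/bb.html",
    "http://nicolette7107gq.ru.com/bb.html",
    "https://chocolateuncle.online/drms/bb.html",
    "https://cablenet.com.ec/drms/bb.html",
]
CAMPAIGN = "1618225074"  # copied from the report
C2_RAW = """
197.45.110.165:995
216.201.162.158:443
71.74.12.34:443
45.63.107.192:2222
149.28.101.90:2222
45.32.211.207:443
45.32.211.207:995
45.32.211.207:8443
45.32.211.207:2222
149.28.99.97:995
149.28.98.196:443
149.28.101.90:443
149.28.101.90:8443
207.246.77.75:2222
207.246.116.237:443
207.246.116.237:995
207.246.116.237:2222
45.77.117.108:995
149.28.99.97:443
45.63.107.192:443
"""


def parse_c2(raw):
    """Map each C2 IP to the set of ports seen for it.

    Malformed lines and non-global addresses (private, loopback, bogon) are
    skipped rather than raising, so a partially corrupt config still yields IOCs.
    """
    by_ip = defaultdict(set)
    for line in raw.split():
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if not ip.is_global:
            continue
        by_ip[str(ip)].add(int(port))
    return dict(by_ip)


def campaign_time(campaign):
    """Qakbot campaign IDs are Unix epoch seconds; return them as an aware UTC datetime."""
    return datetime.fromtimestamp(int(campaign), tz=timezone.utc)


def dropper_hosts(urls):
    """Sorted, de-duplicated hostnames from the dropper URLs, for DNS/proxy blocking."""
    return sorted({urlparse(u).hostname for u in urls})


def suricata_rules(by_ip, sid_base=9000000):
    """One outbound alert rule per (ip, port) pair; SIDs are assumed, pick your own range."""
    rules = []
    sid = sid_base
    for ip in sorted(by_ip, key=ipaddress.ip_address):
        for port in sorted(by_ip[ip]):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"Qakbot C2 {ip}:{port} campaign {CAMPAIGN}"; '
                f'flow:to_server; sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print("campaign built:", campaign_time(CAMPAIGN).isoformat())
    print("dropper hosts:", ", ".join(dropper_hosts(DROPPER_URLS)))
    print(f"{len(c2)} unique C2 IPs, {sum(len(p) for p in c2.values())} endpoints")
    print("\n".join(suricata_rules(c2)))
```

Run it as a script to print the rules, or import it and feed `parse_c2` the C2 block from another report. Grouping by IP before emitting rules matters here: 45.32.211.207 alone answers on four ports, so a flat per-line approach would hide that one host is carrying a fifth of the endpoints.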

Targets

    • Target

      documents-325214421.xlsb

    • Size

      94KB

    • MD5

      eb83376c53e8cd34b9ca2dde1554b633

    • SHA1

      482e4a68970971f43575187e8ac7364a8cc01af1

    • SHA256

      c662cfb7e455f4245565775c6d72804b102310e4dff2d180245ae0258beb90d5

    • SHA512

      21664ad35d766531f3a459cd52209f1cc8be912fea1280065aa99f4a1b75ac3cd5728bd6f733d23f20c1a2ab6fe1905f931ce6d23f88dd79972f5ad9dfee4c44

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro; here the .xlsb carries an Excel 4.0 (XLM) macro, so the Office process is the parent to watch.

    • Qakbot/Qbot

      Qakbot (also Qbot) is a modular banking trojan and loader with worm-like self-propagation capabilities.

    • Loads dropped DLL
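The two behavioural signatures above (an Office parent spawning an unexpected child, then a dropped DLL being loaded) are what a detection engineer would turn into a rule. The following is an added example, not the sandbox's signature logic: it runs a parent/child allowlist check over process-creation events and raises the severity when the child's command line points at a user-writable directory, which is where a dropped DLL lands. The event records, the allowlist and the field names (modelled on Sysmon Event ID 1) are constructed for illustration and are not taken from this report.

```python
"""Flag Office processes spawning unexpected children in process-creation events.

Added example, not the sandbox's own detection logic. Events, allowlists and
field names below are constructed for illustration (Sysmon Event ID 1 style).
"""
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Children an Office process legitimately launches (assumed; tune per environment).
ALLOWED_CHILDREN = {"splwow64.exe", "dw20.exe"}

# Command-line fragments that indicate a payload staged in a user-writable location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample events; paths and names are hypothetical.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe -s C:\Users\user\AppData\Local\Temp\doc.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s shell32.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /sc minute /mo 5 /tn upd /tr C:\Tools\x.exe"},
]


def basename(path):
    """Case-insensitive file name of a Windows path, so EXCEL.EXE matches excel.exe."""
    return ntpath.basename(path).lower()


def is_suspicious_spawn(event):
    """True when an Office parent launches a child outside the allowlist."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    return parent in OFFICE_PARENTS and child not in ALLOWED_CHILDREN


def severity(event):
    """'high' if the child's command line references a user-writable path (dropped payload)."""
    cmdline = event["CommandLine"].lower()
    return "high" if any(m in cmdline for m in USER_WRITABLE) else "medium"


def triage(events):
    """Return one finding per flagged event, preserving input order."""
    return [
        {"parent": basename(e["ParentImage"]),
         "child": basename(e["Image"]),
         "severity": severity(e),
         "cmdline": e["CommandLine"]}
        for e in events if is_suspicious_spawn(e)
    ]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(f"[{finding['severity']}] {finding['parent']} -> {finding['child']}: {finding['cmdline']}")
```

The allowlist is deliberately short: an Office process has very few legitimate children, so the rule stays precise without enumerating every LOLBin. The severity step is what separates the first finding (regsvr32 loading a DLL from Temp) from the schtasks spawn, which matches the Scheduled Task technique listed below but points at a fixed path.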

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                1      T1112
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   2      T1082
