qakbot | 15d7aea3e0ad3d6cb43bfe1f7e308cf05113a021fc6443821025a46a256642fe

General

Target

test.7z
Size

85KB
Sample

210414-jed7lmh72x
MD5

6a959f1446af4acdb97b4a52119d7c33
SHA1

de594bb7848487752032f97f2fb85ab28531af85
SHA256

15d7aea3e0ad3d6cb43bfe1f7e308cf05113a021fc6443821025a46a256642fe
SHA512

faf48400b97841d13ec6d1b240b57449513f702d3f32506d7d3114ba608f4dacef98d4d33d83814a17084a33ae85d346956ce0e8c4490e2dd487f2b7ad4e3dbe

Score

10^/10

qakbot tr 1618398298 banker macro stealer trojan xlm

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://theottomandoner.co.uk/drms/bb.html

xlm40.dropper

http://paufderhar07ol.ru.com/bb.html

xlm40.dropper

http://nicolette7107gq.ru.com/bb.html

xlm40.dropper

https://chocolateuncle.online/drms/bb.html

xlm40.dropper

https://cablenet.com.ec/drms/bb.html

Extracted

Family

qakbot

Botnet

tr

Campaign

1618398298

C2

47.196.192.184:443

216.201.162.158:443

136.232.34.70:443

71.41.184.10:3389

140.82.49.12:443

45.63.107.192:2222

45.63.107.192:443

149.28.98.196:443

45.32.211.207:443

144.202.38.185:443

45.77.115.208:2222

45.77.115.208:8443

207.246.116.237:995

45.77.117.108:443

149.28.99.97:443

149.28.99.97:995

149.28.98.196:995

45.32.211.207:995

45.32.211.207:2222

149.28.98.196:2222

Targets

- Target
  
  documents-172432862.xlsb
- Size
  
  94KB
- MD5
  
  7caf6cedbc97b152d2d44c1a4f159cec
- SHA1
  
  d9dd28c11641ec176c82b44b6c69459a2f960d45
- SHA256
  
  91b6ca1d47127eaa4b3c9cf13c0a3d2e8945393e6de4779f3580a2246179b2ba
- SHA512
  
  beda9c6d76df0b0f840a560baa3895d4208e6498e9537e23b6d560b3e357887fb3864ae53fbbd0fe2a443f882bca9e64223dff687643862360a703d59d712344
Score

10^/10

qakbot tr 1618398298 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  documents-1762652855.xlsb
- Size
  
  94KB
- MD5
  
  15184e360c4f2597a120edb0ec3b1529
- SHA1
  
  e1c61283e9ceaceef3918bab4395ab6762f8c2fa
- SHA256
  
  f14dc38347bc80f5f0690d6d1306a24d133bfaafb21007ad5e935000f21ebca9
- SHA512
  
  edcfd7bd9545344f581e4023de15cfd9fc90324f5b63c0880d26f1e371664fc8248c6da481825a4070c2714ac66a936dcc683a6fc3c4a36ef9ab5e2d4ac002dd
Score

10^/10

qakbot tr 1618398298 banker stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Loads dropped DLL
behavioral3 behavioral4