General

  • Target

    test.7z

  • Size

    85KB

  • Sample

    210414-jed7lmh72x

  • MD5

    6a959f1446af4acdb97b4a52119d7c33

  • SHA1

    de594bb7848487752032f97f2fb85ab28531af85

  • SHA256

    15d7aea3e0ad3d6cb43bfe1f7e308cf05113a021fc6443821025a46a256642fe

  • SHA512

    faf48400b97841d13ec6d1b240b57449513f702d3f32506d7d3114ba608f4dacef98d4d33d83814a17084a33ae85d346956ce0e8c4490e2dd487f2b7ad4e3dbe

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://theottomandoner.co.uk/drms/bb.html

    http://paufderhar07ol.ru.com/bb.html

    http://nicolette7107gq.ru.com/bb.html

    https://chocolateuncle.online/drms/bb.html

    https://cablenet.com.ec/drms/bb.html

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1618398298

  • C2

    47.196.192.184:443

    216.201.162.158:443

    136.232.34.70:443

    71.41.184.10:3389

    140.82.49.12:443

    45.63.107.192:2222

    45.63.107.192:443

    149.28.98.196:443

    45.32.211.207:443

    144.202.38.185:443

    45.77.115.208:2222

    45.77.115.208:8443

    207.246.116.237:995

    45.77.117.108:443

    149.28.99.97:443

    149.28.99.97:995

    149.28.98.196:995

    45.32.211.207:995

    45.32.211.207:2222

    149.28.98.196:2222

Targets

    • Target

      documents-172432862.xlsb

    • Size

      94KB

    • MD5

      7caf6cedbc97b152d2d44c1a4f159cec

    • SHA1

      d9dd28c11641ec176c82b44b6c69459a2f960d45

    • SHA256

      91b6ca1d47127eaa4b3c9cf13c0a3d2e8945393e6de4779f3580a2246179b2ba

    • SHA512

      beda9c6d76df0b0f840a560baa3895d4208e6498e9537e23b6d560b3e357887fb3864ae53fbbd0fe2a443f882bca9e64223dff687643862360a703d59d712344

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

    • Target

      documents-1762652855.xlsb

    • Size

      94KB

    • MD5

      15184e360c4f2597a120edb0ec3b1529

    • SHA1

      e1c61283e9ceaceef3918bab4395ab6762f8c2fa

    • SHA256

      f14dc38347bc80f5f0690d6d1306a24d133bfaafb21007ad5e935000f21ebca9

    • SHA512

      edcfd7bd9545344f581e4023de15cfd9fc90324f5b63c0880d26f1e371664fc8248c6da481825a4070c2714ac66a936dcc683a6fc3c4a36ef9ab5e2d4ac002dd

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task, T1053 (2)

  • Persistence

    Scheduled Task, T1053 (2)

  • Privilege Escalation

    Scheduled Task, T1053 (2)

  • Defense Evasion

    Modify Registry, T1112 (2)

  • Discovery

    Query Registry, T1012 (4)

    System Information Discovery, T1082 (4)

Tasks