General

  • Target

    Documents 4995.xlsb

  • Size

    75KB

  • Sample

    210415-by5edtc1d2

  • MD5

    f26158691ea9aeec5e2aa69e58c65c7d

  • SHA1

    0954a286bd666290d9396833cf948c62cd038492

  • SHA256

    ee1e81fcd5e336fd2d19cc9eb0a5a8f796613f387b1b7216106d7130da0ea3cf

  • SHA512

    6b223115cccfc67ce2449689af76744549d58b85f0cf491c591d6bfe60eb0bcd81f6b5044fafd62ecce90202a3ffb727b1617b93cf1184990e14412ac286b0fb

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

Extracted

  • Family

    qakbot

  • Botnet

    tr

  • Campaign

    1618398298

  • C2

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (1) T1112

  • Discovery

    Query Registry (2) T1012
    System Information Discovery (2) T1082