General
-
Target
Documents 4995.xlsb
-
Size
75KB
-
Sample
210415-by5edtc1d2
-
MD5
f26158691ea9aeec5e2aa69e58c65c7d
-
SHA1
0954a286bd666290d9396833cf948c62cd038492
-
SHA256
ee1e81fcd5e336fd2d19cc9eb0a5a8f796613f387b1b7216106d7130da0ea3cf
-
SHA512
6b223115cccfc67ce2449689af76744549d58b85f0cf491c591d6bfe60eb0bcd81f6b5044fafd62ecce90202a3ffb727b1617b93cf1184990e14412ac286b0fb
Malware Config
Extracted
https://fcwinebarrelworks.com/drms/body.html
https://studenthousecolchester.co.uk/drms/body.html
https://novosite.autonor.com.br/drms/body.html
https://tresvalesagro.com.br/drms/body.html
https://www.docusign.com/doc.html
Extracted
qakbot
tr
1618398298
47.196.192.184:443
216.201.162.158:443
136.232.34.70:443
71.41.184.10:3389
140.82.49.12:443
45.63.107.192:2222
45.63.107.192:443
149.28.98.196:443
45.32.211.207:443
144.202.38.185:443
45.77.115.208:2222
45.77.115.208:8443
207.246.116.237:995
45.77.117.108:443
149.28.99.97:443
149.28.99.97:995
149.28.98.196:995
45.32.211.207:995
45.32.211.207:2222
149.28.98.196:2222
Targets
-
-
Target
Documents 4995.xlsb
-
Size
75KB
-
MD5
f26158691ea9aeec5e2aa69e58c65c7d
-
SHA1
0954a286bd666290d9396833cf948c62cd038492
-
SHA256
ee1e81fcd5e336fd2d19cc9eb0a5a8f796613f387b1b7216106d7130da0ea3cf
-
SHA512
6b223115cccfc67ce2449689af76744549d58b85f0cf491c591d6bfe60eb0bcd81f6b5044fafd62ecce90202a3ffb727b1617b93cf1184990e14412ac286b0fb
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-