General

  • Target

    catalog-1019838498.zip

  • Size

    84KB

  • Sample

    210423-ecszt17ble

  • MD5

    ec6cded2bef6d817e114107c5bc8acae

  • SHA1

    a80499804554ac6aa943d6f1844efe233c1b0f53

  • SHA256

    8296e3f936fbfe1f8932cef48ecfd30af9de9c70e0fe9f3d2a5189a7ac85e90c

  • SHA512

    f2ad56c85681718104aaa9156777de094c10c3c968e5d7a3ec92de4a9a0c780f886247228b1cb3b47f1bc5db75bf77c3572a03361d7284d8b13adc3d5f48a283

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://immobiliareneri.casa/drms/ind.html

xlm40.dropper

https://gidbasket.com/drms/ind.html

Extracted

Family

qakbot

Version

402.12

Botnet

tr

Campaign

1618935072

C2

140.82.49.12:443

190.85.91.154:443

96.37.113.36:993

71.41.184.10:3389

186.31.46.121:443

73.25.124.140:2222

109.12.111.14:443

24.229.150.54:995

45.32.211.207:443

45.77.117.108:443

45.77.117.108:8443

149.28.98.196:443

149.28.98.196:2222

144.202.38.185:443

144.202.38.185:995

45.32.211.207:995

207.246.116.237:995

149.28.99.97:995

45.63.107.192:2222

149.28.101.90:995

Targets

    • Target

      catalog-1019838498.xlsm

    • Size

      109KB

    • MD5

      ef92046d570f671e1a5b74b0f4c51270

    • SHA1

      f58a251babeabf92ea209d94bd39f126f434ab2a

    • SHA256

      b3b39f76d03c4556a89eceb1a7ffa4041bc87e0408f8db33f9698b7b5a5c903c

    • SHA512

      a5b05d62e4f5cc5782a68aed9b24e34154cbb98f86bbf887ddeb5662f8d6c2eafcb0b3eebfc35411437c6c2e6f533b8e4c156aee37441b4c523d5da71e4ad116

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks