General

  • Target

    catalog-101660541.zip

  • Size

    84KB

  • Sample

    210423-t762m3ntbx

  • MD5

    6e3aa606cb9e16bd78333b077c063ba6

  • SHA1

    775de8891eff070b9830701f3424b864f6c35f30

  • SHA256

    362649a8a5db8ab4cbd383ad8325a407a425458613e6508f6fdf10c5fd13da5d

  • SHA512

    ba86ca54ede380b1193ead417d25fc2b968d098f19229b91e54c327f36a11c7b3577db61f0fa3d1dd00e977e3f09a090517867e8928caf9d4e00c4b85d946de1

Malware Config

Extracted (Excel 4.0 macro stage)

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://immobiliareneri.casa/drms/ind.html

    https://gidbasket.com/drms/ind.html

Extracted

Family

qakbot

Version

402.12

Botnet

tr

Campaign

1618935072

C2

140.82.49.12:443

190.85.91.154:443

96.37.113.36:993

71.41.184.10:3389

186.31.46.121:443

73.25.124.140:2222

109.12.111.14:443

24.229.150.54:995

45.32.211.207:443

45.77.117.108:443

45.77.117.108:8443

149.28.98.196:443

149.28.98.196:2222

144.202.38.185:443

144.202.38.185:995

45.32.211.207:995

207.246.116.237:995

149.28.99.97:995

45.63.107.192:2222

149.28.101.90:995
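The extracted Qakbot configuration above is only useful once it is turned into something an analyst can act on: the campaign ID is a Unix epoch timestamp (Qakbot embeds the campaign/build time that way), the C2 list mixes repeated hosts on several ports, and the pairs need to become detection content. The following Python is an added example written for this report, not part of the sandbox output; it copies the family, version, botnet, campaign and C2 values from the page, decodes the campaign time, summarises the C2 set, emits one Suricata rule per ip:port pair (the sid range and message text are assumptions) and matches the pairs against a handful of constructed flow-log lines that are not from the report.

```python
import ipaddress
from datetime import datetime, timezone

# Values copied from the extracted config in this report.
QAKBOT_CONFIG = {
    "family": "qakbot",
    "version": "402.12",
    "botnet": "tr",
    "campaign": "1618935072",
    "c2": [
        "140.82.49.12:443", "190.85.91.154:443", "96.37.113.36:993",
        "71.41.184.10:3389", "186.31.46.121:443", "73.25.124.140:2222",
        "109.12.111.14:443", "24.229.150.54:995", "45.32.211.207:443",
        "45.77.117.108:443", "45.77.117.108:8443", "149.28.98.196:443",
        "149.28.98.196:2222", "144.202.38.185:443", "144.202.38.185:995",
        "45.32.211.207:995", "207.246.116.237:995", "149.28.99.97:995",
        "45.63.107.192:2222", "149.28.101.90:995",
    ],
}


def campaign_to_datetime(campaign):
    """Qakbot campaign IDs are Unix epoch seconds; decode to an aware UTC datetime."""
    return datetime.fromtimestamp(int(campaign), tz=timezone.utc)


def parse_c2(entries):
    """Turn 'ip:port' strings into validated (IPv4Address, port) tuples.

    ipaddress.ip_address() raises ValueError on a malformed host, and an
    out-of-range port is rejected explicitly, so a typo in the list fails
    loudly instead of producing a rule that can never match.
    """
    pairs = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {entry!r}")
        pairs.append((ip, port))
    return pairs


def c2_summary(entries):
    """Distinct C2 hosts (sorted numerically) and distinct ports.

    Several hosts appear on two ports, so blocking by host is tighter than
    blocking by pair; the port set shows which egress ports to watch.
    """
    pairs = parse_c2(entries)
    ips = sorted({str(ip) for ip, _ in pairs}, key=ipaddress.ip_address)
    ports = sorted({port for _, port in pairs})
    return ips, ports


def suricata_rules(entries, sid_base=9000001):
    """One outbound-only Suricata rule per C2 pair (sid range is an assumption)."""
    rules = []
    for i, (ip, port) in enumerate(parse_c2(entries)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Qakbot {QAKBOT_CONFIG["version"]} botnet {QAKBOT_CONFIG["botnet"]} '
            f'C2 {ip}:{port}"; flow:to_server; classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


def match_flows(flow_lines, entries):
    """Return flow records 'ts src sport dst dport' whose destination hits a C2 pair.

    Matching on the (ip, port) pair, not the IP alone, so a connection to a
    known host on an unlisted port is reported separately (see the last
    sample below) rather than silently treated as C2.
    """
    c2 = set(parse_c2(entries))
    hits = []
    for line in flow_lines:
        _ts, _src, _sport, dst, dport = line.split()
        if (ipaddress.ip_address(dst), int(dport)) in c2:
            hits.append(line)
    return hits


# Constructed sample flow records (not from the report): two C2 hits, one
# benign destination, and one known C2 host on a port not in the config.
SAMPLE_FLOWS = [
    "2021-04-23T10:00:01Z 10.0.0.5 51234 140.82.49.12 443",
    "2021-04-23T10:00:02Z 10.0.0.5 51235 93.184.216.34 443",
    "2021-04-23T10:00:03Z 10.0.0.7 51236 45.77.117.108 8443",
    "2021-04-23T10:00:04Z 10.0.0.7 51237 149.28.98.196 80",
]

if __name__ == "__main__":
    print("campaign built:", campaign_to_datetime(QAKBOT_CONFIG["campaign"]).isoformat())
    ips, ports = c2_summary(QAKBOT_CONFIG["c2"])
    print(f"{len(ips)} distinct C2 hosts on ports {ports}")
    print("\n".join(suricata_rules(QAKBOT_CONFIG["c2"])[:2]), "...")
    print("flow hits:", match_flows(SAMPLE_FLOWS, QAKBOT_CONFIG["c2"]))
```

The decoded campaign time (2021-04-20 UTC) lines up with the sample date in the report ID (210423), which is a useful sanity check that the value really is a timestamp and not an opaque ID. The fourth sample flow is deliberately not reported as a hit: it is the kind of event worth a lower-severity "known C2 host, unlisted port" rule rather than being folded into the high-confidence match.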

Targets

    • Target

      catalog-101660541.xlsm

    • Size

      109KB

    • MD5

      65f4ca3b9c15bddd065d2ae31868c044

    • SHA1

      ec8c10e4ea017dc1e2f4eaff64f7f78ac8bd7281

    • SHA256

      8795349c5c77646383f490600a88d661dfb900b34f1e28d4c759b9d7d3a1e355

    • SHA512

      d7c6019c2b9b6d06f86b7b6b27bf0c5d136c9d35774fd2f41cdad2eae1d3d506d117e1d0d3e36d52ddda04ccda8de9f107aa64f7a7b949fcebdea1e7e810464d

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qakbot (Qbot) is a banking trojan and modular loader with worm-like lateral-movement capabilities.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks