General

  • Target

    a.xlsb

  • Size

    155KB

  • Sample

    210611-9j3ej9yg6a

  • MD5

    79d94d53703ee58ab2aac1782cbd6939

  • SHA1

    16a918e278d56ed854a3314d2a4ea907001195fc

  • SHA256

    80afad8cad6c0a84c232d5d17354b11ff9e5920d65c2552047801bc73a8bec82

  • SHA512

    912a3ea6a5f75b35376ac34b03605ffd660376ad2f201648a0b73b79159c35f051842ba0585ad075bdd2424940dc671082f2cdf178e53c4c6cfdd072c3a7dcd9

Malware Config

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

https://shadiinfo.com/2DP6mQeg/pt.html

https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html

Extracted

Family

qakbot

Version

402.68

Botnet

tr

Campaign

1623225382 (Qakbot campaign IDs are Unix timestamps; this one decodes to 2021-06-09 07:56:22 UTC)

C2

190.85.91.154:443

140.82.49.12:443

105.198.236.101:443

68.186.192.69:443

24.95.61.62:443

90.65.234.26:2222

197.45.110.165:995

96.61.23.88:995

172.78.51.35:443

184.185.103.157:443

71.163.222.223:443

27.223.92.142:995

24.179.77.236:443

97.69.160.4:2222

188.26.91.212:443

75.67.192.125:443

24.152.219.253:995

92.59.35.196:2222

47.22.148.6:443

216.201.162.158:443
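The extracted configuration above is mostly useful as a set of indicators: two stage-1 dropper URLs pulled from the XLM 4.0 macro, a stage-2 C2 list, and a campaign ID. The following Python script is an added example, not part of the sandbox report, showing how a responder would turn that config into detection logic: it parses the C2 list as copied from the report, decodes the campaign ID as a Unix timestamp, and matches dropper fetches and C2 contacts in two constructed, synthetic log feeds (a flow log and a proxy log, both in a made-up line format chosen for this example).

```python
"""Detection logic built from the Qakbot config extracted in this report.

Added example; the IOCs are copied from the report, the log lines and their
format are constructed for illustration and do not come from the sandbox.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Stage-1 XLM 4.0 dropper URLs (copied from the extracted config).
DROPPER_URLS = [
    "https://shadiinfo.com/2DP6mQeg/pt.html",
    "https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html",
]

# Stage-2 Qakbot C2 endpoints, host:port, one per line (copied from the report).
C2_LIST = """
190.85.91.154:443
140.82.49.12:443
105.198.236.101:443
68.186.192.69:443
24.95.61.62:443
90.65.234.26:2222
197.45.110.165:995
96.61.23.88:995
172.78.51.35:443
184.185.103.157:443
71.163.222.223:443
27.223.92.142:995
24.179.77.236:443
97.69.160.4:2222
188.26.91.212:443
75.67.192.125:443
24.152.219.253:995
92.59.35.196:2222
47.22.148.6:443
216.201.162.158:443
"""

CAMPAIGN_ID = 1623225382  # "Campaign" value from the report


def parse_c2_list(text):
    """Parse 'host:port' lines into a set of (host, port) tuples."""
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        endpoints.add((host, int(port)))
    return endpoints


def campaign_date(campaign_id):
    """Qakbot campaign IDs are Unix timestamps; decode to an aware UTC datetime."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc)


def scan_flows(lines, endpoints):
    """Return (ts, src, dst_host, dst_port) for flows whose destination is a
    known C2. Constructed line format: '<timestamp> <src_ip> <dst_ip>:<port>'.
    Port is part of the match: the same IP on a different port is not a hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        host, _, port = dst.rpartition(":")
        if (host, int(port)) in endpoints:
            hits.append((ts, src, host, int(port)))
    return hits


def scan_proxy(lines, urls):
    """Return (ts, src, host) for requests to a dropper URL. Matching is on
    host + path so a changed scheme or an added query string still matches.
    Constructed line format: '<timestamp> <src_ip> <method> <url>'."""
    wanted = {(urlparse(u).hostname, urlparse(u).path) for u in urls}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, _method, url = parts
        p = urlparse(url)
        if (p.hostname, p.path) in wanted:
            hits.append((ts, src, p.hostname))
    return hits


# Constructed sample logs (not from the sandbox run).
SAMPLE_FLOWS = [
    "2021-06-11T09:14:03Z 10.0.0.5 190.85.91.154:443",
    "2021-06-11T09:14:09Z 10.0.0.5 142.250.72.14:443",
    "2021-06-11T09:15:41Z 10.0.0.7 90.65.234.26:2222",
    "2021-06-11T09:16:00Z 10.0.0.7 90.65.234.26:443",
]
SAMPLE_PROXY = [
    "2021-06-11T09:13:55Z 10.0.0.5 GET https://shadiinfo.com/2DP6mQeg/pt.html",
    "2021-06-11T09:13:58Z 10.0.0.5 GET https://www.example.com/index.html",
    "2021-06-11T09:15:30Z 10.0.0.7 GET http://treasurechestcaribbean.com/pZ2Z61bqa/pt.html?x=1",
]

if __name__ == "__main__":
    c2 = parse_c2_list(C2_LIST)
    print("campaign built:", campaign_date(CAMPAIGN_ID).isoformat())
    for hit in scan_proxy(SAMPLE_PROXY, DROPPER_URLS):
        print("dropper fetch:", hit)
    for hit in scan_flows(SAMPLE_FLOWS, c2):
        print("c2 contact:", hit)
```

Two practitioner caveats. The campaign timestamp (2021-06-09) is two days before the sample ID date (210611), which is the usual pattern for a fresh Qakbot build, so the campaign ID is a useful clustering key across samples. The C2 list, on the other hand, is largely residential address space, which is typical of Qakbot's use of infected hosts as relays; IP-level blocks from one report go stale quickly, so treat the list as a detection aid and pivot on the campaign ID and botnet tag when hunting.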

Targets

    • Target

      a.xlsb


    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, technique, matched signatures

Execution

    Scheduled Task (T1053): 1

Persistence

    Scheduled Task (T1053): 1

Privilege Escalation

    Scheduled Task (T1053): 1

Defense Evasion

    Modify Registry (T1112): 1

Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
