Resubmissions

  • 14-06-2021 18:45

    210614-yr76sav7we (score 10/10)

  • 11-06-2021 09:53

    210611-mdzv8f2mls (score 10/10)

General

  • Target

    audit-1290630629.xlsb

  • Size

    155KB

  • Sample

    210611-mdzv8f2mls

  • MD5

    4ba1fbc31761dc93b3957d77e6d87bb6

  • SHA1

    65843c8d1e72ef009e88093d7cbe74b22af217e6

  • SHA256

    b3adb44ad0055c7118d70dc49b3ff4ed51208f740e9dbc3f5041e7f5baa2589c

  • SHA512

    785c34e09dbd9a629c5e56ee7da4a9032945ccf095fe60c5e45d8436b426909301a6d7a8414f89b5f7406ddafd8fce1a0ea48d743de0b45608ad8c229c4b4437

Malware Config

Extracted

  • Language

    xlm4.0

  • Source / URLs

    xlm40.dropper  https://shadiinfo.com/2DP6mQeg/pt.html

    xlm40.dropper  https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html
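The dropper above is an Excel 4.0 (XLM) macro inside an .xlsb. A first static check, before detonation, is whether a workbook package carries macro-sheet parts at all and whether it defines an Auto_Open name. The script below is an added example, not code from the sandbox or from this report; it relies on two facts about the OOXML/xlsb layout (macro sheets live under xl/macrosheets/, and defined names sit in xl/workbook.bin as UTF-16LE or in xl/workbook.xml as UTF-8) and uses a constructed in-memory package, not the real audit-1290630629.xlsb, to exercise the checks.

```python
import io
import zipfile

# Excel stores XLM (Excel 4.0) macro sheets as separate package parts under
# this prefix, as sheetN.xml in .xlsm and sheetN.bin in .xlsb.
MACROSHEET_PREFIX = "xl/macrosheets/"
WORKBOOK_PARTS = ("xl/workbook.bin", "xl/workbook.xml")


def xlm_macrosheets(package: bytes) -> list:
    """Names of the macro-sheet parts inside a workbook package, if any."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith(MACROSHEET_PREFIX) and not n.endswith("/"))


def has_auto_open(package: bytes) -> bool:
    """True if the workbook part mentions an Auto_Open defined name.

    workbook.xml (xlsm) holds the name as UTF-8 text; workbook.bin (xlsb)
    holds it as UTF-16LE inside a defined-name record. A substring scan
    catches both without a full record parser. lower() makes the match
    case-insensitive, as Excel's own name lookup is; on UTF-16LE bytes it
    only touches the ASCII code units, so the needle still matches.
    """
    needles = (b"auto_open", "auto_open".encode("utf-16-le"))
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for part in WORKBOOK_PARTS:
            if part in z.namelist():
                blob = z.read(part).lower()
                return any(n in blob for n in needles)
    return False


def triage(package: bytes) -> dict:
    """Summarise the two checks; any macro sheet at all is worth a look."""
    sheets = xlm_macrosheets(package)
    return {
        "macrosheets": sheets,
        "auto_open": has_auto_open(package),
        "suspicious": bool(sheets),
    }


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for demonstration only, not a real workbook.

    The part contents are filler bytes; only the part names and the
    embedded Auto_Open string matter to the checks above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        filler = b"\x00" * 4
        name_rec = (filler + "Auto_Open".encode("utf-16-le")) if with_macro else b""
        z.writestr("xl/workbook.bin", filler + name_rec)
        z.writestr("xl/worksheets/sheet1.bin", filler)
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.bin", filler)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample(with_macro=True)))
    print(triage(build_sample(with_macro=False)))
```

On a real suspect file, read it from disk and pass the bytes to triage(); a hit on xl/macrosheets/ in a document that arrived as an "audit" spreadsheet is enough to quarantine it. Hidden or "veryHidden" sheet states and obfuscated formula text are not examined here and need a proper XLM parser.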

Extracted

  • Family

    qakbot

  • Version

    402.68

  • Botnet

    tr

  • Campaign

    1623225382 (Unix epoch, i.e. 2021-06-09 07:56:22 UTC; Qakbot stamps each build with its campaign time)

  • C2 (host:port)

    190.85.91.154:443
    140.82.49.12:443
    105.198.236.101:443
    68.186.192.69:443
    24.95.61.62:443
    90.65.234.26:2222
    197.45.110.165:995
    96.61.23.88:995
    172.78.51.35:443
    184.185.103.157:443
    71.163.222.223:443
    27.223.92.142:995
    24.179.77.236:443
    97.69.160.4:2222
    188.26.91.212:443
    75.67.192.125:443
    24.152.219.253:995
    92.59.35.196:2222
    47.22.148.6:443
    216.201.162.158:443
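The extracted config is only useful once it is turned into something that can be run against logs and sensors. The script below is an added example, not part of the sandbox report: it embeds the family, version, botnet, campaign and C2 values exactly as listed above plus the two dropper URLs, decodes the campaign epoch, matches the C2 list against a few constructed firewall lines (not real traffic), and emits one Suricata rule per C2. The key=value log format and the sid range are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Values copied from the Malware Config section of this report.
QAKBOT_CONFIG = {
    "family": "qakbot",
    "version": "402.68",
    "botnet": "tr",
    "campaign": 1623225382,
    "c2": [
        "190.85.91.154:443", "140.82.49.12:443", "105.198.236.101:443",
        "68.186.192.69:443", "24.95.61.62:443", "90.65.234.26:2222",
        "197.45.110.165:995", "96.61.23.88:995", "172.78.51.35:443",
        "184.185.103.157:443", "71.163.222.223:443", "27.223.92.142:995",
        "24.179.77.236:443", "97.69.160.4:2222", "188.26.91.212:443",
        "75.67.192.125:443", "24.152.219.253:995", "92.59.35.196:2222",
        "47.22.148.6:443", "216.201.162.158:443",
    ],
}
DROPPER_URLS = [
    "https://shadiinfo.com/2DP6mQeg/pt.html",
    "https://treasurechestcaribbean.com/pZ2Z61bqa/pt.html",
]

# Constructed firewall lines (not real traffic) in an assumed key=value form.
# 203.0.113.10 is a documentation address; the last line goes to a listed
# C2 host but on a port the config does not use.
LOG_LINES = [
    "ts=2021-06-11T09:58:04Z src=10.0.0.23 dst=203.0.113.10 dport=443 proto=tcp",
    "ts=2021-06-11T09:58:31Z src=10.0.0.23 dst=190.85.91.154 dport=443 proto=tcp",
    "ts=2021-06-11T09:59:02Z src=10.0.0.23 dst=90.65.234.26 dport=2222 proto=tcp",
    "ts=2021-06-11T09:59:40Z src=10.0.0.23 dst=197.45.110.165 dport=443 proto=tcp",
]


def campaign_timestamp(campaign: int) -> str:
    """Qakbot's campaign id is the build's Unix epoch (seconds, UTC)."""
    ts = datetime.fromtimestamp(campaign, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def c2_set(config: dict) -> set:
    """(host, port) pairs from the 'host:port' strings in the config."""
    pairs = set()
    for entry in config["c2"]:
        host, port = entry.rsplit(":", 1)
        pairs.add((host, int(port)))
    return pairs


def dropper_hosts(urls) -> set:
    """Hostnames to hunt for in DNS and proxy logs."""
    return {urlsplit(u).hostname for u in urls}


def find_c2_hits(log_lines, indicators, match_port=True):
    """Return (ts, src, dst, dport) for lines whose destination is a known C2.

    With match_port=False the port is ignored: these C2s are compromised
    residential hosts, so any traffic to the address deserves a look.
    """
    hosts_only = {host for host, _ in indicators}
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        dst, dport = fields["dst"], int(fields["dport"])
        if (dst, dport) in indicators or (not match_port and dst in hosts_only):
            hits.append((fields["ts"], fields["src"], dst, dport))
    return hits


def suricata_rules(config: dict, sid_start: int = 9000001) -> list:
    """One alert rule per C2. The sid range is an assumption; use a free one."""
    botnet = config["botnet"]
    rules = []
    for i, (host, port) in enumerate(sorted(c2_set(config))):
        rules.append(
            f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"Qakbot {botnet} C2 {host}:{port}"; '
            f"flow:to_server; sid:{sid_start + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    print("campaign built:", campaign_timestamp(QAKBOT_CONFIG["campaign"]))
    print("dropper hosts:", sorted(dropper_hosts(DROPPER_URLS)))
    for hit in find_c2_hits(LOG_LINES, c2_set(QAKBOT_CONFIG)):
        print("C2 hit:", hit)
    print(suricata_rules(QAKBOT_CONFIG)[0])
```

Matching on host and port is the low-noise default; re-run with match_port=False when scoping an incident, since the operators rotate ports on the same compromised hosts between builds.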

Targets

    • Target

      audit-1290630629.xlsb (155KB; MD5, SHA1, SHA256 and SHA512 as listed under General)

    • Process spawned unexpected child process

      Excel, opening the .xlsb, started a child process it has no normal reason to launch. This typically indicates the parent was compromised via an exploit or, as here, a macro (the XLM 4.0 dropper in Malware Config).

    • Qakbot/Qbot

      Qakbot (Qbot) is a banking trojan and loader with worm-like spreading; this sample is build 402.68 of botnet tr, campaign 1623225382 (see Malware Config).

    • Loads dropped DLL

      A process loaded a DLL that was written to disk during the run rather than an installed library, consistent with the payload fetched by the dropper.
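The two behavioural signatures above map directly onto endpoint telemetry: a process-creation event whose parent is an Office application, and an image-load event for a file that was created earlier in the same session. The script below is an added example, not code from the sandbox: it implements both rules over a constructed, time-ordered event stream (made up for the demonstration; the paths, user name and regsvr32 command line are assumptions, not observations from this report). The lists of expected Office children and of abusable signed binaries are starting-point assumptions to tune per estate.

```python
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children Office starts on its own in normal use (assumed baseline).
EXPECTED_CHILDREN = {"splwow64.exe", "msosync.exe", "dw20.exe", "werfault.exe"}
# Signed Windows binaries commonly abused to run a downloaded payload.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe"}

# Constructed events (not real telemetry), oldest first, in the shape a
# Sysmon-style sensor would give after normalisation.
EVENTS = [
    {"type": "process_create", "ts": "2021-06-11T09:57:58Z",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
    {"type": "file_create", "ts": "2021-06-11T09:58:33Z",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\victim\AppData\Local\Temp\dropped.dll"},
    {"type": "process_create", "ts": "2021-06-11T09:58:35Z",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 -s C:\Users\victim\AppData\Local\Temp\dropped.dll"},
    {"type": "image_load", "ts": "2021-06-11T09:58:36Z",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "ts": "2021-06-11T09:58:36Z",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\dropped.dll"},
]


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events) -> list:
    """Run both rules over a time-ordered stream and return the alerts raised.

    Rule 1 (office_unexpected_child): an Office parent spawned a child that is
    not on the expected list; severity is raised when the child is a LOLBin.
    Rule 2 (loads_dropped_dll): a process mapped a file that was created
    earlier in the same session, i.e. a dropped rather than installed DLL.
    """
    alerts = []
    dropped = {}  # lower-cased path -> image that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped[ev["target"].lower()] = basename(ev["image"])
        elif kind == "process_create":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in OFFICE_PARENTS and child not in EXPECTED_CHILDREN:
                alerts.append({
                    "rule": "office_unexpected_child",
                    "severity": "high" if child in LOLBINS else "medium",
                    "ts": ev["ts"],
                    "detail": f"{parent} -> {child}: {ev.get('cmdline', '')}",
                })
        elif kind == "image_load":
            path = ev["loaded"].lower()
            if path in dropped:
                alerts.append({
                    "rule": "loads_dropped_dll",
                    "severity": "high",
                    "ts": ev["ts"],
                    "detail": (f"{basename(ev['image'])} loaded {ev['loaded']} "
                               f"(written earlier by {dropped[path]})"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["ts"], alert["severity"], alert["rule"], alert["detail"])
```

Rule 2 needs file-create and image-load events from the same host correlated in order, so it is cheap in a sandbox or an EDR that already keeps per-session state, and expensive in a SIEM that sees the events unordered; there, keying the join on the DLL path and host over a short window is the usual compromise.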

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Signatures  ID
  Execution             Scheduled Task                1           T1053
  Persistence           Scheduled Task                1           T1053
  Privilege Escalation  Scheduled Task                1           T1053
  Defense Evasion       Modify Registry               1           T1112
  Discovery             Query Registry                2           T1012
  Discovery             System Information Discovery  2           T1082
