General

  • Target

    Complaint-818191704-10012021.zip

  • Size

    87KB

  • Sample

    211001-tfdz7scba6

  • MD5

    24e0f258e987de04ffbb978578e4267c

  • SHA1

    9ced75c05ac79689cc1ee52ee526b5187349058b

  • SHA256

    bc29b497a95f0daba324ee877dca4b354b31d6179117ac1afb8f17d354358036

  • SHA512

    3659f4f4243a0b0b769e38435bec1685b6761ad5eecbea185ea9e1cdbd4780977efb8327cb74ac24e08bab451738aec67e1c0c4450e3ed0a7fb5491a70e6981a

Malware Config

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

http://101.99.90.18/44470.6666363426.dat

http://194.36.191.19/44470.6666363426.dat

http://45.144.29.109/44470.6666363426.dat

Extracted

Family

qakbot

Version

402.363

Botnet

obama107

Campaign

1633078880

C2

140.82.49.12:443

41.250.143.109:995

216.201.162.158:443

86.8.177.143:443

105.198.236.99:443

124.123.42.115:2222

217.17.56.163:443

37.210.152.224:995

190.198.206.189:2222

75.89.195.186:995

78.191.44.76:995

122.11.220.212:2222

68.186.192.69:443

159.2.51.200:2222

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

120.151.47.189:443

47.22.148.6:443

94.200.181.154:443

Extracted

Family

qakbot

Version

402.363

Botnet

notset

Campaign

1632819510

C2

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

http://101.99.90.18/44470.7501645833.dat

http://194.36.191.19/44470.7501645833.dat

http://45.144.29.109/44470.7501645833.dat
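
The extracted configuration above turned into something a defender can act on, as an added example that is not part of the sandbox report: the six dropper URLs, both C2 lists, the botnet names and the campaign values are copied from the report; the Suricata SIDs are hypothetical, and reading the Campaign value as a Unix timestamp is an assumption (a common interpretation of that Qakbot config field, not something the report states). The script validates every C2 entry, merges the two lists, shows which sockets the two botnet configs share, confirms both dropper stages use the same `/44470.<10 digits>.dat` path shape, and emits Suricata rules.

```python
"""Work the extracted Qakbot / XLM dropper IOCs into detection artefacts.
Added example, not sandbox output. IOC values are copied from the report;
SIDs and the 'campaign is a Unix timestamp' reading are assumptions."""
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

DROPPER_URLS = [  # stage 1: XLM 4.0 dropper fetch targets (from the report)
    "http://101.99.90.18/44470.6666363426.dat",
    "http://194.36.191.19/44470.6666363426.dat",
    "http://45.144.29.109/44470.6666363426.dat",
    "http://101.99.90.18/44470.7501645833.dat",
    "http://194.36.191.19/44470.7501645833.dat",
    "http://45.144.29.109/44470.7501645833.dat",
]

# stage 2: the two Qakbot configs, botnet -> (campaign, "ip:port ..." list)
QAKBOT_CONFIGS = {
    "obama107": (1633078880, """
        140.82.49.12:443 41.250.143.109:995 216.201.162.158:443 86.8.177.143:443
        105.198.236.99:443 124.123.42.115:2222 217.17.56.163:443 37.210.152.224:995
        190.198.206.189:2222 75.89.195.186:995 78.191.44.76:995 122.11.220.212:2222
        68.186.192.69:443 159.2.51.200:2222 217.17.56.163:2222 217.17.56.163:2078
        41.228.22.180:443 120.151.47.189:443 47.22.148.6:443 94.200.181.154:443"""),
    "notset": (1632819510, """
        196.217.156.63:995 120.150.218.241:995 95.77.223.148:443 185.250.148.74:443
        181.118.183.94:443 105.198.236.99:443 140.82.49.12:443 37.210.152.224:995
        89.101.97.139:443 81.241.252.59:2078 27.223.92.142:995 81.250.153.227:2222
        73.151.236.31:443 47.22.148.6:443 122.11.220.212:2222 120.151.47.189:443
        199.27.127.129:443 216.201.162.158:443 136.232.34.70:443 76.25.142.196:443"""),
}

C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
DROPPER_PATH_RE = re.compile(r"^/44470\.\d{10}\.dat$")


def parse_c2(blob):
    """Parse 'ip:port' tokens, rejecting anything that is not a valid IPv4 socket."""
    pairs = []
    for tok in blob.split():
        m = C2_RE.match(tok)
        if not m:
            raise ValueError(f"malformed C2 entry: {tok!r}")
        ip, port = m.group(1), int(m.group(2))
        if max(int(o) for o in ip.split(".")) > 255 or not 0 < port < 65536:
            raise ValueError(f"out-of-range C2 entry: {tok!r}")
        pairs.append((ip, port))
    return pairs


def c2_by_botnet():
    return {name: set(parse_c2(blob)) for name, (_, blob) in QAKBOT_CONFIGS.items()}


def c2_union():
    """All distinct ip:port pairs across both configs."""
    return set().union(*c2_by_botnet().values())


def shared_c2():
    """Sockets present in both the obama107 and the notset config."""
    return set.intersection(*c2_by_botnet().values())


def port_histogram():
    return Counter(port for _, port in c2_union())


def campaign_utc(epoch):
    """Assumption: the Campaign value is a Unix timestamp; decode it as UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def dropper_hosts():
    return {urlparse(u).hostname for u in DROPPER_URLS}


def dropper_paths_match_pattern():
    """Both dropper stages use the same '/44470.<10 digits>.dat' path shape."""
    return all(DROPPER_PATH_RE.match(urlparse(u).path) for u in DROPPER_URLS)


def suricata_rules(base_sid=9_000_000):
    """One rule per C2 socket plus one for the dropper URI shape. SIDs are hypothetical."""
    rules, sid = [], base_sid
    for ip, port in sorted(c2_union()):
        nets = ",".join(n for n, s in c2_by_botnet().items() if (ip, port) in s)
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Qakbot C2 {ip}:{port} ({nets})"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    rules.append(
        'alert http $HOME_NET any -> any any (msg:"Excel 4.0 macro dropper fetch 44470.<id>.dat"; '
        'flow:established,to_server; http.uri; content:"/44470."; startswith; '
        f'content:".dat"; endswith; classtype:trojan-activity; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for name, (epoch, _) in QAKBOT_CONFIGS.items():
        print(f"{name}: campaign {epoch} = {campaign_utc(epoch):%Y-%m-%d %H:%M:%S} UTC")
    print(f"{len(c2_union())} distinct C2 sockets, {len(shared_c2())} shared, "
          f"ports {dict(port_histogram())}")
    print("\n".join(suricata_rules()[:2]))
```

The per-socket rules pin both IP and port because Qakbot C2 addresses are residential hosts whose other traffic is legitimate; blocking the IP alone would be noisy. The dropper rule matches the path shape rather than the three IPs, since the same `44470.<id>.dat` naming appears across both stages while the hosting IPs are the part that changes most often.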

Targets

    • Target

      Complaint-818191704-10012021.xls

    • Size

      129KB

    • MD5

      4867eebf4c3f7ee6b532e703d20d5585

    • SHA1

      d772036f1ca3eab516f016aa5073ffc2a65142f4

    • SHA256

      67173a667baf38b78448f969bcb53892536ddc279528553cadbf0a53d1637d5d

    • SHA512

      4b7ccb534a546b70f2453bf2dc456a8cc6a384cdb3f511a55bcaa933a4d2617cfcf1d0871add4d64d5037c762b805f4effafbe7395499be9266a3dc508e04662

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or a macro; here the extracted config shows the trigger is an Excel 4.0 (XLM) macro in the .xls, which fetches the second stage from the dropper URLs listed above.

    • Qakbot/Qbot

      Qakbot (Qbot) is a modular banking trojan with worm-like self-propagation; this run yielded two Qakbot configurations (botnets obama107 and notset) with overlapping C2 lists.

    • Windows security bypass

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Drops file in System32 directory
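
Detection logic for the "Process spawned unexpected child process" signature above, together with the Command-Line Interface (T1059) and Scheduled Task (T1053) mappings in the matrix that follows, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style process-creation events; the events, the Office allowlist and the rule names are assumptions, not observations from this sample. The second rule walks the parent chain so a `schtasks /create` launched through an intermediate `cmd.exe` is still tied back to the Excel process that started it.

```python
"""Detection logic for 'Process spawned unexpected child process' (and the
T1059 / T1053 mappings) over constructed Sysmon-style events. Added example,
not sandbox output; events, allowlist and rule names are assumptions."""

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# children an Office app starts in normal use (assumed allowlist; tune per estate)
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}


def _ev(guid, parent_guid, image, cmdline):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "CommandLine": cmdline}


# constructed events (not from the sandbox run); p0 is an ancestor we never saw
SAMPLE_EVENTS = [
    _ev("p1", "p0", r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev("p2", "p1", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        '"EXCEL.EXE" Complaint-818191704-10012021.xls'),
    _ev("p3", "p2", r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    _ev("p4", "p2", r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "example.cmd"'),
    _ev("p5", "p4", r"C:\Windows\System32\schtasks.exe",
        "schtasks.exe /Create /SC ONCE /TN Example /TR example.exe"),
    _ev("p6", "p1", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_guid):
    """Walk ParentProcessGuid upwards; return the first Office host found, or None."""
    seen = set()
    guid = event["ParentProcessGuid"]
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        parent = by_guid[guid]
        if basename(parent["Image"]) in OFFICE_HOSTS:
            return basename(parent["Image"])
        guid = parent["ParentProcessGuid"]
    return None


def evaluate(events):
    """Return (rule, child image, originating Office host) triples."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        child = basename(e["Image"])
        parent = by_guid.get(e["ParentProcessGuid"])
        parent_name = basename(parent["Image"]) if parent else None
        # rule 1: an Office host spawned something outside the allowlist
        if parent_name in OFFICE_HOSTS and child not in BENIGN_OFFICE_CHILDREN:
            hits.append(("unexpected-office-child", child, parent_name))
        # rule 2: a scheduled task created anywhere below an Office host, even via cmd.exe
        if child == "schtasks.exe" and "/create" in e["CommandLine"].lower():
            origin = office_ancestor(e, by_guid)
            if origin:
                hits.append(("scheduled-task-from-office", child, origin))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
```

The allowlist is deliberately short: a first run in a real estate will surface printer and updater helpers that belong in it, and it is safer to extend the list from observed benign children than to start from a long one that hides `cmd.exe` behind a wildcard.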

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry is the technique, its ATT&CK ID and the number of matching signatures.

Execution

Scheduled Task (T1053): 1

Command-Line Interface (T1059): 1

Persistence

Scheduled Task (T1053): 1

Privilege Escalation

Scheduled Task (T1053): 1

Defense Evasion

Disabling Security Tools (T1089): 1

Modify Registry (T1112): 2

Discovery

Query Registry (T1012): 2

System Information Discovery (T1082): 3

Remote System Discovery (T1018): 1

Tasks