Overview

overview

10

Static

static

Applicatio...5.xlsb

windows7_x64

10

Applicatio...5.xlsb

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7148ec965120fe96300787711be22c07519f87f3919b3fdedf608af5badbecfb

  • Size

    1.0MB

  • Sample

    220508-2q17gscehn

  • MD5

    890541a021169e0cfe0f218e15f37456

  • SHA1

    e9f35aef6804e72e821b73feddbda18bbcdcddd0

  • SHA256

    f50ff9877056f39350d45cdd947fc4c313886332d4728c32cc78ebfffb96c806

  • SHA512

    eded63874049599fbb74722c3c70dccadd05084abeba47e1f79bf76816b322576b93fb82f0df3dd74c475dd144cb2115c134fd95ecc601301dee98a9e48cef9c

Score
10/10
qakbotobama1801650959141bankerstealertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://103.155.93.53/221301482.dat
xlm40.dropper

http://87.236.146.69/221301482.dat
xlm40.dropper

http://94.140.114.172/221301482.dat

Extracted

Family

qakbot

Version

403.573

Botnet

obama180

Campaign

1650959141

C2

2.50.4.57:443

85.246.82.244:443

121.7.223.59:2222

197.161.137.67:993

38.70.253.226:2222

47.23.89.62:993

172.114.160.81:443

75.99.168.194:443

82.152.39.39:443

108.60.213.141:443

148.64.96.100:443

167.86.191.84:443

187.207.47.198:61202

103.107.113.120:443

203.122.46.130:443

106.51.48.170:50001

47.23.89.62:995

140.82.49.12:443

102.65.38.74:443

103.246.242.202:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://103.155.93.53/427803004.dat
xlm40.dropper

http://87.236.146.69/427803004.dat
xlm40.dropper

http://94.140.114.172/427803004.dat

Targets

    • Target

      ApplicationReject-668351985.xlsb

    • Size

      1.1MB

    • MD5

      9a785b87d4093c7174b22c2d2043a986

    • SHA1

      9d0f56486ebbb3e4b412029d64849920d4d95bc7

    • SHA256

      a34f9120bb63cf352d632da7df7edd3efc81052809b961db2e7629f18b8412e5

    • SHA512

      3e752f0a41c6c9dfbfabac8ae93be0c957a744a81aa287da2fa29abdaf52c4ae75763fb37c71d3eaec23163ec6f8ccfccc2cf84033f081140730fbd0d6afa950

    Score
    10/10
    qakbotobama1801650959141bankerstealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks