Overview

overview

10

Static

static

8

Cancellati...5.xlsb

windows7_x64

10

Cancellati...5.xlsb

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c3fcb8713025afa39dc381d4c2a6c07a07b76330a628b34e9dd8b9ae4204a631

  • Size

    54KB

  • Sample

    220509-1bzvfaech5

  • MD5

    1d941d4be4be69f78eade8f4678f0184

  • SHA1

    a93f248cc14f36c76fd3c6d26243e4617efabae3

  • SHA256

    9a37133667c56323770ac450f523ecedfefe4795a0396b8b4516f6424d2511d4

  • SHA512

    a8bc61cf7c05fb0842d76da2c36ab7c1791fc96ef880217997bf11d2ef1fc8d22d6328df489691da2312966deecf1aa3bf881961d22dfa6161e2d160aaf7e07b

Score
10/10
qakbotobama1821651756499bankermacrostealertrojanxlm

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Language
xlm4.0
Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443
Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

    • Target

      Cancellation-1209065499$-May5.xlsb

    • Size

      65KB

    • MD5

      35c57b549478f7ab03f9d212069d8566

    • SHA1

      e2f79848af012270c33a686ed4fb16a906e3cd66

    • SHA256

      068c3649694a07a03ecb131b889b98d5ecc2f1f35bfd11456a7a0f9e635c6182

    • SHA512

      2ec2a6c2c080f45f141d91688f3d4af0aa08af4c2dcff2845bbb405f8a0e47c6cf01856eef9f0d411d7dc12bbc00e386fa4c005504904d42ca786ed36cf3b7a4

    Score
    10/10
    qakbotobama1821651756499bankerstealertrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

      trojanbankerstealerqakbot

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks