General

  • Target

    5fd74f3bd1060884c93af949bd95dd5efd4055daa471edb25a21f0804c4db269

  • Size

    54KB

  • Sample

    220509-3yv6waeeb3

  • MD5

    67e74117995fc2c32bb16bd73643705e

  • SHA1

    68926feeb03addd328bd62bd3229c02f45f122a6

  • SHA256

    08713b548ad4cd818ac03227d1b5fd453e7af13313feeac7e4e564ff125e3efe

  • SHA512

    899da36bd97deec5f84a048d4a1a10e4b6402f4d7215c01b78d7df882a4115e477b2a4bd8330fccfd7a38118de367b6e30495539030cc93e944d936b53e69c41

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Extracted

  • Family

    qakbot

  • Version

    403.683

  • Botnet

    obama182

  • Campaign

    1651756499

  • C2

    103.107.113.120:443
    80.11.74.81:2222
    177.102.2.175:32101
    24.178.196.158:2222
    91.177.173.10:995
    181.208.248.227:443
    176.67.56.94:443
    202.134.152.2:2222
    148.0.57.85:443
    179.179.162.9:993
    40.134.246.185:995
    37.186.54.254:995
    196.203.37.215:80
    120.150.218.241:995
    208.107.221.224:443
    113.53.151.59:443
    70.46.220.114:443
    69.14.172.24:443
    108.60.213.141:443
    24.55.67.176:443

  • Attributes

    salt: jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

  • Language

    xlm4.0

  • Source


Targets

    • Target

      Cancellation-1070520191$-May5.xlsb

    • Size

      65KB

    • MD5

      34fee3c22bb8083223fd247fcdd37105

    • SHA1

      a7d976dd7e40e5d96195cc0d596e6853f1c5fca9

    • SHA256

      cf466f71763ed24dfdb8504a79c0866cf9f13ff57a3aeee2f726bc9242b50525

    • SHA512

      defa15e90117fbb2d86a53ba645630d62cf6f387360eddae51f19ec89c1038d71a1b2c574446e2c6a21f50009d7dd81633dc88d0a000134b3bf3952a3430edfa

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Disabling Security Tools      1      T1089
  Defense Evasion       Modify Registry               2      T1112
  Discovery             Query Registry                2      T1012
  Discovery             System Information Discovery  2      T1082

Tasks