General

  • Target

    111fb452bdc34c120d2cce1ee80099ad96fdd8fccf8fe5a0e1185d372efb9363

  • Size

    1.0MB

  • Sample

    220509-e8k7nacda4

  • MD5

    a1d2a5d76015aaa3bc2e61411141f18c

  • SHA1

    f511a2cea217419011879ecb42a2c5625d93c39a

  • SHA256

    1803f9390c070076b7c4eb751ab74160cbe5eacaeb2f69f4a0b0ba765bc5c110

  • SHA512

    4b528053c82358ba900b8bd800132e3c57a275b5c8c21268cb86b2ca079974e6f2c3e7758bfa286d4d8c2844e6a770378b59998c8342c587fd59575486e8985c

Malware Config

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

http://103.155.93.53/694416531.dat

http://87.236.146.69/694416531.dat

http://94.140.114.172/694416531.dat

Extracted

Family

qakbot

Version

403.573

Botnet

obama180

Campaign

1650959141 (Unix epoch seconds, i.e. 2022-04-26 07:45:41 UTC)

C2

2.50.4.57:443

85.246.82.244:443

121.7.223.59:2222

197.161.137.67:993

38.70.253.226:2222

47.23.89.62:993

172.114.160.81:443

75.99.168.194:443

82.152.39.39:443

108.60.213.141:443

148.64.96.100:443

167.86.191.84:443

187.207.47.198:61202

103.107.113.120:443

203.122.46.130:443

106.51.48.170:50001

47.23.89.62:995

140.82.49.12:443

102.65.38.74:443

103.246.242.202:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Language

xlm4.0

Source

xlm40.dropper

URLs

http://103.155.93.53/75369921.dat

http://87.236.146.69/75369921.dat

http://94.140.114.172/75369921.dat
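
The extracted configuration above (two sets of XLM dropper URLs, the Qakbot C2 list and the campaign value) turned into a hunting check. This is an added example, not tooling from the sandbox or from the malware; the dropper URLs, C2 endpoints and campaign value are copied from the report, while the log format and the log lines are constructed, and reading the campaign field as a Unix build timestamp is the usual extractor interpretation, stated here as an assumption.

```python
"""Hunting check built from the Malware Config section (added example).
Dropper URLs, C2 list and campaign value are from the report; the log
lines and their format are constructed."""
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit
import re

DROPPER_URLS = [
    "http://103.155.93.53/694416531.dat",
    "http://87.236.146.69/694416531.dat",
    "http://94.140.114.172/694416531.dat",
    "http://103.155.93.53/75369921.dat",
    "http://87.236.146.69/75369921.dat",
    "http://94.140.114.172/75369921.dat",
]
CAMPAIGN = 1650959141  # Qakbot "campaign" field
C2_RAW = """\
2.50.4.57:443
85.246.82.244:443
121.7.223.59:2222
197.161.137.67:993
38.70.253.226:2222
47.23.89.62:993
172.114.160.81:443
75.99.168.194:443
82.152.39.39:443
108.60.213.141:443
148.64.96.100:443
167.86.191.84:443
187.207.47.198:61202
103.107.113.120:443
203.122.46.130:443
106.51.48.170:50001
47.23.89.62:995
140.82.49.12:443
102.65.38.74:443
103.246.242.202:443
"""

# Every dropper host serves the same numeric-name ".dat" payload: match the
# path shape as well as the hosts, so rotated infrastructure is still caught.
DROPPER_PATH = re.compile(r"^/\d{6,}\.dat$")


def parse_c2(raw):
    """'ip:port' lines -> [(ip, port)], rejecting anything that is not IP:port."""
    endpoints = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        ip_address(host)  # raises ValueError on junk
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {line!r}")
        endpoints.append((host, port))
    return endpoints


def campaign_time(epoch):
    """Campaign id read as build time in Unix seconds (assumption, see lead-in)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def nonstandard_ports(endpoints):
    """C2 ports other than 443; useful for an egress-filter review."""
    return sorted({p for _, p in endpoints if p != 443})


# Constructed log format: "<ts> <src> -> <dst>:<port> [<METHOD> <path>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<method>[A-Z]+) (?P<path>\S+))?$")


def scan(lines, endpoints, dropper_urls):
    """Flag C2 connections and dropper-style fetches; returns (ts, src, reason)."""
    c2 = set(endpoints)
    hosts = {urlsplit(u).hostname for u in dropper_urls}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, port, path = m["dst"], int(m["port"]), m["path"]
        if (dst, port) in c2:
            hits.append((m["ts"], m["src"], f"qakbot c2 {dst}:{port}"))
        elif path and DROPPER_PATH.match(path):
            where = "known dropper host" if dst in hosts else "unknown host"
            hits.append((m["ts"], m["src"], f"xlm dropper fetch {path} ({where})"))
    return hits


SAMPLE_LOG = [  # constructed; 198.51.100.0/24 is documentation space
    "2022-05-09T10:01:12Z 10.0.0.5 -> 87.236.146.69:80 GET /694416531.dat",
    "2022-05-09T10:01:40Z 10.0.0.5 -> 47.23.89.62:993",
    "2022-05-09T10:02:05Z 10.0.0.7 -> 198.51.100.20:80 GET /88112233.dat",
    "2022-05-09T10:03:00Z 10.0.0.8 -> 198.51.100.21:443 GET /index.html",
]

if __name__ == "__main__":
    eps = parse_c2(C2_RAW)
    print("campaign built:", campaign_time(CAMPAIGN))
    print("c2 ports other than 443:", nonstandard_ports(eps))
    for hit in scan(SAMPLE_LOG, eps, DROPPER_URLS):
        print(*hit)
```

The third constructed line shows why the path regex matters: the same `/<digits>.dat` shape on a host not in the report is still worth a look, since the three listed hosts rotate between campaigns while the payload naming stays stable. The non-443 ports (993, 995, 2222, 50001, 61202) are the ones an egress policy that only permits 80/443 would already block.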

Targets

    • Target

      ApplicationReject-706073812.xlsb

    • Size

      1.1MB

    • MD5

      82eefe190e22d87e535c9dc375fe039e

    • SHA1

      6b2e5804508f58cfcfa76eca249e11f025490d77

    • SHA256

      9b14898f42362545794c7400c889d19cc6df0bc8536414b5a13772185d1d2be3

    • SHA512

      14d0f9ef03435ddca7be4c23b0d83c3d61ab81cb7860a925af3d2c0aa9701cb29c06f1ff71bc0e8b8ef49667504af5d743fd24770106d3c6f4cb2f1dc12522a1

    • Process spawned unexpected child process

      A process launched a child it does not normally create. This typically means the parent was hijacked by an exploit or, as with this .xlsb, by a macro.

    • Qakbot/Qbot

      Qakbot (Qbot) is a modular banking trojan and loader with worm-like self-propagation; the version, botnet ID, campaign timestamp and C2 list extracted above are its configuration.

    • Downloads MZ/PE file

    • Loads dropped DLL
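
The behavioural signatures above as detection logic: an Office process spawning a child it should not, and a downloaded file that carries a PE header behind a non-executable extension ("Downloads MZ/PE file", "Loads dropped DLL"). This is an added example, not the sandbox's own rules; the Sysmon-style events and the minimal PE header are constructed, and regsvr32.exe being handed the .dat is an assumed scenario, since the report names no child process.

```python
"""Detection logic for the behavioural signatures in the report (added
example). Events and file bytes are constructed; the regsvr32 child is an
assumed scenario."""

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children Office is expected to spawn; tune to your estate (assumption).
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}
# Signed binaries routinely abused to execute a dropped DLL.
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
PE_EXTENSIONS = {"exe", "dll", "sys", "ocx", "scr", "cpl", "drv"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def unexpected_children(events):
    """Sysmon event-1 style dicts -> [(parent, child, severity, cmdline)]."""
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in OFFICE_PARENTS and child not in EXPECTED_CHILDREN:
            severity = "high" if child in DLL_LOADERS else "medium"
            hits.append((parent, child, severity, ev["CommandLine"]))
    return hits


def is_pe(data):
    """MZ header plus a 'PE\\0\\0' signature at e_lfanew (DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_masquerade(name, data):
    """True when a file whose extension is not an executable type is a PE."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return is_pe(data) and ext not in PE_EXTENSIONS


def minimal_pe_bytes():
    """Constructed stand-in for a downloaded payload: just the two headers."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": '"EXCEL.EXE" ApplicationReject-706073812.xlsb'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\Public\694416531.dat"},  # assumed
]

if __name__ == "__main__":
    for hit in unexpected_children(SAMPLE_EVENTS):
        print(*hit)
    print("694416531.dat is a PE:", pe_masquerade("694416531.dat", minimal_pe_bytes()))
```

The allowlist approach (flag anything Office spawns that is not on a short expected list) is what makes the signature robust: it does not depend on knowing which LOLBin the macro chose, only on the parent being a document viewer. The PE check is the same test the "Downloads MZ/PE file" signature applies to the `.dat` fetched from the dropper URLs.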

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

Modify Registry (T1112): 1

Discovery

Query Registry (T1012): 2

System Information Discovery (T1082): 2

Tasks