General

  • Target

    e7a8181725e5263bf5059a42d3b59a4de9cbef8de548287fbebdc72e97629565

  • Size

    54KB

  • Sample

    220509-pvvt2sdbb3

  • MD5

    ddf90c7e898bde0330241c624889e7b8

  • SHA1

    b708c1758efb33c90e82c5c7b8dc36689ebea81a

  • SHA256

    5597159f5b250a487e4f0eb7242dc938f6e335839131601d8ec22d34756489aa

  • SHA512

    75e394d1446821444c694725cbf3c798061718121b5b7e39be75486b040f7dcd258f5f351857fdb7807c8e7fc3e71e48abb9c46a494c5aae49dcb85050519b0a

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Extracted

Family

qakbot

Version

403.683

Botnet

obama182

Campaign

1651756499

C2

103.107.113.120:443

80.11.74.81:2222

177.102.2.175:32101

24.178.196.158:2222

91.177.173.10:995

181.208.248.227:443

176.67.56.94:443

202.134.152.2:2222

148.0.57.85:443

179.179.162.9:993

40.134.246.185:995

37.186.54.254:995

196.203.37.215:80

120.150.218.241:995

208.107.221.224:443

113.53.151.59:443

70.46.220.114:443

69.14.172.24:443

108.60.213.141:443

24.55.67.176:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

  • Language

    xlm4.0

  • Source

Targets

    • Target

      Cancellation-1228813013$-May5.xlsb

    • Size

      65KB

    • MD5

      4ed18e5cf0345e1fec51922960217b52

    • SHA1

      1dd2279ce4c569ff462884c1a283c6c9d5505dc7

    • SHA256

      8aa260005950bb9d062fa127e0f7fa615b02fafb15000cac4ff52e4aa97f1d16

    • SHA512

      df53c2ce7788cbce925014ce03c6efbb6e4354c73b9fe14615e5a3798203d18dc0f67117602472c2743e043f51993e4327334ac90fd0de185708a0c9bf3a89f3

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Downloads MZ/PE file

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                     Count  ID
Execution             Scheduled Task                1      T1053
Persistence           Scheduled Task                1      T1053
Privilege Escalation  Scheduled Task                1      T1053
Defense Evasion       Disabling Security Tools      1      T1089
Defense Evasion       Modify Registry               2      T1112
Discovery             Query Registry                2      T1012
Discovery             System Information Discovery  2      T1082

Tasks