General

  • Target

    #Qbot downloader

  • Size

    126KB

  • Sample

    210927-xqzanshgg6

  • MD5

    b4b3a2223765ac84c9b1b05dbf7c6503

  • SHA1

    57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0

  • SHA256

    3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36

  • SHA512

    52b33c60f4f3b1043915fc595aaf1684fe558d82c778a8cb078916daa565f36f12d5fe023ea7611c39f0e2c48bb241eb481b02b2160ba4e97f402c9b75cae500

Score
10/10

Malware Config

Extracted

  • Language: xlm4.0
    Source: xlm40.dropper
    URLs:
      http://190.14.37.178/44466.7946528935.dat
      http://185.183.96.67/44466.7946528935.dat
      http://185.250.148.213/44466.7946528935.dat

Extracted

  • Language: xlm4.0
    Source: xlm40.dropper
    URLs:
      http://190.14.37.178/44466.8783346065.dat
      http://185.183.96.67/44466.8783346065.dat
      http://185.250.148.213/44466.8783346065.dat

Targets

    • Target

      #Qbot downloader

    • Size

      126KB

    • MD5

      b4b3a2223765ac84c9b1b05dbf7c6503

    • SHA1

      57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0

    • SHA256

      3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36

    • SHA512

      52b33c60f4f3b1043915fc595aaf1684fe558d82c778a8cb078916daa565f36f12d5fe023ea7611c39f0e2c48bb241eb481b02b2160ba4e97f402c9b75cae500

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

      Modify Registry (T1112): 1

  • Discovery

      Query Registry (T1012): 2

      System Information Discovery (T1082): 2
