General
-
Target
update2.exe
-
Size
746KB
-
Sample
191104-athqk1tjxn
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
Task
task1
Sample
update2.exe
Resource
win7v191014
Malware Config
Extracted
qakbot
1572863946
Protocol: ftp- Host:
192.185.5.208 - Port:
21 - Username:
[email protected] - Password:
NxdkxAp4dUsY
Protocol: ftp- Host:
162.241.218.118 - Port:
21 - Username:
[email protected] - Password:
EcOV0DyGVgVN
Protocol: ftp- Host:
69.89.31.139 - Port:
21 - Username:
[email protected] - Password:
fcR7OvyLrMW6!
Protocol: ftp- Host:
169.207.67.14 - Port:
21 - Username:
[email protected] - Password:
eQyicNLzzqPN
112.171.126.153:443
67.200.146.98:2222
174.16.234.171:993
71.30.56.170:443
71.77.231.251:443
72.213.98.233:443
2.50.170.151:443
184.180.157.203:2222
96.35.170.82:2222
64.19.74.29:995
104.32.185.213:2222
104.3.91.20:995
173.22.120.11:2222
173.3.132.17:995
74.194.4.181:443
75.131.72.82:443
68.238.144.55:443
100.4.185.8:443
104.34.122.18:443
65.30.12.240:443
24.201.68.105:2087
32.208.1.239:443
168.245.228.71:443
47.153.115.154:995
24.201.68.105:2078
23.240.185.215:443
72.47.115.182:443
187.163.139.200:993
75.81.25.223:995
5.182.39.156:443
75.130.117.134:443
73.145.189.17:443
181.47.60.21:995
72.29.181.77:2083
81.147.42.195:2222
68.238.56.27:443
116.72.208.166:2222
78.94.55.26:50003
50.246.229.50:443
98.186.90.192:995
185.219.83.73:443
108.45.183.59:443
66.214.75.176:443
67.10.18.112:993
184.74.101.234:995
107.12.140.181:443
172.78.45.13:995
50.78.93.74:995
67.246.16.250:995
47.148.143.146:443
67.5.33.229:2078
47.23.101.26:993
12.5.37.3:995
24.30.71.200:443
72.29.181.77:2078
65.16.241.150:443
190.120.196.18:443
182.56.27.125:995
71.93.60.90:443
72.46.151.196:995
137.25.72.175:443
196.194.76.68:2222
76.116.128.81:443
105.246.75.20:995
197.89.140.129:995
62.0.67.88:995
190.217.1.149:443
188.52.115.139:443
47.180.66.10:443
107.12.131.249:443
75.142.59.167:443
181.94.163.26:443
98.186.155.8:443
61.98.155.61:443
47.202.98.230:443
2.50.41.185:443
217.162.149.212:443
75.110.90.155:443
166.62.180.194:2078
62.103.70.217:995
108.227.161.27:443
47.146.169.85:443
181.126.80.118:443
12.5.37.3:443
162.244.225.30:443
174.130.203.235:443
205.250.79.62:443
162.244.224.166:443
104.235.94.7:443
106.51.0.228:443
123.252.128.47:443
96.59.11.86:443
174.131.181.120:995
207.162.184.228:443
76.80.66.226:443
173.178.129.3:443
47.23.101.26:465
206.51.202.106:50002
201.152.111.120:995
75.131.72.82:995
174.48.72.160:443
75.70.218.193:443
12.176.32.146:443
68.174.15.223:443
199.126.92.231:995
173.178.129.3:990
72.16.212.107:995
200.104.249.67:443
207.179.194.91:443
75.110.250.89:443
108.160.123.244:443
50.247.230.33:443
47.214.144.253:443
99.228.242.183:995
72.142.106.198:465
73.226.220.56:443
45.37.57.119:2222
67.214.201.117:2222
173.247.186.90:443
98.148.177.77:443
111.125.70.30:2222
80.14.209.42:2222
2.177.101.143:443
67.160.63.127:443
70.185.229.3:443
184.191.62.78:443
47.155.19.205:443
88.111.255.235:2222
75.110.219.10:443
76.169.19.193:443
116.58.100.130:443
173.91.254.236:443
72.132.145.25:443
73.137.187.150:443
24.180.7.155:443
75.165.132.69:443
71.197.126.250:443
75.165.162.33:443
65.189.49.227:443
100.38.164.182:443
36.236.235.213:443
76.174.122.204:443
70.180.100.156:443
75.174.33.205:443
174.82.131.155:995
200.104.40.85:443
172.116.85.178:443
75.182.115.93:443
24.42.250.18:443
179.36.62.217:443
Targets
-
-
Target
update2.exe
-
Size
746KB
-
MD5
0bfb4a1efbb20a7291fcc022dec7d58b
-
SHA1
faec2a0afe296224f980ac059cf63f18eba800ce
-
SHA256
73ae67036a0d291c18208037010de359520cd613dda2f9eabfde3fec5558324f
-
SHA512
eae0e585ef29f56f27da897783ec582b228124437a6355cfd7b56be229558913dfd87d3005482c0fe54ba8f5e79fb1d50f869bd0e619b0ca7318ac055c62b425
-
Executes dropped EXE
-
Turns off Windows Defender SpyNet reporting
-
Loads dropped DLL
-
Adds Run entry to start application
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Modifies service
-