General
-
Target
documents (82).zip
-
Size
271KB
-
Sample
210218-6mdya9wc6n
-
MD5
d067948863f243ebcaf0402bb2fa5033
-
SHA1
bbc0eb370be4bc69894263415be9fa44b77ff2ed
-
SHA256
5c985c2e76397d46585737bd46535b63750d61def038986fa5430289f7fb7c8f
-
SHA512
a7a0545fc7538203dc009cbf1f93fbf0625e272b8841b3a5157c9966399a4a6f6b909c796697880cd4cf3ae438a2c331c71f9c77255498254f13a4628ac186e9
Malware Config
Extracted
https://spititourism.com/ds/1702.gif
Extracted
qakbot
tr
1613385567
78.63.226.32:443
197.51.82.72:443
193.248.221.184:2222
95.77.223.148:443
71.199.192.62:443
77.211.30.202:995
80.227.5.69:443
77.27.204.204:995
81.97.154.100:443
173.184.119.153:995
38.92.225.121:443
81.150.181.168:2222
90.65.236.181:2222
83.110.103.152:443
73.153.211.227:443
188.25.63.105:443
89.137.211.239:995
202.188.138.162:443
98.173.34.212:995
87.202.87.210:2222
Targets
-
-
Target
document-653100451.xls
-
Size
315KB
-
MD5
34ffbbaef6f1dc7543f0ce0479da4c37
-
SHA1
6bef991b4d85650d6dd349599e43bc777deaff1f
-
SHA256
babcb2a335500b2639c2a3b435ffc630f80290d465e0d49c09902e115bc34f4b
-
SHA512
284640e9d147d9d06c3babd95fa17e7ec7705f6eb6b04615d9291ac84b0e748f88994c273408b35f9df07d54c766adb76971f83cce6444967ee7a292983d09ca
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-