Description
This typically indicates the parent process was compromised via an exploit or macro.
document-1743692288.xls
88KB
210218-pnw1z6fjv2
fa1f35763e1c13386feca469dd16a22b
1cbfc5e62e085bba8366cc077dfc91923a8ceefd
c9def02fd0b90810e1ac5af1906e461c8c1a5534ee19b5b2ce7aac77f2943b54
31619aeebfdd1247252a9e3881c4ba5824b82558af2a814b1fe90b67b4403950f94f9ab02d968d30477031648cbf90c520b95f58f8beffa47952994a1c3b38dc
Language | xlm4.0 |
Source | |
URLs | xlm40.dropper https://miraclecollagen.co.za/ds/1802.gif |
Family | qakbot |
Botnet | tr |
Campaign | 1613385567 |
C2 |
Qbot or Qakbot is a sophisticated worm with banking capabilities.