General
Target: mpver.exe
Size: 36.5MB
Sample: 210719-rp1l7bgr7x
MD5: 07a25e7f4f3a756e64c07c07d82591a4
SHA1: ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
SHA256: 6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
SHA512: efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4
Static task: static1
Behavioral task: behavioral1 (Sample: mpver.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: mpver.exe, Resource: win10v20210410)
Malware Config
Extracted: https://www.allens-treasure-house.com/books_files/001.ps1
Extracted: qakbot
322.109
1515090054
Protocol: ftp - Host: 66.96.133.9 - Port: 21 - Username: help - Password: eT5TerAcnFe6~
Protocol: ftp - Host: 174.123.38.58 - Port: 21 - Username: log@thebrainregistry.com - Password: 4BQ1MeeRAwNZEVu
Protocol: ftp - Host: 61.221.12.26 - Port: 21 - Username: logger@ostergift.com - Password: 346HZGCMlwecz9S
Protocol: ftp - Host: 67.222.137.18 - Port: 21 - Username: logger@grupocrepusculo.net - Password: p4a8k6fE1FtA3pR
Protocol: ftp - Host: 107.6.152.61 - Port: 21 - Username: logger@trussedup.com - Password: RoP4Af0RKAAQ74V
151.202.46.113:443
108.58.129.90:995
96.85.138.153:443
108.35.21.79:443
68.83.130.163:443
75.83.30.135:443
216.201.159.118:443
76.98.128.87:443
65.73.215.139:990
50.195.161.2:995
216.187.170.2:443
74.93.207.181:993
75.97.144.106:995
73.186.100.187:443
86.27.41.234:443
96.70.92.177:465
68.173.55.51:443
165.225.38.208:443
71.190.202.120:443
117.195.250.175:443
108.49.159.2:993
47.37.99.212:995
50.44.183.216:443
108.49.159.2:990
173.72.96.50:443
65.218.249.250:443
174.70.133.56:995
70.118.18.242:443
173.72.96.50:995
96.85.138.153:6881
66.189.228.49:995
67.247.220.195:443
96.91.53.117:443
76.179.72.219:443
47.223.78.244:993
136.61.161.102:443
206.169.107.58:995
96.70.92.177:993
209.212.131.66:443
73.198.142.130:995
76.188.197.130:443
50.42.189.206:993
24.119.224.202:2222
189.155.215.219:995
108.49.159.2:995
189.155.215.219:993
173.247.186.90:2222
23.240.50.137:443
47.22.21.180:995
107.184.242.19:443
96.85.138.153:995
216.51.79.71:443
66.76.136.65:1194
100.35.65.82:995
98.102.37.174:2222
151.181.38.50:6881
70.95.129.59:443
62.113.27.30:443
38.101.195.44:443
66.222.48.40:443
73.250.49.41:443
88.238.150.110:995
85.100.134.140:995
98.191.134.121:443
104.159.220.171:443
41.40.59.182:443
97.89.112.190:443
50.198.141.161:2222
105.186.189.149:443
63.154.103.30:995
27.3.93.3:443
118.174.161.47:995
75.189.247.81:443
73.211.20.57:443
72.20.132.2:443
71.85.72.9:443
75.110.246.15:443
216.251.203.253:443
73.77.96.186:443
73.255.36.173:443
98.220.248.132:443
69.118.17.150:995
67.165.82.207:443
24.187.255.116:443
76.64.116.148:2222
70.88.214.41:443
41.142.143.68:443
76.189.128.63:443
98.196.247.150:443
24.243.42.72:443
24.45.230.32:443
12.166.108.82:995
174.81.187.84:443
98.26.2.182:443
24.14.39.10:443
173.185.75.235:995
151.202.46.113:995
174.231.135.91:443
65.33.119.17:443
172.87.188.2:443
52.119.82.82:2222
174.44.157.249:2222
96.29.42.70:443
172.75.241.225:995
50.206.74.2:443
40.138.12.210:443
66.76.136.65:443
71.28.5.188:443
64.40.70.150:443
73.183.141.219:443
24.255.118.75:443
216.228.55.13:443
216.15.14.104:443
198.57.88.73:443
73.163.155.82:443
71.12.171.133:995
73.211.72.58:443
65.92.11.213:2222
174.194.13.181:443
208.102.147.26:443
73.171.208.223:443
184.155.19.94:2222
73.210.183.3:443
173.49.95.92:443
47.223.166.146:443
24.163.66.146:443
70.57.122.178:443
70.189.67.15:443
88.224.109.128:443
12.45.162.90:2078
176.232.73.217:443
76.95.241.114:443
73.8.165.2:443
24.224.117.142:2222
98.121.199.219:443
205.201.144.27:443
71.245.117.42:32102
70.100.0.90:443
156.199.175.72:443
165.138.13.253:995
206.246.140.25:6882
75.150.236.59:443
50.76.117.233:2083
Extracted: https://www.allens-treasure-house.com/books_files/001.ps1
Targets
Target: mpver.exe
Size: 36.5MB
MD5: 07a25e7f4f3a756e64c07c07d82591a4
SHA1: ff3f1f7e82d1721fa0d28cad127bca6d799f40b8
SHA256: 6f5d3879c4a516661a93499e64d7595333fb51d6a87677de25d9b7a19b41b362
SHA512: efd1acbc61603c810b5048d5f71cfaddba3430ecf49e6a815f76b7ffa9fc48a91e1d371986199569bc15cd8051d0a67c24e8d6c6c3303ffcac0448395233b5d4
Score: 10/10
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application