General
-
Target
whatever.zip
-
Size
193KB
-
Sample
210929-npjzxsegd8
-
MD5
0fcc679ab6e866ef8a83eead78573dae
-
SHA1
fa852f5739cf764984787decec49a8962adcfd31
-
SHA256
9a163f08baa5283bf4b87e4a1d7eb2b83c5780ec7767a6af1359042138f63aaf
-
SHA512
2190391be62c593020639e2c3c479aa45d624d4117edd51ca64d0de4c000d3cf920b12d75ff96f376e5f6d0edb949e9e76b8e202f3dbb1d3d05b8563509bb5cc
Static task
static1
Behavioral task
behavioral1
Sample
recital-1267320846.xls
Resource
win7-en-20210920
Malware Config
Extracted
https://gillcart.com/Cdpmoyhr/key.xml
https://geit.in/MeOlE9Xxd/key.xml
https://mercanets.com/9DPZqAfZdq5z/key.xml
Extracted
qakbot
402.363
tr
1632817399
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
120.151.47.189:443
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
76.25.142.196:443
181.118.183.94:443
120.150.218.241:995
185.250.148.74:443
95.77.223.148:443
75.66.88.33:443
45.46.53.140:2222
173.25.166.81:443
103.148.120.144:443
173.21.10.71:2222
186.18.205.199:995
71.74.12.34:443
67.165.206.193:993
47.40.196.233:2222
68.204.7.158:443
24.229.150.54:995
109.12.111.14:443
177.130.82.197:2222
72.252.201.69:443
24.55.112.61:443
24.139.72.117:443
187.156.138.172:443
71.80.168.245:443
105.157.55.133:995
82.77.137.101:995
173.234.155.233:443
75.188.35.168:443
5.238.149.235:61202
73.77.87.137:443
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
189.210.115.207:443
181.163.96.53:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
Targets
-
-
Target
recital-1267320846.xls
-
Size
244KB
-
MD5
fa6369788a5f5490d4c506e65b82a166
-
SHA1
f12d615a708cd6e83c669e3a16c1bebbf2510718
-
SHA256
3f3f21189390158abe6d01848ce995c762f3b0e908ea27192778effb160a6014
-
SHA512
a0cf692797d8a9c232de08f15fe251380cdeb54835f5025a5605782d5a55fe4975a0d3fc2174093350b7d533a55ac2bbbea7dbf443a3389abf8c559c1e0f63e9
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL
-