General
-
Target
Complaint-818191704-10012021.zip
-
Size
87KB
-
Sample
211001-tfdz7scba6
-
MD5
24e0f258e987de04ffbb978578e4267c
-
SHA1
9ced75c05ac79689cc1ee52ee526b5187349058b
-
SHA256
bc29b497a95f0daba324ee877dca4b354b31d6179117ac1afb8f17d354358036
-
SHA512
3659f4f4243a0b0b769e38435bec1685b6761ad5eecbea185ea9e1cdbd4780977efb8327cb74ac24e08bab451738aec67e1c0c4450e3ed0a7fb5491a70e6981a
Static task
static1
Behavioral task
behavioral1
Sample
Complaint-818191704-10012021.xls
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Complaint-818191704-10012021.xls
Resource
win10v20210408
Malware Config
Extracted
http://101.99.90.18/44470.6666363426.dat
http://194.36.191.19/44470.6666363426.dat
http://45.144.29.109/44470.6666363426.dat
Extracted
qakbot
402.363
obama107
1633078880
140.82.49.12:443
41.250.143.109:995
216.201.162.158:443
86.8.177.143:443
105.198.236.99:443
124.123.42.115:2222
217.17.56.163:443
37.210.152.224:995
190.198.206.189:2222
75.89.195.186:995
78.191.44.76:995
122.11.220.212:2222
68.186.192.69:443
159.2.51.200:2222
217.17.56.163:2222
217.17.56.163:2078
41.228.22.180:443
120.151.47.189:443
47.22.148.6:443
94.200.181.154:443
81.241.252.59:2078
76.25.142.196:443
89.101.97.139:443
217.17.56.163:0
185.250.148.74:443
174.54.58.170:443
73.130.180.25:443
73.52.50.32:443
174.59.35.191:443
181.118.183.94:443
120.150.218.241:995
73.230.205.91:443
174.54.193.186:443
136.232.34.70:443
71.74.12.34:443
95.77.223.148:443
103.148.120.144:443
75.188.35.168:443
39.52.213.1:995
45.46.53.140:2222
73.151.236.31:443
173.21.10.71:2222
24.34.58.116:443
62.23.194.38:443
62.23.194.41:995
47.40.196.233:2222
67.165.206.193:993
72.252.201.69:443
173.25.166.81:443
199.27.127.129:443
68.204.7.158:443
191.191.38.8:443
109.12.111.14:443
24.139.72.117:443
24.229.150.54:995
189.210.115.207:443
174.59.226.6:443
73.130.237.36:443
81.250.153.227:2222
69.253.197.100:443
174.59.242.9:443
177.130.82.197:2222
67.214.30.12:995
24.55.112.61:443
174.59.120.69:443
47.181.84.61:443
73.130.239.166:443
103.157.122.198:995
217.165.163.21:995
77.57.204.78:443
93.8.66.216:443
73.52.114.202:443
186.18.205.199:995
38.10.202.214:443
78.191.44.76:443
96.83.180.29:443
124.123.42.115:2078
105.159.144.186:995
27.223.92.142:995
109.190.253.11:2222
217.17.56.163:465
38.10.201.211:443
92.148.59.207:2222
92.157.171.41:2222
186.87.135.68:995
80.6.192.58:443
75.66.88.33:443
187.156.138.172:443
82.77.137.101:995
173.234.155.233:443
2.178.116.91:61202
73.77.87.137:443
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
181.163.96.53:443
75.107.26.196:465
185.250.148.74:2222
Extracted
qakbot
402.363
notset
1632819510
196.217.156.63:995
120.150.218.241:995
95.77.223.148:443
185.250.148.74:443
181.118.183.94:443
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
120.151.47.189:443
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
76.25.142.196:443
75.66.88.33:443
45.46.53.140:2222
173.25.166.81:443
103.148.120.144:443
173.21.10.71:2222
186.18.205.199:995
71.74.12.34:443
67.165.206.193:993
47.40.196.233:2222
68.204.7.158:443
24.229.150.54:995
109.12.111.14:443
177.130.82.197:2222
72.252.201.69:443
24.55.112.61:443
24.139.72.117:443
187.156.138.172:443
71.80.168.245:443
82.77.137.101:995
173.234.155.233:443
75.188.35.168:443
5.238.149.235:61202
73.77.87.137:443
182.176.112.182:443
96.37.113.36:993
162.244.227.34:443
92.59.35.196:2222
196.218.227.241:995
68.207.102.78:443
2.188.27.77:443
189.210.115.207:443
181.163.96.53:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
Extracted
http://101.99.90.18/44470.7501645833.dat
http://194.36.191.19/44470.7501645833.dat
http://45.144.29.109/44470.7501645833.dat
Targets
-
-
Target
Complaint-818191704-10012021.xls
-
Size
129KB
-
MD5
4867eebf4c3f7ee6b532e703d20d5585
-
SHA1
d772036f1ca3eab516f016aa5073ffc2a65142f4
-
SHA256
67173a667baf38b78448f969bcb53892536ddc279528553cadbf0a53d1637d5d
-
SHA512
4b7ccb534a546b70f2453bf2dc456a8cc6a384cdb3f511a55bcaa933a4d2617cfcf1d0871add4d64d5037c762b805f4effafbe7395499be9266a3dc508e04662
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Drops file in System32 directory
-