General
-
Target
SquirrelWaffle_13Oct.zip
-
Size
8.9MB
-
Sample
211031-k1bwxacfaq
-
MD5
ec83f517a76991c651605295f3dcb01a
-
SHA1
6fe41b2304b595a821aeca4d00dfd7466ecf5f50
-
SHA256
9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2
-
SHA512
b4847e665d4debf75dfca30ce79229cb27cef44047804253c67c8c7134fb7e617e2a597d3cec4dc28875d142dca3aa90ff46fc84a196bcd37ba2baeb21a02ed8
Malware Config
Extracted
qakbot
402.363
notset
1632819510
196.217.156.63:995
120.150.218.241:995
95.77.223.148:443
185.250.148.74:443
181.118.183.94:443
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
120.151.47.189:443
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
76.25.142.196:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.363
tr
1633597626
120.150.218.241:995
185.250.148.74:443
89.137.52.44:443
66.103.170.104:2222
86.8.177.143:443
216.201.162.158:443
174.54.193.186:443
103.148.120.144:443
188.50.169.158:443
124.123.42.115:2222
140.82.49.12:443
199.27.127.129:443
81.241.252.59:2078
209.142.97.161:995
209.50.20.255:443
73.230.205.91:443
200.232.214.222:995
103.142.10.177:443
2.222.167.138:443
41.228.22.180:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.363
tr
1633334141
75.75.179.226:443
185.250.148.74:443
122.11.220.212:2222
120.150.218.241:995
103.148.120.144:443
140.82.49.12:443
40.131.140.155:995
206.47.134.234:2222
73.230.205.91:443
190.198.206.189:2222
103.157.122.198:995
81.250.153.227:2222
167.248.100.227:443
96.57.188.174:2078
217.17.56.163:2222
217.17.56.163:2078
41.228.22.180:443
136.232.34.70:443
68.186.192.69:443
167.248.111.245:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
squirrelwaffle
http://agora.360cyberlink.com/wpuDolwbH9c9
http://panel.betfredtakeaway.com/awJPDGElQ
http://believeinus.net/S6y8WsHm
http://onlinecourses.mirrainternationaluniversity.com/VnCSkt13PkuT
http://reward.tyrehamperpromotion.co.uk/GWJ3gHMtUdk
http://panels.betfredtakeaway.com/0PKIQI4OFxD
http://ambassade-mauritanie-rabat.net/hovwkJJaIt8
http://bitcoinup.bafflepoetry.org/uTyCcQUDkCX3
http://pwcgov-x.gq/doMZFSHYs
http://business-a.ml/lDyw7Vs3x
http://unifarma.com.br/6GREencD
http://digitalmaster.online/rgzce1W5g
http://patatec.com/OTfcXmew
http://megasoftsol.com/R26csFnDY
http://authentification.scanandrace.com/m1xwraBcBFN
http://new.actsgeneration.org/1vXSPxRR3bR
http://lagochapala.com.mx/DplUgNSqWfc
http://acdlimited.com/2u6aW9Pfe
http://jornaldasoficinas.com/ZF8GKIGVDupL
http://orldofjain.com/lMsTA7tSYpe
-
blocklist
94.46.179.80
206.189.205.251
88.242.66.45
85.75.110.214
87.104.3.136
207.244.91.171
49.230.88.160
91.149.252.75
91.149.252.88
92.211.109.152
178.0.250.168
88.69.16.230
95.223.77.160
99.234.62.23
2.206.105.223
84.222.8.201
89.183.239.142
5.146.132.101
77.7.60.154
45.41.106.122
45.74.72.13
74.58.152.123
88.87.68.197
109.70.100.25
185.67.82.114
207.102.138.19
204.101.161.14
193.128.108.251
111.7.100.17
111.7.100.16
Extracted
qakbot
402.343
tr
1632730751
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.318
obama101
1632228858
47.22.148.6:443
24.55.112.61:443
140.82.49.12:443
24.139.72.117:443
136.232.34.70:443
24.229.150.54:995
71.74.12.34:443
73.151.236.31:443
120.150.218.241:995
105.198.236.99:443
76.25.142.196:443
45.46.53.140:2222
144.139.47.206:443
96.37.113.36:993
173.21.10.71:2222
67.165.206.193:993
189.210.115.207:443
109.12.111.14:443
68.204.7.158:443
95.77.223.148:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.363
tr
1632817399
105.198.236.99:443
140.82.49.12:443
37.210.152.224:995
89.101.97.139:443
81.241.252.59:2078
27.223.92.142:995
81.250.153.227:2222
73.151.236.31:443
47.22.148.6:443
122.11.220.212:2222
120.151.47.189:443
199.27.127.129:443
216.201.162.158:443
136.232.34.70:443
76.25.142.196:443
181.118.183.94:443
120.150.218.241:995
185.250.148.74:443
95.77.223.148:443
75.66.88.33:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.363
tr
1633943125
140.82.49.12:443
89.137.52.44:443
24.107.165.50:443
66.216.193.114:443
75.131.217.182:443
41.86.42.158:995
24.119.214.7:443
67.166.233.75:443
105.198.236.99:443
120.151.47.189:443
2.222.167.138:443
41.228.22.180:443
78.105.213.151:995
5.193.125.67:995
41.86.42.158:443
96.57.188.174:2078
120.150.218.241:995
66.177.215.152:0
122.11.220.212:2222
73.52.50.32:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.318
obama102
1632302707
120.150.218.241:995
47.22.148.6:443
105.198.236.99:443
95.77.223.148:443
140.82.49.12:443
27.223.92.142:995
73.151.236.31:443
136.232.34.70:443
144.139.47.206:443
45.46.53.140:2222
76.25.142.196:443
173.21.10.71:2222
75.188.35.168:443
71.74.12.34:443
96.37.113.36:993
67.165.206.193:993
189.210.115.207:443
72.252.201.69:443
24.139.72.117:443
24.229.150.54:995
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
qakbot
402.363
tr
1633597816
120.150.218.241:995
185.250.148.74:443
89.137.52.44:443
66.103.170.104:2222
86.8.177.143:443
216.201.162.158:443
174.54.193.186:443
103.148.120.144:443
188.50.169.158:443
124.123.42.115:2222
140.82.49.12:443
199.27.127.129:443
81.241.252.59:2078
209.142.97.161:995
209.50.20.255:443
73.230.205.91:443
200.232.214.222:995
103.142.10.177:443
2.222.167.138:443
41.228.22.180:443
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Targets
-
-
Target
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39
-
Size
288KB
-
MD5
6baeb5a0cd83e3a9878dc4d6d7a5509c
-
SHA1
93e655f671e4485473f0803787097e1f6a48a64c
-
SHA256
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39
-
SHA512
dacd268b6bfad43f6c800a4c133b2e9d59477b77a93018d4c1c1cbf7086d5cdb400073bcc06a55a88fa80dd49d4e214332695ef9ed2ff6ea323c26441c8531b8
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52
-
Size
605KB
-
MD5
b166029cc6b11b16e9d29b22db5398df
-
SHA1
899238df1e045ed91034fc589e32ea9d19d0c09b
-
SHA256
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52
-
SHA512
aea6569743fc4d3d6180e93018e7a8184e4f657cc6807652840a48d9f269f534dc15072e94e27f28f40e6cedd65a0ecc4408db274b2a48854da38578ab500616
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
-
-
Target
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2
-
Size
676KB
-
MD5
dd119e4cab8169c27e5bb65f306ed792
-
SHA1
a93b6b76b8427caa20f2c041fbf50ba27d2b6aac
-
SHA256
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2
-
SHA512
74f86cab700fe211152ce8b74166156c4feebc71c9f5907fafafca531b2f47af7e9d4d52409411e488e6dd4109e4823b915ff7129d7b2f9a416dde765a3a18cb
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365
-
Size
488KB
-
MD5
8c778eded8caf98e71730b164b805e1b
-
SHA1
8f2180d092ac3b623d2372cb01eaccde0f5e402c
-
SHA256
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365
-
SHA512
666aa5d99be4efa4a3a9c9021a116d8484e05120224c463b66246bf99f0d925a37b54c8e6902b7c7d8c7929c6748cc2ca45801525346de5bcef205a6fac33b18
Score3/10 -
-
-
Target
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840
-
Size
1.0MB
-
MD5
10c150a949585ba3603cce27707331f0
-
SHA1
9eeb1747902951835245545b7b3b1e6408c708c2
-
SHA256
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840
-
SHA512
668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618
-
Size
518KB
-
MD5
c9b2167e784286fcf1835c0d9ba0eade
-
SHA1
8035bf4ada5abdffa9a7566c965b3caf897f3fed
-
SHA256
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618
-
SHA512
aef1eaadf55f3a49182588d348e985775960eec11e2240ca874cc5b502b1825ab61f29edbc72b9e8b6d9e68713325ef8c3a5a21606603e477a6bc09b7b841138
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a
-
Size
506KB
-
MD5
803768a34f7e59b8a9a2f3969624c47e
-
SHA1
09a38940ef023929897fdc9c996de0b0f39116e2
-
SHA256
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a
-
SHA512
21e4aa621360a4ec4a0c73fad494e133f2584f92d058a72772e390c7bf1e1ad3e4d0778e95b590c663fe5efed3cfbecb08d5e78e1216c1bfbef729062806722f
Score3/10 -
-
-
Target
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894
-
Size
172KB
-
MD5
2c55997f5febc79d8aec77991f178138
-
SHA1
9d6d02ba0d021b6cdbf1fb8f594ebab3214325da
-
SHA256
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894
-
SHA512
099ad760edaf05a1b180f451c48762627bfc374c8ed2e1ff8969d18787a366495b3576cf7f3724c932d52fa34897e4ee57b7824df9c11d6f6784ec310ee40820
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da
-
Size
833KB
-
MD5
97406f2cee93cdb660848c99e6d291e6
-
SHA1
17aa4ce85e931fdf383b864144a3c1b6e68f91e2
-
SHA256
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da
-
SHA512
4884d65111c7da44832d30eb0cd7bcee9aceb6de24a610eb0709960d1276ad963214b8c620b14960a43319b0d77da7af3f622a5d6f1d36f31190ac2c641be4ef
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473
-
Size
359KB
-
MD5
4f18fd01d6afd232553fbbf602b2a4e2
-
SHA1
e50a8e3bfb891dc723f5c7fc2276055102d0a097
-
SHA256
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473
-
SHA512
750493256643799b3de954298874f6df1d87bf6fd3afa259689af2ba9159374f274937490be6159650237a74778e5565e4f9d4e5e359f9e71cc1c5fd385b4dd3
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE BazaLoader Activity (GET)
suricata: ET MALWARE BazaLoader Activity (GET)
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Suspicious use of SetThreadContext
-
-
-
Target
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee
-
Size
488KB
-
MD5
7f0b9d11c95a65e9e9f87b2341bb01ad
-
SHA1
93abbf5758c39672d69502690b5e4003a47f9e72
-
SHA256
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee
-
SHA512
eb81b291a55ab91dfaef4a64661b2325c594890ebbcb71b00d5029275c1b7ec43880d85737fceba3c0de1cd20ed94ffa7a9112424c3ef25fd0e21e586a329648
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
-
-
Target
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c
-
Size
398KB
-
MD5
36e57cea07affea16fa5921d348021dc
-
SHA1
822d62e274e51516318fea9a12a0c6237d964782
-
SHA256
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c
-
SHA512
3bfd989132682eaf3a14f143a7d93e00ba3a2d35ead9cffd5aeb394e8d9040b679191094e0ab1c1393aa22cc2a20e59b9c0ca88bc661793ab2b02fdb92d90c54
Score1/10 -
-
-
Target
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b
-
Size
235KB
-
MD5
8e37795097400f6a609525749d154cd0
-
SHA1
8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0
-
SHA256
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b
-
SHA512
c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb
-
Size
439KB
-
MD5
22aef4558853a72dd07ff9513a6b9dbf
-
SHA1
52a914b43dfa44910ab649be77a57db631d038ee
-
SHA256
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb
-
SHA512
550f72f4d6186869893b2dc6536b3ce9bcb7843b0db726a1d9fb118291b1e96d642dfb57369b85ff58c41b38d6c40f6853d1da752f589aa419cb1f4d35381be4
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
Squirrelwaffle Payload
-
-
-
Target
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e
-
Size
334KB
-
MD5
84a32095bcbc0ed694f09f1dd8f2a70f
-
SHA1
23f7334db6979f04d5a2a9a846f82c526bfe6736
-
SHA256
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e
-
SHA512
e3db14700e24210d1e2f1c19fcbb1b7074d73f5cdc4cbaf737b9a92a4f3b8d9b71efaa450aac9f7f4baef1ca8463f0668a3d72b888e0d39195e4c6115de5012a
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce
-
Size
1.4MB
-
MD5
c00e0c5f7cf5ca5a1ecaf2f52cb0fe3f
-
SHA1
943f28aaad96f667c5afc9480f14f06701b6faf1
-
SHA256
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce
-
SHA512
685b3472e5a9f11fa21bc21b4c213256aaa23ed12db109ceb410f018df4e24114628ae9c6088d43e438d8f756f18dcad83797ee39562eb17c0131f1aa4133078
Score3/10 -
-
-
Target
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb
-
Size
172KB
-
MD5
f943853cddc15b59823962b28f08b809
-
SHA1
3e46675756a6f0dc722c620f3bc12610fe27c010
-
SHA256
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb
-
SHA512
1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd
-
Size
471KB
-
MD5
687550f98527483a1c49ab185a2105ea
-
SHA1
42d0db4cdc64e1fc2e57025f031f285cf0ba45a3
-
SHA256
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd
-
SHA512
2b92d4cb037c0a6dd6855819d8e44ec036bc3fac71d7c2ee537bb6dfe907888b69b97958ebaa7b102e473f76ce6d1811ce090fb1e7ab38c18d2b1c6098403fc5
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48
-
Size
316KB
-
MD5
2e81d980351ef546bde5459decd02b63
-
SHA1
2166e54daf42356b61a6c07754aa8d7a1f085109
-
SHA256
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48
-
SHA512
40c9916efd82a11e1c4afe64b0109b11de8e323c43ac43fdc21203c32d4c04c2f808e5688f281a20f8d05985cca7e6aed3db0f6ddd89241480a1f553a8da1009
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3
-
Size
1.1MB
-
MD5
2eb9fcc198e5adc902797ad4cf6b44d6
-
SHA1
4e3451336ed44af410fdd4fa91316f80fc695fb2
-
SHA256
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3
-
SHA512
2cac97e753a35a328a273f72eeec97cc143c0c245d0a59dbac8cffb06f7862ee723c54428d11366b3cabc5673751893ce85d62bdb531e6fdc32676c10c1b9104
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939
-
Size
316KB
-
MD5
5ec89ea30af2cc38ae183d12ffacbcf7
-
SHA1
bee82e104c1082442c7ff029b2781a04a3e80cd5
-
SHA256
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939
-
SHA512
7e25703e68ec87d1da4b8d5f2bfe4e1e09b6bd88bb3e662b82cda77496badd5c6c1b3685ade9c4d4a100fb43972d3356bb22c7089a4edc2e1c174aa3fbf639cf
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
suricata: ET MALWARE SQUIRRELWAFFLE Server Response
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4
-
Size
833KB
-
MD5
5f00035c9fb5b740abaee795979b82ed
-
SHA1
6c980a4d7cc1461645acd4c763a86b9c4e896707
-
SHA256
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4
-
SHA512
92f917f67ae59140909c9e6f42821c6b6396ad10e8a51b3bdfcdb86051d0967c95fe5886ae67be6cfbeef970ea8a75e6ec3f5aa56661334e6de843ed353dd46f
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360
-
Size
172KB
-
MD5
7a70755b8388c0bc73c7cdc557150dca
-
SHA1
8ed83eeadcda38d92ab079a7b8483cbdb8cc3ac1
-
SHA256
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360
-
SHA512
a9347e82c9cb77be18841badf0fccece9a860a48fa17ad3ad410120cc6bd6fa585758c9071c4627d22b8a49eee615032cc4448cfb1860be87b3ea77311e5616f
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48
-
Size
539KB
-
MD5
767d96c69b79aaee30d86f0e6de31f66
-
SHA1
491f958fe118bf0bcc5f4d33d3fc1b9933202300
-
SHA256
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48
-
SHA512
60b53ff68d2042c709ba7f6113962d2f0fd13b6fdb28ab91a57f0a0bdcf8628bd94d8f1b283ca6f74e8ecd1154bdb0b9fbbffb051dc180a8758d01b8ce5a12f5
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Loads dropped DLL
-
-
-
Target
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27
-
Size
611KB
-
MD5
650393a4720518176d8bc503cf686cf6
-
SHA1
ea2a8f0aab617f00a532a68a91ee96be427ce372
-
SHA256
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27
-
SHA512
5b889d3c5a918f8c5f971ecb3a2ff5518974250ad7ddbc536b596933fd81ba90db5cb63fc9be7d70b94257de45980ff3979d1eb9cb5ff8868d699c5bfa8f2f37
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
-
-
Target
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7
-
Size
448KB
-
MD5
879628efe6fb566fc83cb019a4d90f5d
-
SHA1
b4eb4da4ed99f50c0e02b12c23b2ea65dceed706
-
SHA256
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7
-
SHA512
4c5ec0815de1112bc633afb96f50f03bc9506246ce1e4bc6aa8c5b6690941339b16a26f33f7999ba02dc5c460f846da51b4ed2a8f041a68c4bc8991fe2cd8a1c
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
Windows security bypass
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00
-
Size
605KB
-
MD5
603a1d8b3f20334204e552072eadabd1
-
SHA1
995aa3f702a7925f18c7febef2289358f7bbf788
-
SHA256
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00
-
SHA512
1f8378f17ad8de55ec445c9301730a34b235b4b04381dc1146c2950c3475c7d7b0250ac6ac5182bf9c4efd9e3c94a85035757f61625ae34f4640aa64e8f2cdaa
Score10/10-
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
-
-
-
Target
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c
-
Size
359KB
-
MD5
b2c85051f93825721307c34cd0f0cb34
-
SHA1
ca3a01d833dafaef66c2614dc3039f9c2a376229
-
SHA256
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c
-
SHA512
490a972e0bcbb88011829e0834c2f2dc163c91d9f078755413dd88eb48580f8adb37b7fdc20264f2e642c58e07ff2f7503f47ec05c152839d31954b22e869377
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
suricata: ET MALWARE BazaLoader Activity (GET)
suricata: ET MALWARE BazaLoader Activity (GET)
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Suspicious use of SetThreadContext
-
-
-
Target
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e
-
Size
115KB
-
MD5
c20d92be3da1b2e4ac470f0b34d60b83
-
SHA1
cb17bf7e2bee12261930baa304d8f73417a283d8
-
SHA256
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e
-
SHA512
1fee9d1825fc6b71f6830f0d9451f49b993a14f0b1ec79c18beb3d897b2a390df2a69f7076ca9d97760f9495d126d803fd6991692e4eeab250fe391bd5e6e626
Score1/10 -
-
-
Target
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479
-
Size
172KB
-
MD5
6feafb5aa21e924e2a7dfc0cb87653e6
-
SHA1
eae7d011f43747b9a67b115733dc906dcbf976e7
-
SHA256
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479
-
SHA512
b21704bc4b06eed4d3468d144f90132af87af031dd9f6ad3ac771f75d9b02227eecbac79a53079955bbd9ea3a050d14a52af5829a50eaec745b7c617c16bc1a1
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815
-
Size
518KB
-
MD5
3e809308f937a1252c9d4975dd21f47f
-
SHA1
ae9e57fac6310a27e31ebc1e67d0cf6b206d455a
-
SHA256
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815
-
SHA512
d0312291cb56bdce01ba3067520bf22daa69814f7dc9812d87fb54f20a60f639d05af8cc7db9c7f10d4451386044cb941303f6c9dbc274ac08922d9bd30a0906
Score10/10-
SquirrelWaffle is a simple downloader written in C++.
SquirrelWaffle.
-
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
-
Squirrelwaffle Payload
-
Blocklisted process makes network request
-
-
-
Target
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c
-
Size
172KB
-
MD5
a3d0c939bd3ecb8d11bd06c2bd15f45e
-
SHA1
b7fcdacc3507ed2f84752068fb0039c600003536
-
SHA256
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c
-
SHA512
40a6bf12a8aedf563ae762249b8d5c44c39a1002ec581f07f1ff0f5b91dd6dfe6badadd71ae15efa608e129e5b3389390bf62d40dca9fddca2e04bd37e045f52
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-