General
-
Target
7148ec965120fe96300787711be22c07519f87f3919b3fdedf608af5badbecfb
-
Size
1.0MB
-
Sample
220508-2q17gscehn
-
MD5
890541a021169e0cfe0f218e15f37456
-
SHA1
e9f35aef6804e72e821b73feddbda18bbcdcddd0
-
SHA256
f50ff9877056f39350d45cdd947fc4c313886332d4728c32cc78ebfffb96c806
-
SHA512
eded63874049599fbb74722c3c70dccadd05084abeba47e1f79bf76816b322576b93fb82f0df3dd74c475dd144cb2115c134fd95ecc601301dee98a9e48cef9c
Static task
static1
Behavioral task
behavioral1
Sample
ApplicationReject-668351985.xlsb
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ApplicationReject-668351985.xlsb
Resource
win10v2004-20220414-en
Malware Config
Extracted
http://103.155.93.53/221301482.dat
http://87.236.146.69/221301482.dat
http://94.140.114.172/221301482.dat
Extracted
qakbot
403.573
obama180
1650959141
2.50.4.57:443
85.246.82.244:443
121.7.223.59:2222
197.161.137.67:993
38.70.253.226:2222
47.23.89.62:993
172.114.160.81:443
75.99.168.194:443
82.152.39.39:443
108.60.213.141:443
148.64.96.100:443
167.86.191.84:443
187.207.47.198:61202
103.107.113.120:443
203.122.46.130:443
106.51.48.170:50001
47.23.89.62:995
140.82.49.12:443
102.65.38.74:443
103.246.242.202:443
67.209.195.198:443
75.99.168.194:61201
89.86.33.217:443
80.11.74.81:2222
172.115.177.204:2222
31.215.184.145:2222
174.95.174.163:2222
190.252.242.69:443
32.221.224.140:995
208.107.221.224:443
173.174.216.62:443
71.13.93.154:2222
149.28.238.199:995
45.9.20.200:443
149.28.238.199:443
144.202.3.39:443
140.82.63.183:443
45.63.1.12:995
45.63.1.12:443
140.82.63.183:995
45.76.167.26:443
45.76.167.26:995
144.202.2.175:443
144.202.2.175:995
144.202.3.39:995
70.46.220.114:443
103.87.95.133:2222
187.58.79.229:993
39.44.144.64:995
79.167.206.144:995
31.215.71.174:443
85.96.46.255:443
92.132.172.197:2222
172.114.160.81:995
37.186.54.254:995
174.69.215.101:443
91.177.173.10:995
197.89.17.104:443
24.139.72.117:443
120.150.218.241:995
217.128.122.65:2222
79.129.121.68:995
31.215.184.145:1194
24.178.196.158:2222
217.164.76.203:2078
148.0.57.85:443
83.110.93.205:443
37.210.160.58:2222
86.98.208.214:2222
118.161.9.45:995
202.134.152.2:2222
104.34.212.7:32103
24.152.219.253:995
176.67.56.94:443
183.88.61.229:2222
76.25.142.196:443
175.145.235.37:443
74.14.7.71:2222
103.88.226.30:443
197.94.84.67:443
182.191.92.203:995
118.161.9.45:443
86.98.78.42:993
117.248.109.38:21
191.99.191.28:443
173.21.10.71:2222
190.74.239.37:2222
121.74.167.191:995
39.41.217.75:995
101.51.79.185:443
180.129.20.164:995
47.156.191.217:443
73.151.236.31:443
67.165.206.193:993
41.38.167.179:995
187.250.114.15:443
189.146.73.62:443
187.208.137.144:443
72.76.94.99:443
72.252.157.172:995
37.34.253.233:443
187.251.132.144:22
72.252.157.172:990
100.1.108.246:443
72.12.115.71:22
101.50.120.166:995
201.172.23.68:2222
179.99.49.37:32101
40.134.246.185:995
24.55.67.176:443
179.158.105.44:443
187.52.231.156:443
109.12.111.14:443
89.101.97.139:443
102.140.71.74:443
187.102.135.142:2222
70.51.153.227:2222
45.46.53.140:2222
31.51.7.55:2078
41.84.246.159:995
41.107.165.110:443
120.61.3.50:443
86.195.158.178:2222
84.241.8.23:32103
5.32.41.45:443
196.203.37.215:80
39.52.93.195:995
181.208.248.227:443
39.49.42.164:995
177.27.225.16:32101
87.70.74.86:443
210.246.4.69:995
89.137.52.44:443
102.182.232.3:995
187.172.250.117:443
191.112.22.196:443
78.96.235.245:443
189.27.113.73:443
41.230.62.211:993
83.79.122.192:2222
63.143.92.99:995
93.48.80.198:995
94.36.195.250:2222
111.125.245.118:995
85.104.122.231:443
109.228.220.196:443
140.0.79.30:2222
67.69.166.79:2222
116.253.204.85:2222
90.120.65.153:2078
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Extracted
http://103.155.93.53/427803004.dat
http://87.236.146.69/427803004.dat
http://94.140.114.172/427803004.dat
Targets
-
-
Target
ApplicationReject-668351985.xlsb
-
Size
1.1MB
-
MD5
9a785b87d4093c7174b22c2d2043a986
-
SHA1
9d0f56486ebbb3e4b412029d64849920d4d95bc7
-
SHA256
a34f9120bb63cf352d632da7df7edd3efc81052809b961db2e7629f18b8412e5
-
SHA512
3e752f0a41c6c9dfbfabac8ae93be0c957a744a81aa287da2fa29abdaf52c4ae75763fb37c71d3eaec23163ec6f8ccfccc2cf84033f081140730fbd0d6afa950
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Loads dropped DLL
-