General
- Target: 25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009
- Size: 830KB
- Sample: 220521-d7c9zsbhhq
- MD5: 8760a07ac17e0eb381d1d0559a713daa
- SHA1: 859de08700dc8ed97febe6f4c7bfe26076a39cbe
- SHA256: 25e4f8f33ec6b1d498b24622f833a2fb2b3a9a470e92759f31cd74d5726f5009
- SHA512: 25f76da0b99886f5157d11bef9cb30e4c0fab83f5f66dc936e7dc3a9fefc422abc1d16bbb85989b7522b397bd46c9258f76ad383adf5485dca0fd9cca86c0b0b
- Static task: static1
- Behavioral task: behavioral1
- Sample: DEBT_07854_06162020.vbs
- Resource: win7-20220414-en
Malware Config
Extracted
qakbot
324.142
spx142
1592381263
Targets
- Target: DEBT_07854_06162020.vbs
- Size: 2.6MB
- MD5: 66222018f11f64892cf65efeaade4e51
- SHA1: c9a4282e5ba84aaeb136bf47b8ae04185f32af86
- SHA256: 116905c43d121cc4e1fdaa9ef2e89bb2f83a4c89b5fb400024f94c5cb06b9b09
- SHA512: 1b1fe70395a322e8e7450e881cda37a58ff614146f1f7e66346b4e13bddad66c1a1f7b5f3f7c2aa81e6e58d1379fe9f00eb1f481250fba4af2c6015814e18980
- Turns off Windows Defender SpyNet reporting
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2