Overview
overview
10Static
static
Claim.lnk
windows7-x64
10Claim.lnk
windows10-2004-x64
10amended/concavity.cmd
windows7-x64
1amended/concavity.cmd
windows10-2004-x64
1amended/de...ze.cmd
windows7-x64
1amended/de...ze.cmd
windows10-2004-x64
1amended/unwarmed.dll
windows7-x64
10amended/unwarmed.dll
windows10-2004-x64
10General
-
Target
Claim_AF63.vhd
-
Size
2MB
-
Sample
221205-1fxwmshg72
-
MD5
ccd285444778719c21abe5f687072149
-
SHA1
29cdfe69ba447a262787d89b5778c960d7fbd07b
-
SHA256
c40963bc270afc2d94e76fc822ded2263f45f6c00f4b82459d34df5b632fa790
-
SHA512
0aae1622967ae55b9d34b1dbeca9b6dbd3a9e30973434d7a33e929b88770e882d5a28ec37f2d32a1c57a510ce69995af31682f874480edb8b5e1cc0b08ba025f
-
SSDEEP
12288:mV5p/JOIdHcY+7nQfVgWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:q/JZdptOZuHk2JajfRO8
Static task
static1
Behavioral task
behavioral1
Sample
Claim.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Claim.lnk
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
amended/concavity.cmd
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
amended/concavity.cmd
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
amended/depressurize.cmd
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
amended/depressurize.cmd
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
amended/unwarmed.dll
Resource
win7-20221111-en
Malware Config
Extracted
Family |
qakbot |
Version |
404.46 |
Botnet |
obama225 |
Campaign |
1669974461 |
C2 |
85.59.61.52:2222 66.191.69.18:995 186.64.67.9:443 174.104.184.149:443 91.165.188.74:50000 213.22.188.57:2222 173.18.126.3:443 90.89.95.158:2222 172.90.139.138:2222 78.100.230.10:995 184.153.132.82:443 41.100.146.58:443 85.152.152.46:443 75.99.125.235:2222 83.92.85.93:443 173.239.94.212:443 24.64.114.59:2222 74.66.134.24:443 98.145.23.67:443 213.67.255.57:2222 92.24.200.226:995 91.68.227.219:443 12.172.173.82:993 70.120.228.205:2083 216.196.245.102:2078 176.142.207.63:443 217.128.91.196:2222 24.228.132.224:2222 69.119.123.159:2222 201.208.139.250:2222 91.169.12.198:32100 64.121.161.102:443 87.221.197.110:2222 86.159.48.25:2222 103.141.50.117:995 41.62.182.1:443 92.186.69.229:2222 37.14.229.220:2222 123.3.240.16:995 70.160.80.210:443 176.128.178.251:443 12.172.173.82:995 94.63.65.146:443 78.163.33.44:443 74.92.243.113:50000 75.98.154.19:443 197.204.18.30:443 121.122.99.223:995 58.247.115.126:995 78.69.251.252:2222 213.91.235.146:443 76.80.180.154:995 130.43.99.103:995 93.156.103.241:443 93.24.192.142:20 41.62.220.86:995 12.172.173.82:465 92.185.204.18:2078 75.143.236.149:443 90.119.197.132:2222 80.13.179.151:2222 47.41.154.250:443 81.229.117.95:2222 92.189.214.236:2222 108.162.6.34:443 72.68.175.55:2222 84.35.26.14:995 12.172.173.82:990 188.54.99.243:995 92.239.81.124:443 92.27.86.48:2222 83.114.60.6:2222 216.196.245.102:2083 71.247.10.63:995 58.162.223.233:443 184.155.91.69:443 178.153.195.40:443 116.74.162.186:443 76.100.159.250:443 88.171.156.150:50000 156.216.253.65:995 73.161.176.218:443 70.115.104.126:995 109.159.119.169:2222 24.64.114.59:3389 87.223.89.157:443 89.129.109.27:2222 70.66.199.12:443 183.82.100.110:2222 142.161.27.232:2222 108.6.249.139:443 69.133.162.35:443 76.127.192.23:443 12.172.173.82:21 199.83.165.233:443 174.77.209.5:443 87.202.101.164:50000 90.104.22.28:2222 83.7.54.186:443 184.176.154.83:995 90.116.219.167:2222 92.207.132.174:2222 136.232.184.134:995 92.149.205.238:2222 86.225.214.138:2222 24.64.114.59:61202 198.2.51.242:993 70.51.136.94:2222 12.172.173.82:50001 75.158.15.211:443 85.61.165.153:2222 181.164.194.228:443 47.34.30.133:443 86.195.32.149:2222 41.34.106.203:993 72.200.109.104:443 196.207.146.214:443 24.206.27.39:443 172.117.139.142:995 190.18.236.175:443 |
Attributes |
salt SoNuce]ugdiB3c[doMuce2s81*uXmcvP |
Targets
-
-
Target
Claim.lnk
-
Size
1KB
-
MD5
9b3f9ba6670ca4f7462263afea03300d
-
SHA1
05a28549badf8b9d83e5a9ea7c960d5a7e5e8a83
-
SHA256
a4f4049b71130cd9104cbef4f6aeb3e9d6b10bcf53e154a5148a09e859cf0fa6
-
SHA512
1d15aa99644718ba6bfda2e4bc56f7941ff229487601ef07ce0cf03cafbf1f5e80ecb851daa9729a608070d21a82a669d83296ea1a92624f55abef60d99379fa
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
amended/concavity.cmd
-
Size
225B
-
MD5
cf605826d7a1358aa8b936a7cdc486e3
-
SHA1
5bc66d8b6ba9200873f2c1fc15513c2ec5efce93
-
SHA256
be8947e2022457ae17805d261a38cf9379b05480caf94265175672ba86099dd8
-
SHA512
d6cc6c256162be004ea67d1a67bd04ca58656746a0268a3e619d197b50adf9d4fb6f2b8f3ab91994146bc0307368273fff8ebfed5b6dac5d495711b07995c613
Score1/10 -
-
-
Target
amended/depressurize.cmd
-
Size
294B
-
MD5
4478916ab6a542ba83d159f91d65c49a
-
SHA1
acf13927bc140cc3ae0e49de3c750adb78600002
-
SHA256
36754f9a2fe5f46e64976d49b253894de757a5fc9b1d7a81daf45c450529d0ad
-
SHA512
4ac53a5fbc1114095dba189edb0312fb8f1dd98f11dcf765281e10f977434795ccec172e4091187591006e677081a7c2ef100badefd9eb9504ec07ed69ccc558
Score1/10 -
-
-
Target
amended/unwarmed.tmp
-
Size
444KB
-
MD5
278dcd5147c869e6940e6baba52bb931
-
SHA1
cc8b2111b22a72a1d7831751c64ff9b107fc545d
-
SHA256
4a6fa75896f4dca8e3ad9c5024037b10b61bd4a723819aaf0ea941f37a763411
-
SHA512
2ddd45bbd30a11ac9816aa27053d6b9151468064de3245a46a82e35884814cd1a2dd8decbef540b92b22b106572c4bbe97f92f2a1ec01a5eab592d67c306654f
-
SSDEEP
12288:BWyGWZDZNFkHkmqnfsd5Ja46fDV3+QWc2:AOZuHk2JajfRO8
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation