Overview: 10/10
Static
Analysis tasks and scores:
DS.lnk (windows7-x64): 10/10
DS.lnk (windows10-2004-x64): 10/10
bellicosity/duff.cmd (windows7-x64): 1/10
bellicosity/duff.cmd (windows10-2004-x64): 1/10
bellicosity/tzars.dll (windows7-x64): 3/10
bellicosity/tzars.dll (windows10-2004-x64): 3/10
bellicosit...er.cmd (windows7-x64): 1/10
bellicosit...er.cmd (windows10-2004-x64): 1/10

General
Target: EC56.vhd
Size: 2.0MB
Sample: 221206-r1wpmsfg56
MD5: 1ba6752028d8b55d0610548dddd1d738
SHA1: 3cfb08726615448a5207e37e9287ed530bdbc1af
SHA256: 6ae21c50f918517d704fe382bc462b32175bb71e3c98341954b0778ab187ec83
SHA512: 462b4e39f776b75d5b7ca17bc4801e4f40f77f4cae50deacbdfa571007d22a7a0ef4c78fbdeee16b8f5b530cffcb2d30f5368030c200076fa2bc0d2a54167bbf
SSDEEP: 12288:r72tSVHIPZBmBHmmHD/cJminEGEY7+wO/49T3/lSAH:r72tSVHSBmHRHr/0xH
Static task: static1
Behavioral task: behavioral1 (sample DS.lnk, resource win7-20221111-en)
Behavioral task: behavioral2 (sample DS.lnk, resource win10v2004-20220812-en)
Behavioral task: behavioral3 (sample bellicosity/duff.cmd, resource win7-20220901-en)
Behavioral task: behavioral4 (sample bellicosity/duff.cmd, resource win10v2004-20221111-en)
Behavioral task: behavioral5 (sample bellicosity/tzars.dll, resource win7-20220812-en)
Behavioral task: behavioral6 (sample bellicosity/tzars.dll, resource win10v2004-20220901-en)
Behavioral task: behavioral7 (sample bellicosity/wallower.cmd, resource win7-20221111-en)
Behavioral task: behavioral8 (sample bellicosity/wallower.cmd, resource win10v2004-20221111-en)
Malware Config
Extracted
qakbot
404.46
BB09
1670354428
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Targets

Target: DS.lnk
Size: 1KB
MD5: 158c24960fde958a773298a18014f149
SHA1: ca86d377abe8c0a0b790b2248389e13488443ceb
SHA256: c5e36defbfe344686b3268200767a16e7447ae94c4a512c5c8af4362a92842e5
SHA512: a9592db696be9ef6305e3d86288cc280d9e8a8b0984ab2d6bb3826c0e263f8025d52ffaab7d881a11a776ed64d2993e3570b9a77de08e9eda65a835f7a283a77
Checks computer location settings: looks up country code configured in the registry, likely geofence.

Target: bellicosity/duff.cmd
Size: 226B
MD5: 0892b897e57de88f8f439445cecdfe5b
SHA1: 147220bdf3da03ffeaa8a97ae0079efdf4eed42d
SHA256: 73d402ce14b57d946a13c60f0ec1f717e961348006d5e57557c40d7fba3c8ab7
SHA512: bafa8b8c7f62c2d260c572e0d4f29dcca9e6ebd4e188a3c40fba03289cdcfc005545dd17d4bff0a0ad266fd1fde7f221fbbf9d5b139766ad5c1198c30354bd16
Score: 1/10

Target: bellicosity/tzars.tmp
Size: 599KB
MD5: b0b58b26f984d1ea73672bf8020e7f2a
SHA1: c798568abd23480c4845146b31503112c87ec971
SHA256: f5ec1a93a830f536d9a01206348065412094d6572ab2d02e4d35f1b12fee5868
SHA512: 555c293296fc2d7085f4b2a18a216e8badcb450765227e3b8231aa4a75210454c15448f5ef08a0eac6ca244d24ec3353e642877f1a5ba19b290ffd6865233bc6
SSDEEP: 12288:8PZBmBHmmHD/cJminEGEY7+wO/49T3/lSAH:uBmHRHr/0xH
Score: 3/10

Target: bellicosity/wallower.cmd
Size: 289B
MD5: 4ade8c72f998844d82c5d7185d20283f
SHA1: 1746d2ffc470af8f8a3e6ddca03e9f9089629d71
SHA256: 8ef88a6c6a6d1f9d4710cee841af29b94f0abb4c0d438ff750cac637ecbb6090
SHA512: 5255dea1dd2dae5fa7daf55ff4df51e827f51c894f9df1d937ebef12dbee95d3e3db132e45b54421617f9e3e578c958119f52b78dbc061275039410a1a89ab9c
Score: 1/10