Overview (score 10/10)

Tasks (sample, platform, score):
Static: static (no score)
Cancellation#W94.iso, windows7-x64, 3/10
Cancellation#W94.iso, windows10-2004-x64, 3/10
Cancellation-W94.wsf, windows7-x64, 10/10
Cancellation-W94.wsf, windows10-2004-x64, 10/10
escapists/data.txt, windows7-x64, 1/10
escapists/data.txt, windows10-2004-x64, 1/10
escapists/header, windows7-x64, 1/10
escapists/header, windows10-2004-x64, 1/10
escapists/...ly.txt, windows7-x64, 1/10
escapists/...ly.txt, windows10-2004-x64, 1/10
escapists/...ic.txt, windows7-x64, 1/10
escapists/...ic.txt, windows10-2004-x64, 1/10
escapists/shacked.txt, windows7-x64, 1/10
escapists/shacked.txt, windows10-2004-x64, 1/10
escapists/treason.png, windows7-x64, 3/10
escapists/treason.png, windows10-2004-x64, 3/10
escapists/...ed.gif, windows7-x64, 1/10
escapists/...ed.gif, windows10-2004-x64, 1/10
escapists/...es.txt, windows7-x64, 1/10
escapists/...es.txt, windows10-2004-x64, 1/10

General
Target: Cancellation#W94.iso
Size: 102.7MB
Sample: 221227-rva6raab9t
MD5: 2bc421b028b1463a5eca13eab798c996
SHA1: 85c3d0400d4b2167b0d5c8f58371db90c795f604
SHA256: 2e1cd7881d0fc154569126eb6a50de0ae98d45dc0a68f443a71b8511ee783dae
SHA512: 7ad8de827e54b8dd24fc593bf37cdbc67a655c7a465d9354e6b95eb6276c4a84b0c7720c27e06365e41f3286c4a5eeccd83a7321c3a1fa175d9f5f923937a844
SSDEEP: 24576:E9UiBqyTIUgN/nNE2cPHHHHYwgBHp8wOHeHwwHyCcPg:E9Ui3PHHHHYwgBHp8wOHeHwwHZcPg
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: Cancellation#W94.iso, win7-20220812-en
behavioral2: Cancellation#W94.iso, win10v2004-20220812-en
behavioral3: Cancellation-W94.wsf, win7-20221111-en
behavioral4: Cancellation-W94.wsf, win10v2004-20221111-en
behavioral5: escapists/data.txt, win7-20220812-en
behavioral6: escapists/data.txt, win10v2004-20221111-en
behavioral7: escapists/header, win7-20221111-en
behavioral8: escapists/header, win10v2004-20220812-en
behavioral9: escapists/invaluably.txt, win7-20220901-en
behavioral10: escapists/invaluably.txt, win10v2004-20220812-en
behavioral11: escapists/psychophysic.txt, win7-20221111-en
behavioral12: escapists/psychophysic.txt, win10v2004-20221111-en
behavioral13: escapists/shacked.txt, win7-20220812-en
behavioral14: escapists/shacked.txt, win10v2004-20220812-en
behavioral15: escapists/treason.png, win7-20221111-en
behavioral16: escapists/treason.png, win10v2004-20220901-en
behavioral17: escapists/unapproved.gif, win7-20221111-en
behavioral18: escapists/unapproved.gif, win10v2004-20221111-en
behavioral19: escapists/whimsies.txt, win7-20220812-en
behavioral20: escapists/whimsies.txt, win10v2004-20220812-en
Malware Config
Extracted
Family: qakbot
Version: 404.62
Botnet: obama233
Campaign: 1671781480
C2:
51.199.123.42:443
213.67.255.57:2222
70.51.134.110:2222
116.74.162.173:443
206.166.209.170:2222
193.154.124.4:443
65.30.139.145:995
92.189.214.236:2222
73.29.92.128:443
188.52.183.146:995
175.139.207.179:2222
190.78.77.15:993
162.248.14.107:443
184.153.132.82:443
199.83.165.233:443
12.172.173.82:995
12.172.173.82:50001
37.15.128.31:2222
178.142.126.181:443
176.142.207.63:443
136.232.184.134:995
93.147.134.85:443
41.237.141.34:993
27.0.48.205:443
64.237.240.3:443
75.99.125.238:2222
184.68.116.146:3389
182.66.197.35:443
184.68.116.146:2222
66.191.69.18:995
27.0.62.241:995
221.161.103.6:443
76.170.252.153:995
12.172.173.82:21
76.20.42.45:443
125.20.112.94:443
72.200.109.104:443
47.34.30.133:443
75.143.236.149:443
49.175.72.56:443
69.159.156.133:2222
84.35.26.14:995
31.120.202.209:443
89.129.109.27:2222
216.160.116.140:2222
67.235.138.14:443
181.4.227.82:443
76.80.180.154:995
181.118.183.50:443
72.80.7.6:995
184.68.116.146:2078
88.126.94.4:50000
70.77.116.233:443
50.68.204.71:443
190.199.157.49:2222
108.162.6.34:443
87.65.160.87:995
73.36.196.11:443
222.35.203.59:995
12.172.173.82:465
156.217.79.168:995
79.13.202.140:443
70.115.104.126:995
77.86.98.236:443
2.82.10.152:443
181.118.206.65:995
103.141.50.151:995
190.35.44.194:443
150.107.231.59:2222
130.43.25.249:995
185.13.180.250:443
80.0.74.165:443
50.68.204.71:995
121.121.100.148:995
87.252.106.197:995
172.90.139.138:2222
172.248.42.122:443
76.100.159.250:443
24.142.218.202:443
92.8.187.85:2222
2.14.140.222:2222
69.133.162.35:443
100.16.107.117:443
213.191.164.70:443
51.211.219.211:443
70.95.236.129:443
202.187.239.67:995
12.172.173.82:993
12.172.173.82:990
85.72.107.2:2222
73.155.10.79:443
92.98.72.220:2222
86.96.75.237:2222
103.42.86.42:995
202.142.98.62:443
60.254.51.168:443
84.113.121.103:443
202.142.98.62:995
90.89.95.158:2222
90.104.22.28:2222
174.104.184.149:443
184.68.116.146:61202
24.71.120.191:443
198.2.51.242:993
50.68.204.71:993
73.161.176.218:443
59.28.84.65:443
201.244.108.183:995
71.31.101.183:443
74.33.196.114:443
46.10.198.106:443
78.101.91.215:2222
79.77.142.22:2222
12.172.173.82:22
12.172.173.82:32101
98.145.23.67:443
173.76.49.61:443
86.225.214.138:2222
173.18.126.3:443
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Targets

Target: Cancellation#W94.iso
Size: 102.7MB
MD5: 2bc421b028b1463a5eca13eab798c996
SHA1: 85c3d0400d4b2167b0d5c8f58371db90c795f604
SHA256: 2e1cd7881d0fc154569126eb6a50de0ae98d45dc0a68f443a71b8511ee783dae
SHA512: 7ad8de827e54b8dd24fc593bf37cdbc67a655c7a465d9354e6b95eb6276c4a84b0c7720c27e06365e41f3286c4a5eeccd83a7321c3a1fa175d9f5f923937a844
SSDEEP: 24576:E9UiBqyTIUgN/nNE2cPHHHHYwgBHp8wOHeHwwHyCcPg:E9Ui3PHHHHYwgBHp8wOHeHwwHZcPg
Score: 3/10

Target: Cancellation-W94.wsf
Size: 487B
MD5: 1eb424ed65c282df367169d2c95f5e64
SHA1: ec82152577fd11be15c5a658077fe169d329d883
SHA256: 86a065377605b5cd585054a42468517cb4e4b89c5d60a4beb732bb7b903dd158
SHA512: 240c7c409cdb4b33e0a7c86bc92a66a443c1ff0c2d787935b6c8ee2af72dff76dbd94aa2696324f8230fac9a5fe8883974cbc495b95da2c4e28974cda1476cad
Signatures:
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Loads dropped DLL

Target: escapists/data.txt
Size: 1KB
MD5: c50bc0e676d4a797fa15e7cef6e18ae5
SHA1: 7684609531a4f5683bda0b629f565d06b1e20f66
SHA256: 5216c0f4ba65ab5c5865ff3703192bf1ce0350a99cb8d8a552a97ba157377b45
SHA512: ff60b4dd7d18ebbd43f5118378161ffd6b4b19ae3656d305ad0991b40a26e2767318b3c95fb13f5b098c36dd07a3b8bd9919bd4d2d95febc1b88348d5eb46619
Score: 1/10

Target: escapists/header
Size: 100.0MB
MD5: 5937fb14ca678edd47fca8acbf0f12d0
SHA1: c1ff9be307e47212d858e3bd534a32e94eba0d75
SHA256: cd1f2a4b7893d1c70893ed2ba347e140d34bdcd2794097424083d9367fa5caa6
SHA512: b552f74ee4dc974b9f42feeb7a97a70c7c3bb94817478c571195d6d91156ea7d4d90a426df0fef975c91a549b19763c3a7a87c0a564a11cabc95630ebaf9ff09
SSDEEP: 3:Wttkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkw:Yu
Score: 1/10

Target: escapists/invaluably.txt
Size: 78KB
MD5: d306ed84c61a2c1165238273ce718b4e
SHA1: 84ee6d80487bf493f9fd3a5b972020ac07684e75
SHA256: e85d120eb1f356331305e657cddbdff25d2dca7e89d5a3c15bcff8a6674ba1e8
SHA512: 0532845588a67193a6187e27b67dd7cb7d4a454534a504176096a5adf8fe3a28243f701b57808bb38a8dd1c5e43e9e62283752edeb15cd3f9f7a10cd0effd275
SSDEEP: 768:sxviRxI+LbxIcMyrD3nlbUzAhnEQkLr+nxINKoxIhKxvi9oxIbohKxFqhKniifj3:sxvqTMaO8nEQk9KOxvmZfxF5n1BlpV
Score: 1/10

Target: escapists/psychophysic.txt
Size: 2.1MB
MD5: 77276574fb4672b3e42ea766478779fc
SHA1: e8ba77d2a4914710b5f8a7ad5abe830c916d2134
SHA256: 7f5a479345e7ed0efb1f137689f0b6668f0a32886a35984566fc875c5f8d32a7
SHA512: 3fcf9fa2647ec29289b27cb2d889ddb39556f7cc19c5b3962366188fb4b7fb7166404ac07bfe99c31be671f847c8e3f8dbb14f41c92cf4784dd5aaded833ed55
SSDEEP: 12288:fTqyEYU/UgNPzJ2bTXPPj8I8aigEXTJcn8NT8:7qyTIUgN/nNE28
Score: 1/10

Target: escapists/shacked.txt
Size: 212KB
MD5: 2e5fd5448d4acaa5ce095605fdb05b27
SHA1: b2c538fec0da920bb44d9e87760d76eb12860e83
SHA256: 20a0840783660eb867c10613528ef2fc8b78645c50b19cbe275a8e58f7137aa7
SHA512: ee1262dc6226c4edf7dfee5c1628bef48b925422edb2a8c443bfd3d2e0faeb6a067e40b338c0fb5c58ea9fac785c5292bd201b2856718f744ebf4d1ec5968293
SSDEEP: 6144:9TBFPO4HHHHRTqwpCOuBHpDdTSNwsc2W8HeHc3wPOsjoTKM:PZO4HHHHYwIOuBHp8wOHeHwwPOsq
Score: 1/10

Target: escapists/treason.png
Size: 24KB
MD5: dfb824248cc166b7b57209a7ea25b27e
SHA1: a2464b4f8df7396ed4d02b15ee0e934a7e542f81
SHA256: 9c3a9f924a70e79c9a8328b7b661540a819f0002bdaad19f18f3c4896a2ca613
SHA512: a795a227a2e04d8066e3359c7eb8860e00067a2c309c3b87f2ccbf9a4b39b8454b80a864bef609e4cb8f44f2ded40f5c53919d32d082b2a78ae7bc693074d090
SSDEEP: 384:XXhhKsfKI4TgkJN04AwU6dGQHRPV9X/AzetdiuhY675nalCGOS:XXusfKua9Aw3dGwh4e3bnuUS
Score: 3/10

Target: escapists/unapproved.gif
Size: 14KB
MD5: 090aed4f6643abc24889f6fa079be9ce
SHA1: 601d5e504982e991e567b7861e33bbab87ea016c
SHA256: 24a8ec9fccea3ceefa9202e78b42c81be7c358f69a07c5fe9e7718e8a6a8b515
SHA512: 5d824d90b7708b0d4c4cd6546fe755d27c10f836fa117d19584443389a1367ea64a2e932acc67ce9d97e0cf194cd8c50e798e95bcd8d4d43781f900e619cf3f3
SSDEEP: 384:lXrga0FiadvgvlA6z+lEFZgwjTIkEfIbjI:NgZcaRaAjlE/v5E+k
Score: 1/10

Target: escapists/whimsies.txt
Size: 160KB
MD5: 7ade1f8eda3e35e527f75b673286b8e9
SHA1: 1b6f9f08c8b18d7abbb4f23efc289d1981930486
SHA256: b9e2648c2a25667f3f241b8b89c250afcda4fba402207e8ead76f5efa71386df
SHA512: f202d705fa99ce9489aa3313ae77cd961d2c712c299b20d4011ba8aa822991b444b3335dbc3bc15ecad0cba7a98d6d8f06dcb654f457147ecb351904be3ad0a6
SSDEEP: 1536:0uM+lc8nHU8ZfxF6fnrPPxTvGtZtQ8kU8Z6xvFZZ8ymb87S9fxvzxFTx0MjkFd:VMyJurPPsxJ2FOMjkv
Score: 1/10