General
-
Target
Qbot.zip
-
Size
2.7MB
-
Sample
230316-s2de5abe67
-
MD5
17aef9d13b160afcb3712566829073cc
-
SHA1
a1b1b4fcc6a2537ea4b9b7e1f757e5f2b51eb3e9
-
SHA256
79f11e58225f2cbde139c3ce530297018be8e0b59bcf24681b95297884f12f04
-
SHA512
bdc2d0ca4144d38e046169193749edc06f3361b691b4b452e2fcb92884ccc258bcc52d3875df6a1a5b0208c09d7068d021aab9d91ecc52d5c976a73dd8d7f176
-
SSDEEP
49152:PIC8kLdZ/mKhCtq9TPLtOr7ilAn2EY4oUyXOz2gRbojwN4lno4Z4PUZ:PIyLz/mwCta6fbhTD7Yo2GO
Static task
static1
Behavioral task
behavioral1
Sample
5fa99dca32f66c0edd6d5f86da8be806a3217606ba0bf0ec0c559cb1f0632b69.xll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
5fa99dca32f66c0edd6d5f86da8be806a3217606ba0bf0ec0c559cb1f0632b69.xll
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
e7c5a14367c05db6df9a4804137125064a7d6699940f1544586c1d036c350598.xll
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
e7c5a14367c05db6df9a4804137125064a7d6699940f1544586c1d036c350598.xll
Resource
win10v2004-20230220-en
Behavioral task
behavioral5
Sample
2020a8611379d8236343da65155aab32ec37f597317560762625f9536c579474.xll
Resource
win7-20230220-en
Malware Config
Extracted
qakbot
404.266
obama242
1678805546
92.239.81.124:443
176.202.46.81:443
2.49.58.47:2222
86.225.214.138:2222
74.66.134.24:443
213.31.90.183:2222
12.172.173.82:50001
202.187.87.178:995
70.53.96.223:995
92.154.45.81:2222
186.64.67.54:443
81.158.112.20:2222
190.191.35.122:443
68.173.170.110:8443
12.172.173.82:993
98.145.23.67:443
12.172.173.82:22
37.186.55.60:2222
84.216.198.124:6881
73.161.176.218:443
94.30.98.134:32100
78.196.246.32:443
12.172.173.82:995
88.122.133.88:32100
173.18.126.3:443
201.244.108.183:995
24.178.201.230:2222
76.27.40.189:443
151.65.134.135:443
197.14.148.149:443
197.244.108.123:443
201.137.185.109:443
86.130.9.213:2222
190.75.139.66:2222
213.67.255.57:2222
90.104.22.28:2222
189.222.53.217:443
122.184.143.84:443
92.159.173.52:2222
70.121.198.103:2078
91.68.227.219:443
86.236.114.212:2222
80.12.88.148:2222
178.175.187.254:443
73.36.196.11:443
47.196.225.236:443
65.95.49.237:2222
12.172.173.82:2087
184.176.35.223:2222
186.48.181.17:995
2.14.105.160:2222
208.180.17.32:2222
190.218.125.145:443
109.11.175.42:2222
23.251.92.171:2222
196.70.212.80:443
75.156.125.215:995
184.189.41.80:443
31.48.18.52:443
103.12.133.134:2222
70.51.152.61:2222
47.203.229.168:443
104.35.24.154:443
190.28.116.106:443
92.154.17.149:2222
103.169.83.89:443
86.169.103.3:443
92.27.86.48:2222
92.1.170.110:995
183.87.163.165:443
85.241.180.94:443
76.170.252.153:995
92.20.204.198:2222
103.141.50.102:995
81.229.117.95:2222
50.68.204.71:995
47.34.30.133:443
173.178.151.233:443
47.16.77.194:2222
83.92.85.93:443
76.80.180.154:995
67.70.23.222:2222
24.117.237.157:443
35.143.97.145:995
87.202.101.164:50000
64.237.245.195:443
103.231.216.238:443
74.93.148.97:995
103.71.21.107:443
71.65.145.108:443
12.172.173.82:465
72.80.7.6:50003
184.153.132.82:443
86.178.33.20:2222
94.200.183.66:2222
70.55.187.152:2222
98.159.33.25:443
136.35.241.159:443
24.187.145.201:2222
72.88.245.71:443
65.94.87.200:2222
184.176.110.61:61202
49.245.82.178:2222
12.172.173.82:32101
46.10.198.134:443
84.35.26.14:995
103.252.7.231:443
187.199.103.21:32103
139.5.239.14:443
202.142.98.62:443
27.109.19.90:2078
86.190.223.11:2222
75.143.236.149:443
50.68.204.71:993
91.169.12.198:32100
88.126.94.4:50000
24.239.69.244:443
12.172.173.82:21
174.104.184.149:443
116.72.250.18:443
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Extracted
Extracted
Targets
-
-
Target
5fa99dca32f66c0edd6d5f86da8be806a3217606ba0bf0ec0c559cb1f0632b69
-
Size
589KB
-
MD5
aa6102c10a685f388d5ae16c5f146ecf
-
SHA1
b5943232258b93f8ff31846d62606ae4add162ce
-
SHA256
5fa99dca32f66c0edd6d5f86da8be806a3217606ba0bf0ec0c559cb1f0632b69
-
SHA512
c138ff44f7461c53f7d5b932a017b35bf8c13c4752ef5e5648f968070e2b510ca6607a1efa9b5696a31a2a736e3148904a32d4ea91eb34a8d47314c2fe0839bd
-
SSDEEP
6144:8cTaT6oGCNIamrNSYVnttpONtX7EmG2dOdQRG8l/dmMF7VndLmmmmmmm644tkw95:fVpSIm3OdQwgvpVndf42HXDiuJTMw4
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL
-
-
-
Target
e7c5a14367c05db6df9a4804137125064a7d6699940f1544586c1d036c350598
-
Size
2.3MB
-
MD5
548e4085cfc559640b0a935d87484cdd
-
SHA1
0cb8ffbb71e9ab9a74fa76700f6f677df9a6c967
-
SHA256
e7c5a14367c05db6df9a4804137125064a7d6699940f1544586c1d036c350598
-
SHA512
449af2fc126593d9452bf6fbd9890f15a4d24ca3c8d01405616419e8e5ffd81cc2f28c02a982dce19286ce13f6eb71ef6ce47c275a72ac1db10a7025ca1fa3ae
-
SSDEEP
49152:Wjrid3EfessB2KEAQ3PlAEIZ6QqrONloCt4nnM+DoRDPOjYvf9FB:arid028KEl39AdZ/6y+9M7RDPZB
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL
-
-
-
Target
2020a8611379d8236343da65155aab32ec37f597317560762625f9536c579474
-
Size
2.3MB
-
MD5
377f7e337efb013f05ae038a4a229d04
-
SHA1
e7e3e8b27e25de03434d62a0dc5101771f72eeda
-
SHA256
2020a8611379d8236343da65155aab32ec37f597317560762625f9536c579474
-
SHA512
9beb60575cb92e36bc6f14b720beff2ec318be35f4c31a1ec1de4e2470a85aeced6c278adda087cb10d8e0ed0538786d89f73103fe3300bc433d813e2fa94e7f
-
SSDEEP
49152:WjrNd3EfessB2KEAQ3PlAEIZ6QqrONloCt4nnM+DoRDPOjYvf9FB:arNd028KEl39AdZ/6y+9M7RDPZB
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL
-