General
-
Target
1040-14-0x0000000000400000-0x000000000052D000-memory.dmp
-
Size
1.2MB
-
MD5
2da43796fec77dd13f1b85071f85bb9a
-
SHA1
4c4a207797728000491c9089ef06b039546c92a2
-
SHA256
4376aba238a43c0d4745e71aa5f54c3600f1e6a7f8457bef4ac09a6ee3d6b8de
-
SHA512
89688eb7d23f401b66971e41cd364965fecbade952d3001750a62b87412bea05b63d19640b9ee06922d3b4115966b69f797c4ebde70697d02d71719b3b2d21de
-
SSDEEP
12288:c6yCZCzPMTA6HNWC4LINSjA/EMGU/SHoEa:VNFtWbjAsMGU/F
Malware Config
Extracted
qakbot
324.142
spx133
1591267427
49.144.84.21:443
189.159.133.162:995
173.245.152.231:443
77.237.181.212:995
207.255.161.8:2078
76.187.8.160:443
207.255.161.8:2087
98.219.77.197:443
66.222.88.126:995
207.255.161.8:32102
108.58.9.238:995
47.152.210.233:443
1.40.42.4:443
188.27.71.163:443
82.127.193.151:2222
104.50.141.139:995
67.83.54.76:2222
86.126.97.183:2222
73.94.229.115:443
47.35.182.97:443
72.29.181.77:2078
98.114.185.3:443
24.226.137.154:443
5.12.114.96:443
78.97.145.242:443
64.121.114.87:443
62.121.123.57:443
151.73.126.205:443
69.40.17.142:443
197.165.178.49:443
80.240.26.178:443
79.115.128.221:443
49.191.4.245:443
71.187.170.235:443
108.51.73.186:443
134.0.196.46:995
75.81.25.223:443
96.56.237.174:993
72.240.245.253:443
67.131.59.17:443
216.163.4.91:443
72.204.242.138:443
72.190.101.70:443
47.201.1.210:443
24.43.22.220:995
76.170.77.99:443
71.163.225.75:443
69.92.54.95:995
108.31.92.113:443
185.246.9.69:995
79.119.67.149:443
47.205.231.60:443
66.26.160.37:443
65.131.83.170:995
47.40.244.237:443
71.77.231.251:443
50.244.112.106:443
96.41.93.96:443
47.153.115.154:995
62.38.111.70:2222
72.16.212.108:465
24.46.40.189:2222
24.10.42.174:443
85.121.42.12:995
188.192.75.8:443
174.34.67.106:2222
70.174.3.241:443
65.24.76.114:443
128.234.46.27:443
100.38.123.22:443
67.5.28.72:465
96.18.240.158:443
85.186.141.62:995
207.255.18.67:443
207.255.161.8:2222
79.113.219.121:443
203.33.139.134:443
72.209.191.27:443
64.19.74.29:995
24.201.79.208:2078
98.115.138.61:443
68.174.15.223:443
75.87.161.32:995
50.244.112.10:443
173.175.29.210:443
173.22.120.11:2222
74.215.201.122:443
76.15.41.32:443
176.193.41.32:2222
50.29.181.193:995
207.255.161.8:32103
24.152.219.253:995
72.204.242.138:2078
173.187.169.73:443
24.43.22.220:443
71.88.104.107:995
89.44.195.186:2222
93.113.90.128:443
5.13.99.38:995
72.183.129.56:443
86.123.106.54:443
5.14.251.226:443
69.245.144.167:443
82.76.239.193:443
81.103.144.77:443
70.183.127.6:995
24.99.180.247:443
175.111.128.234:443
50.247.230.33:995
2.88.183.192:443
24.42.14.241:443
98.118.156.172:443
216.201.162.158:995
81.133.234.36:2222
173.172.205.216:443
184.98.104.7:995
47.146.169.85:443
108.27.217.44:443
74.56.167.31:443
80.195.103.146:2222
67.209.195.198:3389
96.37.137.42:443
108.58.9.238:993
173.79.220.156:443
98.32.60.217:443
78.96.192.26:443
79.117.161.67:21
72.28.255.159:995
207.162.184.228:443
189.140.112.184:443
105.184.48.142:443
97.93.211.17:443
47.153.115.154:443
188.192.75.8:995
142.129.227.86:443
72.69.180.183:61202
75.183.171.155:3389
140.82.21.191:443
71.185.60.227:443
137.103.143.124:443
173.49.122.160:995
96.35.170.82:2222
71.80.66.107:443
59.124.10.133:443
69.28.222.54:443
47.136.224.60:443
184.180.157.203:2222
72.177.157.217:995
104.221.4.11:2222
Signatures
-
Qakbot family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 1040-14-0x0000000000400000-0x000000000052D000-memory.dmp
Files
-
1040-14-0x0000000000400000-0x000000000052D000-memory.dmp.exe windows:5 windows x86
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Sections
.text Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 152KB - Virtual size: 151KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ