MalwareMustDie

Qakbot Report (IR) Handles + CNC to block

Jan 26th, 2016
// MalwareMustDie Qakbot /Qbot infection (request handles)
// samples:
92fcc60aa15c8eabfd5d93c2c0076e3908322c9582da2a78223ef4e3fc37ee8d
2cafaa0a30f6ff894d181d874d51e5cfc86793c5b25c239a15888d5b6e255377

// VT
https://www.virustotal.com/en/file/2cafaa0a30f6ff894d181d874d51e5cfc86793c5b25c239a15888d5b6e255377/analysis/
https://www.virustotal.com/en/file/92fcc60aa15c8eabfd5d93c2c0076e3908322c9582da2a78223ef4e3fc37ee8d/analysis/

// installation:
%AppData\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.exe (self-copy)
%AppData\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.dll (96 bytes)
%System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\Windows\\System32\\autoconv.exe > SAMPLE & del /F /Q SAMPLE
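// Added detection example (not part of the MalwareMustDie paste): the two installation behaviours listed above, the self-copy into a random 7-letter folder/file under AppData\Roaming\Microsoft and the "ping 127.0.0.1 as a sleep, then del /F /Q" self-deletion command line, written as regex checks and run over constructed sample telemetry. The pipe-delimited event format, the sample paths and the random folder name are assumptions made for the example.

```python
import re

# Constructed sample events (not from the paste), one per line, in a
# hypothetical "EventType|Value" export format such as a SIEM might produce.
SAMPLE_EVENTS = [
    "FileCreate|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\kqzmtrw\\kqzmtrw.exe",
    "FileCreate|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\kqzmtrw\\kqzmtrw.dll",
    "FileCreate|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\cached.bmp",
    "ProcessCreate|cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\\Windows\\System32\\autoconv.exe "
    "> C:\\Users\\alice\\Downloads\\invoice.exe & del /F /Q C:\\Users\\alice\\Downloads\\invoice.exe",
    "ProcessCreate|ping.exe -n 4 10.0.0.1",
]

# Install path from the paste: %AppData%\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.(exe|dll).
# IGNORECASE is used because NTFS paths are case-insensitive; the page itself
# only shows lowercase names.
INSTALL_PATH = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\[a-z]{7}\\[a-z]{7}\.(?:exe|dll)$",
    re.IGNORECASE,
)

# Self-deletion pattern from the paste: cmd.exe /c ping.exe -n <N> 127.0.0.1
# (a delay loop), then one or more commands, ending in del /F /Q <file>.
# The hop count is left as \d+ since only the delay trick matters, not "6".
PING_DELAY_SELF_DELETE = re.compile(
    r"cmd\.exe\s+/c\s+ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&.*&\s*del\s+/f\s+/q\b",
    re.IGNORECASE,
)


def is_qakbot_install_path(path: str) -> bool:
    """True if a created file matches the random 7-letter AppData drop path."""
    return INSTALL_PATH.search(path) is not None


def is_ping_delay_self_delete(cmdline: str) -> bool:
    """True if a command line uses ping-to-localhost as a sleep before del /F /Q."""
    return PING_DELAY_SELF_DELETE.search(cmdline) is not None


def scan_events(lines):
    """Return (rule_name, event_line) for every sample event that matches a rule."""
    hits = []
    for line in lines:
        kind, _, value = line.partition("|")
        if kind == "FileCreate" and is_qakbot_install_path(value):
            hits.append(("qakbot_install_path", line))
        elif kind == "ProcessCreate" and is_ping_delay_self_delete(value):
            hits.append(("ping_delay_self_delete", line))
    return hits


if __name__ == "__main__":
    for rule, event in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {event}")
```

The two checks are deliberately kept separate: the path rule alone will also fire on other droppers that use the same AppData\Roaming\Microsoft\<random> convention, and the ping-delay rule alone fires on any self-deleting installer, so correlating both on one host within a short window is the higher-confidence signal.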

// qakbot DGA

rkdxaovlaoltxnorwhtqo,com <== active
gdfqutzvshhgzheqksxj,biz <=== active
uitutnmieyxfk,org <=== NS

// qakbot A rec / cnc IP (botnet):

109.161.126.218|109-161-126-218.pppoe.yaroslavl.ru.|13118 | 109.161.124.0/22 | ASN | RU | rostelecom.ru | OJSC Rostelecom
176.105.44.140||48683 | 176.105.0.0/17 | BI-LINK | UA | 10.bilink.ua | Bilink LLC
176.110.22.247|host-176-110-22-247.la.net.ua.|41911 | 176.110.16.0/20 | LANETUA2 | UA | la.net.ua | Trk Efir Ltd.
178.167.69.30|178-167-69-30.dynvpn.flex.ru.|21453 | 178.167.64.0/19 | FLEX | RU | flex.ru | Flex Ltd.
178.206.194.207||28840 | 178.206.192.0/19 | TATTELECOM | RU | kgts.ru | Tatarstan Broad-band Access Pools
178.92.117.18|18-117-92-178.pool.ukrtel.net.|6849 | 178.92.116.0/23 | UKRTELNET | UA | ukrtelecom.ua | JSC Ukrtelecom
194.44.113.243||3255 | 194.44.113.0/24 | UARNET | UA | uar.net | State Enterprise Scientific and Telecommunication Centre Ukrainian Academic and Research Network of the Institute for Condensed Matter Physics of the National Academy of Science of Ukraine (UARNET)
212.34.99.217|212-34-99-217.domolink.elcom.ru.|34168 | 212.34.96.0/19 | ELCOM-ISP | RU | rostelecom.ru | OJSC Rostelecom
221.167.99.178||4766 | 221.160.0.0/13 | KIXS-AS | KR | kt.com | Korea Telecom
24.70.124.49|S0106bcd16565796e.ok.shawcable.net.|6327 | 24.70.0.0/15 | SHAW | CA | shawcable.net | Shaw Communications Inc.
37.229.246.30|37-229-246-30-broadband.kyivstar.net.|15895 | 37.229.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
37.49.177.38||12688 | 37.49.160.0/19 | BAIKALTRANSTELECOM | RU | ttk.ru | TTK-Baikal/BRAS in Irkutsk
46.211.60.80|46-211-60-80-ter.broadband.kyivstar.net.|15895 | 46.211.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
46.237.9.56|46-237-9-56.pppoe.yaroslavl.ru.|13118 | 46.237.0.0/20 | ASN | RU | rostelecom.ru | OJSC Rostelecom Yaroslavl Branch
79.119.40.243|79-119-40-243.rdsnet.ro.|8708 | 79.112.0.0/13 | RCS | RO | rdsnet.ro | RCS & RDS Residential
91.237.202.4||52040 | 91.237.200.0/22 | KITEJ-TELECOM | RU | kitejtelecom.ru | Kitej-Telecom LLC
94.154.225.197|ip-e1c5.d-net.kiev.ua.|48279 | 94.154.192.0/18 | DELTANETUA-NET | UA | d-net.kiev.ua | Delta-Net LLC
94.190.14.124|124.14.190.94.interra.ru.|48524 | 94.190.0.0/18 | INTERRA | RU | interra.ru | Interra Telecommunications Group Ltd.
94.41.110.86|94.41.110.86.dynamic.str.ufanet.ru.|24955 | 94.41.110.0/24 | UBN | RU | ufanet.ru | OJSC Ufanet

// DNS

;; QUESTION SECTION:
;rkdxaovlaoltxnorwhtqo.com.     IN      A

;; ANSWER SECTION:
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       37.49.177.38
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       94.154.225.197
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       212.34.99.217
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       79.119.40.243
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       94.190.14.124
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       176.105.44.140
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       194.44.113.243
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       91.237.202.4
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       46.237.9.56
rkdxaovlaoltxnorwhtqo.com. 139  IN      A       178.167.69.30

;; AUTHORITY SECTION:
rkdxaovlaoltxnorwhtqo.com. 148  IN      NS      ns3.uitutnmieyxfk.org.
rkdxaovlaoltxnorwhtqo.com. 148  IN      NS      ns1.uitutnmieyxfk.org.
rkdxaovlaoltxnorwhtqo.com. 148  IN      NS      ns4.uitutnmieyxfk.org.
rkdxaovlaoltxnorwhtqo.com. 148  IN      NS      ns2.uitutnmieyxfk.org.

;; ADDITIONAL SECTION:
ns1.uitutnmieyxfk.org.  141     IN      A       92.112.85.119
ns1.uitutnmieyxfk.org.  141     IN      A       141.101.8.164
ns1.uitutnmieyxfk.org.  141     IN      A       158.46.63.39
ns1.uitutnmieyxfk.org.  141     IN      A       178.44.170.61
ns1.uitutnmieyxfk.org.  141     IN      A       46.211.60.80
ns1.uitutnmieyxfk.org.  141     IN      A       91.236.96.123
ns2.uitutnmieyxfk.org.  137     IN      A       92.112.85.119
ns2.uitutnmieyxfk.org.  137     IN      A       141.101.8.164
ns2.uitutnmieyxfk.org.  137     IN      A       158.46.63.39
ns2.uitutnmieyxfk.org.  137     IN      A       178.44.170.61
ns2.uitutnmieyxfk.org.  137     IN      A       46.211.60.80
ns2.uitutnmieyxfk.org.  137     IN      A       91.236.96.123
ns3.uitutnmieyxfk.org.  130     IN      A       178.44.170.61
ns3.uitutnmieyxfk.org.  130     IN      A       46.211.60.80
ns3.uitutnmieyxfk.org.  130     IN      A       91.236.96.123
ns3.uitutnmieyxfk.org.  130     IN      A       92.112.85.119
ns3.uitutnmieyxfk.org.  130     IN      A       141.101.8.164
ns3.uitutnmieyxfk.org.  130     IN      A       158.46.63.39
ns4.uitutnmieyxfk.org.  134     IN      A       92.112.85.119
ns4.uitutnmieyxfk.org.  134     IN      A       141.101.8.164
ns4.uitutnmieyxfk.org.  134     IN      A       158.46.63.39
ns4.uitutnmieyxfk.org.  134     IN      A       178.44.170.61
ns4.uitutnmieyxfk.org.  134     IN      A       46.211.60.80
ns4.uitutnmieyxfk.org.  134     IN      A       91.236.96.123
;; Query time: 880 msec
;; WHEN: Wed Jan 27 13:45:11 JST 2016
;; MSG SIZE  rcvd: 687


;; QUESTION SECTION:
;gdfqutzvshhgzheqksxj.biz.      IN      A

;; ANSWER SECTION:
gdfqutzvshhgzheqksxj.biz. 140   IN      A       86.125.175.52
gdfqutzvshhgzheqksxj.biz. 140   IN      A       93.77.115.10
gdfqutzvshhgzheqksxj.biz. 140   IN      A       178.151.114.33
gdfqutzvshhgzheqksxj.biz. 140   IN      A       87.253.10.27
gdfqutzvshhgzheqksxj.biz. 140   IN      A       193.254.233.26
gdfqutzvshhgzheqksxj.biz. 140   IN      A       188.126.44.139
gdfqutzvshhgzheqksxj.biz. 140   IN      A       213.231.8.10
gdfqutzvshhgzheqksxj.biz. 140   IN      A       31.202.223.141
gdfqutzvshhgzheqksxj.biz. 140   IN      A       37.115.100.35
gdfqutzvshhgzheqksxj.biz. 140   IN      A       178.150.237.24

;; AUTHORITY SECTION:
GDFQUTZVSHHGZHEQKSXJ.biz. 131   IN      NS      ns3.uitutnmieyxfk.org.
GDFQUTZVSHHGZHEQKSXJ.biz. 131   IN      NS      ns1.uitutnmieyxfk.org.
GDFQUTZVSHHGZHEQKSXJ.biz. 131   IN      NS      ns4.uitutnmieyxfk.org.
GDFQUTZVSHHGZHEQKSXJ.biz. 131   IN      NS      ns2.uitutnmieyxfk.org.

;; ADDITIONAL SECTION:
ns1.uitutnmieyxfk.org.  129     IN      A       37.115.100.35
ns1.uitutnmieyxfk.org.  129     IN      A       78.97.194.152
ns1.uitutnmieyxfk.org.  129     IN      A       94.190.14.124
ns1.uitutnmieyxfk.org.  129     IN      A       141.101.20.204
ns1.uitutnmieyxfk.org.  129     IN      A       213.231.8.10
ns1.uitutnmieyxfk.org.  129     IN      A       37.53.253.49
ns2.uitutnmieyxfk.org.  135     IN      A       141.101.20.204
ns2.uitutnmieyxfk.org.  135     IN      A       213.231.8.10
ns2.uitutnmieyxfk.org.  135     IN      A       37.53.253.49
ns2.uitutnmieyxfk.org.  135     IN      A       37.115.100.35
ns2.uitutnmieyxfk.org.  135     IN      A       78.97.194.152
ns2.uitutnmieyxfk.org.  135     IN      A       94.190.14.124
ns3.uitutnmieyxfk.org.  142     IN      A       37.53.253.49
ns3.uitutnmieyxfk.org.  142     IN      A       37.115.100.35
ns3.uitutnmieyxfk.org.  142     IN      A       78.97.194.152
ns3.uitutnmieyxfk.org.  142     IN      A       94.190.14.124
ns3.uitutnmieyxfk.org.  142     IN      A       141.101.20.204
ns3.uitutnmieyxfk.org.  142     IN      A       213.231.8.10
ns4.uitutnmieyxfk.org.  136     IN      A       78.97.194.152
ns4.uitutnmieyxfk.org.  136     IN      A       94.190.14.124
ns4.uitutnmieyxfk.org.  136     IN      A       141.101.20.204
ns4.uitutnmieyxfk.org.  136     IN      A       213.231.8.10
ns4.uitutnmieyxfk.org.  136     IN      A       37.53.253.49
ns4.uitutnmieyxfk.org.  136     IN      A       37.115.100.35


// whois

   Domain Name: RKDXAOVLAOLTXNORWHTQO.COM
   Registrar: INTERNET DOMAIN SERVICE BS CORP
   Sponsoring Registrar IANA ID: 2487
   Whois Server: whois.internet.bs
   Referral URL: http://www.internetbs.net
   Name Server: NS1.UITUTNMIEYXFK.ORG
   Name Server: NS2.UITUTNMIEYXFK.ORG
   Name Server: NS3.UITUTNMIEYXFK.ORG
   Name Server: NS4.UITUTNMIEYXFK.ORG
   Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
   Updated Date: 20-jan-2016
   Creation Date: 20-jan-2016
   Expiration Date: 20-jan-2017
>>> Last update of whois database: Wed, 27 Jan 2016 04:47:05 GMT <<<
Domain Name: RKDXAOVLAOLTXNORWHTQO.COM
Registry Domain ID: 1995999746_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2016-01-20T19:28:07Z
Creation Date: 2016-01-20T19:21:03Z
Registrar Registration Expiration Date: 2017-01-20T19:21:03Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone: +1.5167401179
Reseller:
Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Whois Privacy Corp.
Registrant Street: Ocean Centre, Montagu Foreshore, East Bay Street
Registrant City: Nassau
Registrant State/Province: New Providence
Registrant Postal Code: 0000
Registrant Country: BS
Registrant Phone: +1.5163872248
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: rkdxaovlaoltxnorwhtqo.com-owner@customers.whoisprivacycorp.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Whois Privacy Corp.
Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
Admin City: Nassau
Admin State/Province: New Providence
Admin Postal Code: 0000
Admin Country: BS
Admin Phone: +1.5163872248
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: rkdxaovlaoltxnorwhtqo.com-admin@customers.whoisprivacycorp.com
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Whois Privacy Corp.
Tech Street: Ocean Centre, Montagu Foreshore, East Bay Street
Tech City: Nassau
Tech State/Province: New Providence
Tech Postal Code: 0000
Tech Country: BS
Tech Phone: +1.5163872248
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: rkdxaovlaoltxnorwhtqo.com-tech@customers.whoisprivacycorp.com
Name Server: ns1.uitutnmieyxfk.org
Name Server: ns2.uitutnmieyxfk.org
Name Server: ns3.uitutnmieyxfk.org
Name Server: ns4.uitutnmieyxfk.org
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-01-27T04:37:22Z <<<

Domain Name:                                 GDFQUTZVSHHGZHEQKSXJ.BIZ
Domain ID:                                   D68628366-BIZ
Sponsoring Registrar:                        INTERNET DOMAIN SERVICE BS CORP
Sponsoring Registrar IANA ID:                2487
Registrar URL (registration services):       www.internet.bs
Domain Status:                               clientTransferProhibited
Variant:                                     GDFQUTZVSHHGZHEQKSXJ.BIZ
Registrant ID:                               INTE0NGUMP9C71GQ
Registrant Name:                             Domain Admin
Registrant Organization:                     Whois Privacy Corp.
Registrant Address1:                         Ocean Centre, Montagu Foreshore
Registrant Address2:                         East Bay Street
Registrant City:                             Nassau
Registrant State/Province:                   New Providence
Registrant Postal Code:                      0000
Registrant Country:                          Bahamas
Registrant Country Code:                     BS
Registrant Phone Number:                     +1.5163872248
Registrant Email:                            gdfqutzvshhgzheqksxj.biz-owner@customers.whoisprivacycorp.com
Administrative Contact ID:                   INTEXQVZEEJQ81F6
Administrative Contact Name:                 Domain Admin
Administrative Contact Organization:         Whois Privacy Corp.
Administrative Contact Address1:             Ocean Centre, Montagu Foreshore
Administrative Contact Address2:             East Bay Street
Administrative Contact City:                 Nassau
Administrative Contact State/Province:       New Providence
Administrative Contact Postal Code:          0000
Administrative Contact Country:              Bahamas
Administrative Contact Country Code:         BS
Administrative Contact Phone Number:         +1.5163872248
Administrative Contact Email:                gdfqutzvshhgzheqksxj.biz-admin@customers.whoisprivacycorp.com
Billing Contact ID:                          INTEBZNFN9H5LVRV
Billing Contact Name:                        Domain Admin
Billing Contact Organization:                Whois Privacy Corp.
Billing Contact Address1:                    Ocean Centre, Montagu Foreshore
Billing Contact Address2:                    East Bay Street
Billing Contact City:                        Nassau
Billing Contact State/Province:              New Providence
Billing Contact Postal Code:                 0000
Billing Contact Country:                     Bahamas
Billing Contact Country Code:                BS
Billing Contact Phone Number:                +1.5163872248
Billing Contact Email:                       gdfqutzvshhgzheqksxj.biz-bill@customers.whoisprivacycorp.com
Technical Contact ID:                        INTEQTCUBE3IRNVA
Technical Contact Name:                      Domain Admin
Technical Contact Organization:              Whois Privacy Corp.
Technical Contact Address1:                  Ocean Centre, Montagu Foreshore
Technical Contact Address2:                  East Bay Street
Technical Contact City:                      Nassau
Technical Contact State/Province:            New Providence
Technical Contact Postal Code:               0000
Technical Contact Country:                   Bahamas
Technical Contact Country Code:              BS
Technical Contact Phone Number:              +1.5163872248
Technical Contact Email:                     gdfqutzvshhgzheqksxj.biz-tech@customers.whoisprivacycorp.com
Name Server:                                 NS1.UITUTNMIEYXFK.ORG
Name Server:                                 NS2.UITUTNMIEYXFK.ORG
Name Server:                                 NS3.UITUTNMIEYXFK.ORG
Name Server:                                 NS4.UITUTNMIEYXFK.ORG
Created by Registrar:                        INTERNET DOMAIN SERVICE BS CORP
Last Updated by Registrar:                   INTERNET DOMAIN SERVICE BS CORP
Domain Registration Date:                    Wed Jan 20 19:21:01 GMT 2016
Domain Expiration Date:                      Thu Jan 19 23:59:59 GMT 2017
Domain Last Updated Date:                    Wed Jan 20 19:27:28 GMT 2016
DNSSEC:                                      false

>>>> Whois database was last updated on: Wed Jan 27 04:48:41 GMT 2016 <<<<

// ioc: https://otx.alienvault.com/pulse/56a852ac67db8c6aaee0192a/

#MalwareMustDie