2018-03-05 Quantloader -> Ammyy RAT IOCs

SENDER (SPOOFED):
accounts@%domain%.com

ORIGINATING IP:
37.186.140.201
185.6.113.194

SUBJECT(S):
Receipt No 6276610
[] Receipt No 557082096

DATE:
Mon, 05 Mar 2018 14:19:05 +0200

ATTACHMENT(S):
109f06034ad1e309829e5758e87b7bde (Receipt 6276610.zip)
93fb3c6de030ca1518bada43ae15cb0a (Receipt 557082096.zip)

ARCHIVE CONTENT:
181ee5dd2538926fec579b15bd6ed1c9 (I62345074320.url)

SHORTCUT CONTENT:
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,9
[InternetShortcut]
IDList=
URL=file://buyviagraoverthecounterusabb[.]net/documents/I62345074320.js
HotKey=0
IconIndex=3
IconFile=C:\Windows\System32\shell32.dll

BUYVIAGRAOVERTHECOUNTERUSABB.NET RESOLUTION:
91.102.153.90

JS DELIVERED:
6de7f9c587cbc52aa05548396c34f083  (I62345074320.js)

HTTP TRAFFIC:
hxxp://intra.cfecgcaquitaine[.]com/kjdhc783
hxxp://wassronledorhad[.]in/q2/index.php?id=
hxxp://wassronledorhad[.]in/q2/index.php?id=
hxxp://balzantruck[.]com/45rt.exe

DNS TRAFFIC:
wassronledorhad[.]in (49.51.228.205)
intra.cfecgcaquitaine[.]com (94.247.178.77)
balzantruck[.]com (69.156.240.29)

DROPS QUANTLOADER:
4394536e9a53b94a2634c68043e76ef8 (kjdhc783 / dwm.exe)
f950fbd4755624d5f73b9f5b0b2d568d (kjdhc783 / dwm.exe)

MODIFIES WINDOWS FW CONFIG:
netsh advfirewall firewall add rule name="Quant" program="c:\users\user1\appdata\roaming\74212434\dwm.exe" dir=Out action=allow

QUANTLOADER DOWNLOADS AMMYY RAT:
hxxp://balzantruck[.]com/45rt.exe
6c6d772704abf4426c5d7e5a52c847d7 (45rt.exe )

PERSISTENCE MECHANISM:
dwm.exe
->
regini.exe regini C:\Users\user1\AppData\Local\Temp\per

PER CONTENT:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

QUANTLOADER C2:
hxxp://wassronledorhad[.]in/q2/index.php

AMMYY C2:
179.60.146.3

REF:
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat