API tools faq
paste
ExecuteMalware

2020-07-16 QNodeService IOCs

ExecuteMalware
Jul 16th, 2020
2,517
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.09 KB | None | 0 0
raw download clone embed print report
  1. THREAT ATTRIBUTION: QNODESERVICE
  2.  
  3. SUBJECTS OBSERVED
  4. Overdue Invoice
  5.  
  6. SENDERS OBSERVED
  7. Account Receivable <resosa@kamometour[.]co[.]jp>
  8.  
  9. EMAIL BODY
  10. Hi,
  11.  
  12. Please find attached our overdue invoice for payment.
  13.  
  14. Should you have any queries do not hesitate to contact me.
  15.  
  16. Kind Regards,
  17.  
  18. Accounts Receiveable
  19. ________________________________
  20. Confidentiality Notice: This e-mail transmission may contain confidential or legally privileged information intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or reliance upon the contents of this e-mail is strictly prohibited. If you have received this e-mail transmission in error, please delete the message from your inbox. Thank you.
  21. ________________________________
  22. Please note that the content of this e-mail is intended only for the confidential use of the person(s) to whom it is addressed above. If the reader of this e-mail is not the person to whom it is addressed, you are hereby notified that you have received this communication in error and that reading it, copying it, or in any way disseminating its content to any other person, is strictly prohibited. If you have received this e-mail in error, please notify the author by using the reply key immediately.
  23.  
  24. HTML FILE HASH
  25. Legal_Proceeding_concerning_Overdue_invoices_pdf.html
  26. d3c1118c1661513b5687a850ced4e690
  27.  
  28. JAR FILE HASH
  29. Legal_Proceeding_concerning_Overdue_invoices_pdf.jar
  30. 9ea1bfe46a31e9d5a3f6f1908787b06c
  31.  
  32. JAVASCRIPT FILE HASH
  33. wizard[.]js
  34. 87bbeb86ed0193965f361f9799febb16
  35.  
  36. CMD FILE HASH
  37. qnodejs-962b69d8[.]cmd
  38. b009cf56f71a0922ef6d6f11439bf614
  39.  
  40. ADDITIONAL IOCs
  41. user:1168@qhub-subscription[.]store[.]qua[.]one
  42.  
  43. QNODESERVICE PAYLOAD URL
  44. hxxps://legalproceedings[.]uc[.]r[.]appspot[.]com/Legal_Proceeding_concerning_Overdue_invoices_pdf[.]jar
  45.  
  46. QNODESERVICE C2
  47. environment[.]spdns[.]org:443
  48. environment[.]theworkpc[.]com:443
  49.  
  50. SUPPORTING EVIDENCE
  51. https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!