- // MalwareMustDie Qakbot/Qbot infection (request handles)
- // samples:
- 92fcc60aa15c8eabfd5d93c2c0076e3908322c9582da2a78223ef4e3fc37ee8d
- 2cafaa0a30f6ff894d181d874d51e5cfc86793c5b25c239a15888d5b6e255377
- // VT
- https://www.virustotal.com/en/file/2cafaa0a30f6ff894d181d874d51e5cfc86793c5b25c239a15888d5b6e255377/analysis/
- https://www.virustotal.com/en/file/92fcc60aa15c8eabfd5d93c2c0076e3908322c9582da2a78223ef4e3fc37ee8d/analysis/
- // installation:
- %AppData\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.exe (self-copy)
- %AppData\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.dll (96 bytes)
- %System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\Windows\\System32\\autoconv.exe > SAMPLE & del /F /Q SAMPLE
- // qakbot DGA
- rkdxaovlaoltxnorwhtqo,com <== active
- gdfqutzvshhgzheqksxj,biz <== active
- uitutnmieyxfk,org <== NS
- // qakbot A rec / cnc IP (botnet):
- // DNS
- // whois
- // ioc: https://otx.alienvault.com/pulse/56a852ac67db8c6aaee0192a/
- #MalwareMustDie
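Added detection example for the installation artifacts listed under "// installation:" above (self-copy into %AppData%\Roaming\Microsoft\[a-z]{7}\[a-z]{7}.exe with a .dll beside it, and the cmd.exe ping/type/del self-delete chain). This is not MalwareMustDie's code; the file paths and the benign command line are constructed, and the only cmd.exe line is the one quoted from the paste.

```python
import re

# Added detection example (not MalwareMustDie's code) for the two installation
# artifacts listed in the paste. Sample values are constructed, except the cmd.exe
# line, which is quoted from the paste.
# Self-copy: %AppData%\Roaming\Microsoft\<7 letters>\<7 letters>.exe plus a .dll beside it.
# Fixed segments match case-insensitively; the random names are then checked for
# lowercase, since the paste gives them as [a-z]{7}.
INSTALL_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\([a-z]{7})\\([a-z]{7})\.(exe|dll)$", re.IGNORECASE
)
# Self-delete chain: ping to loopback as a sleep, then "type X > SAMPLE" and
# "del /F /Q SAMPLE" on the same scratch name (tied together by backreference \3).
SELF_DELETE_RE = re.compile(
    r"cmd(\.exe)?\s+/c\s+ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&\s*"
    r"type\s+.+?>\s*(\S+)\s*&\s*del\s+/F\s+/Q\s+\3(\s|$)",
    re.IGNORECASE,
)

def install_path_match(path):
    """Return (dir, name, ext) for a path matching the self-copy pattern, else None."""
    m = INSTALL_PATH_RE.search(path)
    if not m:
        return None
    d, f, ext = m.groups()
    return (d, f, ext.lower()) if d.islower() and f.islower() else None

def is_self_delete_cmdline(cmdline):
    """True if a process command line matches the ping/type/del self-delete chain."""
    return SELF_DELETE_RE.search(cmdline) is not None

def scan(file_paths, cmdlines):
    """Return (kind, evidence) hits over file paths and process command lines."""
    hits = [("install", p) for p in file_paths if install_path_match(p)]
    hits += [("selfdel", c) for c in cmdlines if is_self_delete_cmdline(c)]
    return hits

SAMPLE_PATHS = [  # constructed
    r"C:\Users\alice\AppData\Roaming\Microsoft\qwertyu\asdfghj.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\qwertyu\asdfghj.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\Credent.exe",  # mixed case: no hit
    r"C:\Users\alice\AppData\Roaming\Microsoft\short\short.exe",  # 5 letters: no hit
]
SAMPLE_CMDLINES = [
    # quoted from the paste, doubled backslashes as written there
    r"%System32\cmd.exe /c ping.exe -n 6 127.0.0.1 & type C:\Windows\\System32\\autoconv.exe > SAMPLE & del /F /Q SAMPLE",
    r"ping -n 1 127.0.0.1",  # constructed benign line
]

for kind, evidence in scan(SAMPLE_PATHS, SAMPLE_CMDLINES):
    print(kind, evidence)
```

The two regexes are written for file-creation and process-creation telemetry (Sysmon event IDs 11 and 1 or equivalent); the lowercase check keeps legitimate mixed-case vendor folders under Roaming\Microsoft from firing.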