malware_traffic

2020-05-06 (Wednesday) - Qakbot (Qbot) spx114 info

May 6th, 2020
2020-05-06 (WEDNESDAY) - QAKBOT (QBOT) SPX114 INFO:

EXAMPLES OF URLS FOR THE INITIAL ZIP ARCHIVE:

- hxxp://bukatrip[.]id/iorndshiun/EmploymentVerification_50338766_05052020.zip
- hxxp://bukatrip[.]id/iorndshiun/EmploymentVerification_8793_05052020.zip
- hxxp://bukatrip[.]id/iorndshiun/EmploymentVerification_93625_05052020.zip
- hxxp://cleversoft[.]vn/dplbtdsv/71636087/EmploymentVerification_71636087_05052020.zip
- hxxp://cleversoft[.]vn/dplbtdsv/7825/EmploymentVerification_7825_05052020.zip
- hxxp://cmecobrancas[.]com/wp-content/uploads/2020/05/kxsjxok/929459/EmploymentVerification_929459_05052020.zip
- hxxp://desighiza[.]com/wp-content/plugins/apikey/xrlhwudjg/854319/EmploymentVerification_854319_05052020.zip
- hxxp://dienmayminhan[.]com/iyhomh/89202970/EmploymentVerification_89202970_05052020.zip
- hxxp://dienmayminhan[.]com/iyhomh/EmploymentVerification_2817182_05052020.zip
- hxxp://famitaa[.]com/vsijmfio/13627971/EmploymentVerification_13627971_05052020.zip
- hxxp://gamebazaar[.]club/vxpfxrresyf/EmploymentVerification_167910_05052020.zip
- hxxp://genstaff[.]gov[.]kg/seqacbxy/EmploymentVerification_2084312_05052020.zip
- hxxp://gundemdekihaber[.]com/wp-content/uploads/2020/05/dxgupkiuvyht/33423050/EmploymentVerification_33423050_05052020.zip
- hxxp://hevizapartments[.]net/wp-content/plugins/apikey/rcaphcwriz/1126/EmploymentVerification_1126_05052020.zip
- hxxp://hevizapartments[.]net/wp-content/plugins/apikey/rcaphcwriz/EmploymentVerification_41601806_05052020.zip
- hxxp://hevizapartments[.]net/wp-content/plugins/apikey/rcaphcwriz/EmploymentVerification_58032421_05052020.zip
- hxxp://hevizapartments[.]net/wp-content/plugins/apikey/rcaphcwriz/EmploymentVerification_720370_05052020.zip
- hxxp://hevizapartments[.]net/wp-content/plugins/apikey/rcaphcwriz/EmploymentVerification_7320635_05052020.zip
- hxxp://himmelsbygardshotell[.]se/xgzajbeanow/EmploymentVerification_13576_05052020.zip
- hxxp://himmelsbygardshotell[.]se/xgzajbeanow/EmploymentVerification_46405582_05052020.zip
- hxxp://hotel[.]my[.]id/hzcxydevppho/EmploymentVerification_3573558_05052020.zip
- hxxp://ilya-popov[.]ru/wp-content/uploads/2020/05/iqcvmbdj/EmploymentVerification_02252_05052020.zip
- hxxp://ilya-popov[.]ru/wp-content/uploads/2020/05/iqcvmbdj/EmploymentVerification_303549_05052020.zip
- hxxp://ilya-popov[.]ru/wp-content/uploads/2020/05/iqcvmbdj/EmploymentVerification_54000889_05052020.zip
- hxxp://ilya-popov[.]ru/wp-content/uploads/2020/05/iqcvmbdj/EmploymentVerification_766753_05052020.zip
- hxxp://infogue[.]id/bznunvrfrue/EmploymentVerification_31024_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/2618/EmploymentVerification_2618_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/34780/EmploymentVerification_34780_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/41477270/EmploymentVerification_41477270_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/EmploymentVerification_23896314_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/EmploymentVerification_268631_05052020.zip
- hxxp://maliban[.]ir/gtjpdy/EmploymentVerification_73588_05052020.zip
- hxxp://maynenkhivinhphat[.]com/oyzrdcue/3120184/EmploymentVerification_3120184_05052020.zip
- hxxp://maynenkhivinhphat[.]com/oyzrdcue/5922585/EmploymentVerification_5922585_05052020.zip
- hxxp://maynenkhivinhphat[.]com/oyzrdcue/EmploymentVerification_26191956_05052020.zip
- hxxp://mudita[.]vn/arsmjdgyacy/1950/EmploymentVerification_1950_05052020.zip
- hxxp://mudita[.]vn/arsmjdgyacy/EmploymentVerification_53486_05052020.zip
- hxxp://myrotiplace[.]com/ckvnkl/434334/EmploymentVerification_434334_05052020.zip
- hxxp://myrotiplace[.]com/ckvnkl/6769120/EmploymentVerification_6769120_05052020.zip
- hxxp://myrotiplace[.]com/ckvnkl/EmploymentVerification_42297_05052020.zip
- hxxp://olofi[.]k2fwebsolutions[.]com/eelgjefunp/2699433/EmploymentVerification_2699433_05052020.zip
- hxxp://olofi[.]k2fwebsolutions[.]com/eelgjefunp/6832/EmploymentVerification_6832_05052020.zip
- hxxp://olofi[.]k2fwebsolutions[.]com/eelgjefunp/EmploymentVerification_4218_05052020.zip
- hxxp://paperbrick[.]peachtest[.]com/tqoddpmjm/2445/EmploymentVerification_2445_05052020.zip
- hxxp://paperbrick[.]peachtest[.]com/tqoddpmjm/9305290/EmploymentVerification_9305290_05052020.zip
- hxxp://paperbrick[.]peachtest[.]com/tqoddpmjm/EmploymentVerification_46486767_05052020.zip
- hxxp://peachtest[.]com/wkonksvuyxrr/2952/EmploymentVerification_2952_05052020.zip
- hxxp://peachtest[.]com/wkonksvuyxrr/EmploymentVerification_97696470_05052020.zip
- hxxp://pokids[.]vn/etvrastgnk/19064/EmploymentVerification_19064_05052020.zip
- hxxp://pokids[.]vn/etvrastgnk/EmploymentVerification_04908907_05052020.zip
- hxxp://rosdal[.]abouttobeawesome[.]com/wp-content/uploads/2020/05/xnmeul/0817935/EmploymentVerification_0817935_05052020.zip
- hxxp://rosdal[.]abouttobeawesome[.]com/wp-content/uploads/2020/05/xnmeul/98482/EmploymentVerification_98482_05052020.zip
- hxxp://rosdal[.]abouttobeawesome[.]com/wp-content/uploads/2020/05/xnmeul/EmploymentVerification_361027_05052020.zip
- hxxp://rosdal[.]abouttobeawesome[.]com/wp-content/uploads/2020/05/xnmeul/EmploymentVerification_7966228_05052020.zip
- hxxp://rosdal[.]abouttobeawesome[.]com/wp-content/uploads/2020/05/xnmeul/EmploymentVerification_9348_05052020.zip
- hxxp://sakersaker[.]sakeronline[.]se/jbvbvmqcn/5101/EmploymentVerification_5101_05052020.zip
- hxxp://sakersaker[.]sakeronline[.]se/jbvbvmqcn/882525/EmploymentVerification_882525_05052020.zip
- hxxp://sakersaker[.]sakeronline[.]se/jbvbvmqcn/903661/EmploymentVerification_903661_05052020.zip
- hxxp://sakersaker[.]sakeronline[.]se/jbvbvmqcn/7801769/EmploymentVerification_7801769_05052020.zip
- hxxp://sakersaker[.]sakeronline[.]se/jbvbvmqcn/EmploymentVerification_6484124_05052020.zip
- hxxp://samanyavigyan[.]com/wp-content/uploads/2020/05/qchtv/26814313/EmploymentVerification_26814313_05052020.zip
- hxxp://samanyavigyan[.]com/wp-content/uploads/2020/05/qchtv/EmploymentVerification_07320859_05052020.zip
- hxxp://samanyavigyan[.]com/wp-content/uploads/2020/05/qchtv/EmploymentVerification_618889_05052020.zip
- hxxp://schielerelocationservices[.]com/xplesfkzi/EmploymentVerification_15887414_05052020.zip
- hxxp://schielerelocationservices[.]com/xplesfkzi/EmploymentVerification_4440866_05052020.zip
- hxxp://sheconomy[.]in/wp-content/uploads/2020/05/zfomndrr/0788520/EmploymentVerification_0788520_05052020.zip
- hxxp://sheconomy[.]in/wp-content/uploads/2020/05/zfomndrr/EmploymentVerification_03764_05052020.zip
- hxxp://sitephilip[.]k2fwebsolutions[.]com/czkmtgkfua/05092/EmploymentVerification_05092_05052020.zip
- hxxp://socialhelp[.]ir/wp-content/uploads/2020/05/saptzonrskv/56963715/EmploymentVerification_56963715_05052020.zip
- hxxp://socialhelp[.]ir/wp-content/uploads/2020/05/saptzonrskv/8365519/EmploymentVerification_8365519_05052020.zip
- hxxp://socialhelp[.]ir/wp-content/uploads/2020/05/saptzonrskv/9881915/EmploymentVerification_9881915_05052020.zip
- hxxp://test[.]presta-com[.]ru/wp-content/uploads/2020/05/wktjtemiy/297241/employmentverification_297241_05052020.zip
- hxxp://test[.]presta-com[.]ru/wp-content/uploads/2020/05/wktjtemiy/37860/EmploymentVerification_37860_05052020.zip
- hxxp://tripstory[.]id/ghdmb/56378/EmploymentVerification_56378_05052020.zip
- hxxp://tripstory[.]id/ghdmb/8117713/EmploymentVerification_8117713_05052020.zip
- hxxp://utv[.]sakeronline[.]se/hzepew/83423/EmploymentVerification_83423_05052020.zip
- hxxp://utv[.]sakeronline[.]se/hzepew/9257/EmploymentVerification_9257_05052020.zip
- hxxp://utv[.]sakeronline[.]se/hzepew/EmploymentVerification_57364_05052020.zip
- hxxp://www[.]bergamote[.]org/wp-content/uploads/2020/05/uwmolhhjxwwq/EmploymentVerification_53536_05052020.zip
- hxxp://www[.]gundemdekihaber[.]com/wp-content/uploads/2020/05/dxgupkiuvyht/84862/EmploymentVerification_84862_05052020.zip
- hxxp://www[.]theabigailbloomcakecompany[.]co[.]uk/wp-content/uploads/2020/05/tlclp/30344/EmploymentVerification_30344_05052020.zip
- hxxp://www[.]theabigailbloomcakecompany[.]co[.]uk/wp-content/uploads/2020/05/tlclp/EmploymentVerification_5062988_05052020.zip
- hxxps://classmedical[.]uk/gokhboprd/EmploymentVerification_0555_05052020.zip
- hxxps://classmedical[.]uk/gokhboprd/1715544/EmploymentVerification_1715544_05052020.zip
- hxxps://classmedical[.]uk/wp-content/uploads/2020/05/ruclklrhse/5566/EmploymentVerification_5566_05052020.zip
- hxxps://classmedical[.]uk/wp-content/uploads/2020/05/ruclklrhse/EmploymentVerification_6112_05052020.zip
- hxxps://classmedical[.]uk/wp-content/uploads/2020/05/ruclklrhse/EmploymentVerification_7568738_05052020.zip
- hxxps://desighiza[.]com/wp-content/plugins/apikey/xrlhwudjg/983801/EmploymentVerification_983801_05052020.zip
- hxxps://evergreenpainters[.]in/wp-content/plugins/apikey/ohoarwt/16573744/EmploymentVerification_16573744_05052020.zip
- hxxps://gamebazaar[.]club/vxpfxrresyf/706433/EmploymentVerification_706433_05052020.zip
- hxxps://gamebazaar[.]club/vxpfxrresyf/EmploymentVerification_167910_05052020.zip
- hxxps://paperbrick[.]peachtest[.]com/tqoddpmjm/EmploymentVerification_46486767_05052020.zip
- hxxps://www[.]sreebalajiprints[.]com/wp-content/uploads/2020/05/uveiec/1262581/EmploymentVerification_1262581_05052020.zip
- hxxps://www[.]sreebalajiprints[.]com/wp-content/uploads/2020/05/uveiec/86260336/EmploymentVerification_86260336_05052020.zip
- hxxps://www[.]sreebalajiprints[.]com/wp-content/uploads/2020/05/uveiec/9866/EmploymentVerification_9866_05052020.zip
- hxxps://www[.]sreebalajiprints[.]com/wp-content/uploads/2020/05/uveiec/EmploymentVerification_071328_05052020.zip
- hxxps://www[.]sreebalajiprints[.]com/wp-content/uploads/2020/05/uveiec/EmploymentVerification_31086391_05052020.zip
  102.  
URLS FOR THE INITIAL QAKBOT EXE FILE:

- NOTE: These were first noted by @lazyactivist192 on Twitter and posted at https://pastebin.com/iU5VQgfM (see the link for more info)
- hxxp://alhussain[.]pk/ioxix/88888.png?uid=[base64 string]
- hxxp://beta[.]enerbras[.]com[.]br/muvolifvmg/88888.png?uid=[base64 string]
- hxxp://blog[.]saigon247[.]vn/wp-content/uploads/2020/05/axtcud/88888.png?uid=[base64 string]
- hxxp://it[.]shopforever[.]pk/ewbaleo/88888.png?uid=[base64 string]
- hxxp://limonauto[.]com[.]ua/gdjcigc/88888.png?uid=[base64 string]

- NOTE: This is related to the spx114 wave, and it was entered in URLhaus by @notwhickey at https://urlhaus.abuse.ch/url/358949/
- hxxp://akademikomunitas[.]id/tlmmor/88888.png

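The two URL lists above share a structure that is more useful for hunting than the individual hosts: the ZIP stage is always EmploymentVerification_<id>_05052020.zip, sometimes under a directory named after the same <id> (often inside a compromised WordPress wp-content path), and the EXE stage is always a file named 88888.png under a random directory, usually with a uid= query string carrying a base64 value. The following is an added example, not part of the original paste, that refangs the hxxp://host[.]tld form used here, classifies URLs by those two patterns, and runs the classifier over a few constructed proxy log lines; the log format, the base64 uid value and the non-matching example.test entries are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Stage-1 filename pattern from the ZIP URL list; case-insensitive because one
# listed URL uses a lowercase filename.
ZIP_NAME_RE = re.compile(r"^employmentverification_(\d+)_05052020\.zip$", re.IGNORECASE)
# Stage-2 filename from the EXE URL list.
PNG_NAME = "88888.png"
# Loose base64 alphabet check for the uid= value (padding optional).
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Assumed proxy log layout: <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def refang(url: str) -> str:
    """Turn a defanged hxxp://host[.]tld URL (as written in the paste) into a real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def classify_url(url: str):
    """Return a verdict dict for one URL, or None if it matches neither spx114 stage."""
    u = urlparse(refang(url))
    parts = u.path.split("/")
    name = parts[-1]
    parent = parts[-2] if len(parts) >= 2 else ""
    m = ZIP_NAME_RE.match(name)
    if m:
        return {
            "stage": "zip",
            "host": u.hostname,
            "id": m.group(1),
            # True when the numeric parent directory repeats the filename id,
            # as in .../dplbtdsv/7825/EmploymentVerification_7825_05052020.zip
            "dir_matches_id": parent == m.group(1),
        }
    if name.lower() == PNG_NAME:
        uid = parse_qs(u.query).get("uid", [None])[0]
        return {
            "stage": "exe",
            "host": u.hostname,
            "uid_present": uid is not None,
            "uid_is_base64": bool(uid) and B64_RE.match(uid) is not None,
        }
    return None


def scan_log(text: str):
    """Run classify_url over each log line; return the matching verdicts with source IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_url(m.group("url"))
        if verdict:
            verdict.update(src=m.group("src"), status=int(m.group("status")))
            hits.append(verdict)
    return hits


def hosts_from_urls(urls):
    """Deduplicated hostnames from a list of (possibly defanged) URLs, for a proxy/DNS block rule."""
    return sorted({urlparse(refang(u)).hostname for u in urls})


# Constructed sample log (not real traffic). Hosts and paths in the first four
# lines mirror entries in the lists above; the uid value and example.test lines
# are invented for the example.
SAMPLE_LOG = """\
2020-05-06T13:01:22Z 10.0.0.15 GET http://cleversoft.vn/dplbtdsv/7825/EmploymentVerification_7825_05052020.zip 200
2020-05-06T13:01:40Z 10.0.0.15 GET http://bukatrip.id/iorndshiun/EmploymentVerification_50338766_05052020.zip 200
2020-05-06T13:02:10Z 10.0.0.15 GET http://alhussain.pk/ioxix/88888.png?uid=Y29uc3RydWN0ZWQ= 200
2020-05-06T13:02:31Z 10.0.0.40 GET http://akademikomunitas.id/tlmmor/88888.png 200
2020-05-06T13:03:00Z 10.0.0.22 GET http://example.test/wp-content/uploads/2020/05/report.zip 200
2020-05-06T13:03:15Z 10.0.0.22 GET http://example.test/images/logo.png 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The filename and 88888.png checks are stricter than a plain host blocklist (hosts_from_urls) because the compromised sites rotate while the file naming stayed fixed across this wave; a hit on the zip stage followed shortly by a png?uid= request from the same client is the sequence worth alerting on.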
SHA256 HASHES FOR EXAMPLES OF DOWNLOADED ZIP ARCHIVES:

- 09ddf9bbedba685a03b497d4c08f89bbdf322a6a1610707360f6240387287196 EmploymentVerification_2084312_05052020.zip
- 92022322d0e1a7b66690b7af7ced5a97f9733d5ed393f8874c81728fd9c314ab EmploymentVerification_46405582_05052020.zip
- 2ea2d21a512f19fda00c23151ee8f2ea082c3eae8ef9f1b986a2faad3e9f71e5 EmploymentVerification_5517337_05052020.zip
- 5d10fa838bf9ef1a993bab0f45e82127de02dbb7d40eb419b861bfa033bb7294 EmploymentVerification_84862_05052020.zip

- NOTE: The above zip archives have been submitted to VirusTotal and Any.Run:

-- https://app.any.run/tasks/2e706945-3f4a-4280-aea4-fa9c05a09935
-- https://app.any.run/tasks/d3233564-d2db-46e6-8baf-1cd6d114f29e
-- https://app.any.run/tasks/debf3bc2-463c-4e1a-88f4-144ae7b3536a
-- https://app.any.run/tasks/6a0e22bc-d8b6-4dac-862b-e4edb205bc32

SHA256 HASHES FOR EXAMPLES OF EXTRACTED VBS FILES:

- 7f4f96f85ab67d8774826fd6b44cd3a1de4681471a9375ebe3ba50dcec405e49 EmploymentVerification_153080080_05052020.vbs
- eae777e15de3e21fd736db95eb718f0249325f148f5d0ad607ea455ccae3291c EmploymentVerification_164058459_05052020.vbs
- 45981fd923767142df8fe8b0974cc94e2c328d0b01459217a17bba915357ad7a EmploymentVerification_167975332_05052020.vbs
- d9956e9970e36cb7783b6574197ac25121a5b7db6385805b657f5e2bc4253b0c EmploymentVerification_279591068_05052020.vbs

SHA256 HASHES FOR EXAMPLES OF INITIAL QAKBOT EXE RETRIEVED BY THE VBS FILES:

- 49f8420986b541a0a6a1178f17627e1296cdea1159302a874b9d571c821c3668 PicturesViewer.exe
- 9477b92c6270b1fe98f53d12fa99280c4b7f078eb8c2691adf3387c8e351b48d PicturesViewer.exe
- f51f0d16811fcec281c57895d839e2c4a7b52ee4957221c23e8781200c3f7c33 PicturesViewer.exe
- ff5e672eb9e4eac7bed059b524a891853b5fb9a9d58f60d6f827bc59400b651c PicturesViewer.exe

- NOTE: The above EXE files have been submitted to VirusTotal and Any.Run:

-- https://app.any.run/tasks/d843ad6c-f9d1-4099-9310-72f7d867d549
-- https://app.any.run/tasks/d116bd6e-f8ef-4872-956f-0919e1550ca4
-- https://app.any.run/tasks/5293ae91-3f5a-439b-bf2a-59d62f1f71ed
-- https://app.any.run/tasks/e61b60f7-8d26-49ed-9af4-e4425bbb95bc