#qbot_131222

1. #IOC #OptiData #VR #qakbot #qbot
2.  
3. https://pastebin.com/gR1iwSGn
4.  
5. previous_contact:
6. 25/08/20 https://pastebin.com/2EgQnFjW
7.  
8. FAQ:
9. https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
10. https://research.splunk.com/stories/qakbot/
11.  
12. attack_vector
13. --------------
14. email > SCAN_WE2280.html > attachment.zip [pwd] > SCAN_WE2280.img > SCAN_WE2280.LNK > cmd.exe /c YouNewRules\NewIssues.cmd > load NewInvoice.patch [DLL] > wermgr.exe > C2
15.  
16.  
17. # # # # # # # #
18. email_headers
19. # # # # # # # #
20. Received: from unknown (HELO omta033.useast.a.cloudfilter.net) ([44.202.169.32])
21. Received: from eig-obgw-5010a.ext.cloudfilter.net ([10.0.29.199])
22. Received: from gator2021.hostgator.com ([50.87.144.41]) by cmsmtp
23. Received: from [24.53.62.209] (port=37501 helo=localhost) by gator2021.hostgator.com
24. From: <[email protected]>
25. Subject: Re: журнали
26. Date: Tue, 13 Dec 2022 00:15:44 +0300
27. MIME-Version: 1.0
28. X-Mailer: Microsoft Outlook 16.0
29. X-Email-Count: 106
30.  
31. # # # # # # # #
32. files
33. # # # # # # # #
34.  
35. SHA-256 c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4
36. File name SCAN_WE2280.html [MITRE ATT&CK T1027.006]
37. File size 1.38 MB (1442011 bytes)
38.  
39. SHA-256 fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0
40. File name files.zip [ZIP, password = 057305]
41. File size 425.95 KB (436176 bytes)
42.  
43. SHA-256 bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420
44. File name SCAN_WE2280.img [ISO 9660]
45. File size 1.01 MB (1058816 bytes)
46.  
47. SHA-256 b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca
48. File name SCAN_WE2280.lnk [MS Windows shortcut]
49. File size 2.57 KB (2635 bytes)
50.  
51. SHA-256 ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2
52. File name Updates.txt [UTF-8 Unicode English text]
53. File size 233.68 KB (239286 bytes)
54.  
55. SHA-256 6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352
56. File name NewIssues.cmd [ASCII text]
57. File size
58.  
59. SHA-256 9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5
60. File name NewInvoice.patch [ Win32 DLL ] - obfuscated
61. File size 733.00 KB (750592 bytes)
62.  
63. SHA-256 dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae
64. File name NewInvoice.patch [ Win32 DLL ] - deobfuscated
65. File size 4.00 KB (4096 bytes)
66.  
67.  
68. # # # # # # # #
69. activity
70. # # # # # # # #
71.  
72. PL_SCR email_attach
73.  
74.  
75. C2 94.105.123.53:443
76.  
77. other (extracted by Hatching Triage)
78.  
79. version: 404.46
80. botnet: azd
81. campaign: 1670585059
82.  
83. 173.239.94.212:443
84. 91.169.12.198:32100
85. 74.66.134.24:443
86. 66.191.69.18:995
87. 182.75.189.42:995
88. 78.69.251.252:2222
89. 98.145.23.67:443
90. 103.71.21.107:443
91. 197.94.219.133:443
92. 91.68.227.219:443
93. 12.172.173.82:993
94. 86.176.83.127:2222
95. 64.121.161.102:443
96. 41.98.21.114:443
97. 92.154.17.149:2222
98. 151.65.67.211:443
99. 89.129.109.27:2222
100. 76.11.14.249:443
101. 69.119.123.159:2222
102. 70.66.199.12:443
103. 12.172.173.82:990
104. 183.82.100.110:2222
105. 83.114.60.6:2222
106. 92.189.214.236:2222
107. 70.115.104.126:995
108. 190.18.236.175:443
109. 121.122.99.223:995
110. 72.53.103.56:443
111. 91.165.188.74:50000
112. 12.172.173.82:995
113. 156.220.229.249:993
114. 86.96.75.237:2222
115. 85.152.152.46:443
116. 181.118.183.44:443
117. 76.80.180.154:995
118. 81.248.77.37:2222
119. 90.66.229.185:2222
120. 86.130.9.250:2222
121. 172.117.139.142:995
122. 12.172.173.82:465
123. 75.143.236.149:443
124. 81.229.117.95:2222
125. 81.111.108.123:443
126. 50.68.204.71:995
127. 124.122.55.68:443
128. 139.5.239.14:443
129. 37.56.111.49:995
130. 46.10.198.106:443
131. 85.61.165.153:2222
132. 90.104.22.28:2222
133. 88.126.94.4:50000
134. 90.89.95.158:2222
135. 83.213.201.104:993
136. 73.223.248.31:443
137. 47.41.154.250:443
138. 2.99.47.198:2222
139. 190.199.169.127:993
140. 83.92.85.93:443
141. 184.68.116.146:2222
142. 73.161.176.218:443
143. 150.107.231.59:2222
144. 98.178.242.28:443
145. 213.67.255.57:2222
146. 174.104.184.149:443
147. 108.6.249.139:443
148. 84.35.26.14:995
149. 149.126.159.106:443
150. 184.68.116.146:3389
151. 37.14.229.220:2222
152. 24.206.27.39:443
153. 199.83.165.233:443
154. 84.215.202.22:443
155. 71.247.10.63:995
156. 50.68.204.71:443
157. 86.169.19.140:2222
158. 76.20.42.45:443
159. 70.55.120.16:2222
160. 69.133.162.35:443
161. 12.172.173.82:21
162. 72.200.109.104:443
163. 50.68.204.71:993
164. 2.83.12.243:443
165. 184.176.154.83:995
166. 176.177.136.35:443
167. 92.207.132.174:2222
168. 174.77.209.5:443
169. 142.161.27.232:2222
170. 86.159.48.25:2222
171. 100.6.8.7:443
172. 184.153.132.82:443
173. 27.109.19.90:2078
174. 94.105.123.53:443
175. 198.2.51.242:993
176. 70.120.228.205:443
177. 75.158.15.211:443
178. 181.164.194.223:443
179. 184.68.116.146:61202
180. 184.68.116.146:2078
181. 86.225.214.138:2222
182. 78.213.14.206:443
183. 176.142.207.63:443
184. 73.36.196.11:443
185. 197.26.142.159:443
186. 176.151.15.101:443
187. 87.65.160.87:995
188. 92.24.200.226:995
189. 87.221.197.110:2222
190. 77.86.98.236:443
191. 162.248.14.107:443
192. 84.113.121.103:443
193. 137.186.193.226:3389
194. 92.8.190.211:2222
195. 201.208.139.250:2222
196. 12.172.173.82:22
197. 75.98.154.19:443
198. 24.142.218.202:443
199. 70.77.116.233:443
200. 24.228.132.224:2222
201. 92.145.203.167:2222
202.  
203.  
204.  
205. netwrk
206. --------------
207. 94.105.123.53 443 TLSv1.2 Client Hello
208. or (second run)
209. 92.154.17.149 2222 TCP 49824 → 2222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
210.  
211.  
212. comp
213. --------------
214. wermgr.exe 3964 TCP 94.105.123.53 443 ESTABLISHED
215. or (second run)
216. wermgr.exe 4243 TCP 92.154.17.149 2222 ESTABLISHED
217.  
218.  
219. proc
220. --------------
221. C:\Windows\System32\cmd.exe /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
222. C:\Windows\system32\rundll32.exe /s newinvoice.patch,DrawThemeIcon
223. C:\Windows\SysWOW64\rundll32.exe rundll32 /s newinvoice.patch,DrawThemeIcon
224. C:\Windows\SysWOW64\wermgr.exe
225. C:\Windows\SysWOW64\net.exe view
226. C:\Windows\SysWOW64\cmd.exe /c set
227. C:\Windows\SysWOW64\arp.exe -a
228. C:\Windows\SysWOW64\ipconfig.exe /all
229. C:\Windows\SysWOW64\nslookup.exe -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
230. C:\Windows\SysWOW64\net.exe share
231. C:\Windows\SysWOW64\net1.exe share
232. C:\Windows\SysWOW64\route.exe print
233. C:\Windows\SysWOW64\netstat.exe -nao
234. C:\Windows\SysWOW64\net.exe localgroup
235. C:\Windows\SysWOW64\net1.exe localgroup
236. C:\Windows\SysWOW64\whoami.exe /all
237. C:\Windows\system32\msiexec.exe /V
238.  
239.  
240. persist
241. --------------
242. n/a
243.  
244.  
245. drop
246. --------------
247. n/a
248.  
249. # # # # # # # #
250. VT & Intezer
251. # # # # # # # #
252. https://www.virustotal.com/gui/file/c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4/details
253. https://www.virustotal.com/gui/file/fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0/details
254. https://www.virustotal.com/gui/file/bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420/details
255. https://www.virustotal.com/gui/file/b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca/details
256. https://www.virustotal.com/gui/file/ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2/details
257. https://www.virustotal.com/gui/file/6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352/details
258. https://www.virustotal.com/gui/file/9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5/details
259. https://analyze.intezer.com/analyses/be508a5c-6581-4ff6-8f2d-5e6e15db339e
260. https://www.virustotal.com/gui/file/dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae/details
261. https://analyze.intezer.com/analyses/e624e456-0bbc-44c6-87f5-fbbecf6fd567
262.  
263. VR