VRad

#qbot_131222

Dec 13th, 2022 (edited)
  1. #IOC #OptiData #VR #qakbot #qbot
  2.  
  3. https://pastebin.com/gR1iwSGn
  4.  
  5. previous_contact:
  6. 25/08/20 https://pastebin.com/2EgQnFjW
  7.  
  8. FAQ:
  9. https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
  10. https://research.splunk.com/stories/qakbot/
  11.  
  12. attack_vector
  13. --------------
  14. email > SCAN_WE2280.html > attachment.zip [pwd] > SCAN_WE2280.img > SCAN_WE2280.LNK > cmd.exe /c YouNewRules\NewIssues.cmd > load NewInvoice.patch [DLL] > wermgr.exe > C2
  15.  
  16.  
  17. # # # # # # # #
  18. email_headers
  19. # # # # # # # #
  20. Received: from unknown (HELO omta033.useast.a.cloudfilter.net) ([44.202.169.32])
  21. Received: from eig-obgw-5010a.ext.cloudfilter.net ([10.0.29.199])
  22. Received: from gator2021.hostgator.com ([50.87.144.41]) by cmsmtp
  23. Received: from [24.53.62.209] (port=37501 helo=localhost) by gator2021.hostgator.com
  24. From: <bigmomma@michaelp.net>
  25. Subject: Re: журнали
  26. Date: Tue, 13 Dec 2022 00:15:44 +0300
  27. MIME-Version: 1.0
  28. X-Mailer: Microsoft Outlook 16.0
  29. X-Email-Count: 106
  30.  
  31. # # # # # # # #
  32. files
  33. # # # # # # # #
  34.  
  35. SHA-256 c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4
  36. File name SCAN_WE2280.html [MITRE ATT&CK T1027.006]
  37. File size 1.38 MB (1442011 bytes)
  38.  
  39. SHA-256 fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0
  40. File name files.zip [ZIP, password = 057305]
  41. File size 425.95 KB (436176 bytes)
  42.  
  43. SHA-256 bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420
  44. File name SCAN_WE2280.img [ISO 9660]
  45. File size 1.01 MB (1058816 bytes)
  46.  
  47. SHA-256 b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca
  48. File name SCAN_WE2280.lnk [MS Windows shortcut]
  49. File size 2.57 KB (2635 bytes)
  50.  
  51. SHA-256 ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2
  52. File name Updates.txt [UTF-8 Unicode English text]
  53. File size 233.68 KB (239286 bytes)
  54.  
  55. SHA-256 6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352
  56. File name NewIssues.cmd [ASCII text]
  57. File size
  58.  
  59. SHA-256 9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5
  60. File name NewInvoice.patch [ Win32 DLL ] - obfuscated
  61. File size 733.00 KB (750592 bytes)
  62.  
  63. SHA-256 dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae
  64. File name NewInvoice.patch [ Win32 DLL ] - deobfuscated
  65. File size 4.00 KB (4096 bytes)
  66.  
  67.  
  68. # # # # # # # #
  69. activity
  70. # # # # # # # #
  71.  
  72. PL_SCR email_attach
  73.  
  74.  
  75. C2 94.105.123.53:443
  76.  
  78. other C2 addresses (from the bot config extracted by Hatching Triage)
  78.  
  79. version: 404.46
  80. botnet: azd
  81. campaign: 1670585059
  82.  
  83. 173.239.94.212:443
  84. 91.169.12.198:32100
  85. 74.66.134.24:443
  86. 66.191.69.18:995
  87. 182.75.189.42:995
  88. 78.69.251.252:2222
  89. 98.145.23.67:443
  90. 103.71.21.107:443
  91. 197.94.219.133:443
  92. 91.68.227.219:443
  93. 12.172.173.82:993
  94. 86.176.83.127:2222
  95. 64.121.161.102:443
  96. 41.98.21.114:443
  97. 92.154.17.149:2222
  98. 151.65.67.211:443
  99. 89.129.109.27:2222
  100. 76.11.14.249:443
  101. 69.119.123.159:2222
  102. 70.66.199.12:443
  103. 12.172.173.82:990
  104. 183.82.100.110:2222
  105. 83.114.60.6:2222
  106. 92.189.214.236:2222
  107. 70.115.104.126:995
  108. 190.18.236.175:443
  109. 121.122.99.223:995
  110. 72.53.103.56:443
  111. 91.165.188.74:50000
  112. 12.172.173.82:995
  113. 156.220.229.249:993
  114. 86.96.75.237:2222
  115. 85.152.152.46:443
  116. 181.118.183.44:443
  117. 76.80.180.154:995
  118. 81.248.77.37:2222
  119. 90.66.229.185:2222
  120. 86.130.9.250:2222
  121. 172.117.139.142:995
  122. 12.172.173.82:465
  123. 75.143.236.149:443
  124. 81.229.117.95:2222
  125. 81.111.108.123:443
  126. 50.68.204.71:995
  127. 124.122.55.68:443
  128. 139.5.239.14:443
  129. 37.56.111.49:995
  130. 46.10.198.106:443
  131. 85.61.165.153:2222
  132. 90.104.22.28:2222
  133. 88.126.94.4:50000
  134. 90.89.95.158:2222
  135. 83.213.201.104:993
  136. 73.223.248.31:443
  137. 47.41.154.250:443
  138. 2.99.47.198:2222
  139. 190.199.169.127:993
  140. 83.92.85.93:443
  141. 184.68.116.146:2222
  142. 73.161.176.218:443
  143. 150.107.231.59:2222
  144. 98.178.242.28:443
  145. 213.67.255.57:2222
  146. 174.104.184.149:443
  147. 108.6.249.139:443
  148. 84.35.26.14:995
  149. 149.126.159.106:443
  150. 184.68.116.146:3389
  151. 37.14.229.220:2222
  152. 24.206.27.39:443
  153. 199.83.165.233:443
  154. 84.215.202.22:443
  155. 71.247.10.63:995
  156. 50.68.204.71:443
  157. 86.169.19.140:2222
  158. 76.20.42.45:443
  159. 70.55.120.16:2222
  160. 69.133.162.35:443
  161. 12.172.173.82:21
  162. 72.200.109.104:443
  163. 50.68.204.71:993
  164. 2.83.12.243:443
  165. 184.176.154.83:995
  166. 176.177.136.35:443
  167. 92.207.132.174:2222
  168. 174.77.209.5:443
  169. 142.161.27.232:2222
  170. 86.159.48.25:2222
  171. 100.6.8.7:443
  172. 184.153.132.82:443
  173. 27.109.19.90:2078
  174. 94.105.123.53:443
  175. 198.2.51.242:993
  176. 70.120.228.205:443
  177. 75.158.15.211:443
  178. 181.164.194.223:443
  179. 184.68.116.146:61202
  180. 184.68.116.146:2078
  181. 86.225.214.138:2222
  182. 78.213.14.206:443
  183. 176.142.207.63:443
  184. 73.36.196.11:443
  185. 197.26.142.159:443
  186. 176.151.15.101:443
  187. 87.65.160.87:995
  188. 92.24.200.226:995
  189. 87.221.197.110:2222
  190. 77.86.98.236:443
  191. 162.248.14.107:443
  192. 84.113.121.103:443
  193. 137.186.193.226:3389
  194. 92.8.190.211:2222
  195. 201.208.139.250:2222
  196. 12.172.173.82:22
  197. 75.98.154.19:443
  198. 24.142.218.202:443
  199. 70.77.116.233:443
  200. 24.228.132.224:2222
  201. 92.145.203.167:2222
  202.  
  203.  
  204.  
  205. netwrk
  206. --------------
  207. 94.105.123.53 443 TLSv1.2 Client Hello
  208. or (second run)
  209. 92.154.17.149 2222 TCP 49824 → 2222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
  210.  
  211.  
  212. comp
  213. --------------
  214. wermgr.exe 3964 TCP 94.105.123.53 443 ESTABLISHED
  215. or (second run)
  216. wermgr.exe 4243 TCP 92.154.17.149 2222 ESTABLISHED
  217.  
  218.  
  219. proc
  220. --------------
  221. C:\Windows\System32\cmd.exe /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  222. C:\Windows\system32\rundll32.exe /s newinvoice.patch,DrawThemeIcon
  223. C:\Windows\SysWOW64\rundll32.exe rundll32 /s newinvoice.patch,DrawThemeIcon
  224. C:\Windows\SysWOW64\wermgr.exe
  225. C:\Windows\SysWOW64\net.exe view
  226. C:\Windows\SysWOW64\cmd.exe /c set
  227. C:\Windows\SysWOW64\arp.exe -a
  228. C:\Windows\SysWOW64\ipconfig.exe /all
  229. C:\Windows\SysWOW64\nslookup.exe -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
  230. C:\Windows\SysWOW64\net.exe share
  231. C:\Windows\SysWOW64\net1.exe share
  232. C:\Windows\SysWOW64\route.exe print
  233. C:\Windows\SysWOW64\netstat.exe -nao
  234. C:\Windows\SysWOW64\net.exe localgroup
  235. C:\Windows\SysWOW64\net1.exe localgroup
  236. C:\Windows\SysWOW64\whoami.exe /all
  237. C:\Windows\system32\msiexec.exe /V
  238.  
  239.  
  240. persist
  241. --------------
  242. n/a
  243.  
  244.  
  245. drop
  246. --------------
  247. n/a
  248.  
  249. # # # # # # # #
  250. VT & Intezer
  251. # # # # # # # #
  252. https://www.virustotal.com/gui/file/c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4/details
  253. https://www.virustotal.com/gui/file/fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0/details
  254. https://www.virustotal.com/gui/file/bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420/details
  255. https://www.virustotal.com/gui/file/b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca/details
  256. https://www.virustotal.com/gui/file/ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2/details
  257. https://www.virustotal.com/gui/file/6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352/details
  258. https://www.virustotal.com/gui/file/9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5/details
  259. https://analyze.intezer.com/analyses/be508a5c-6581-4ff6-8f2d-5e6e15db339e
  260. https://www.virustotal.com/gui/file/dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae/details
  261. https://analyze.intezer.com/analyses/e624e456-0bbc-44c6-87f5-fbbecf6fd567
  262.  
  263. VR