- #IOC #OptiData #VR #qakbot #qbot
- https://pastebin.com/gR1iwSGn
- previous_contact:
- 25/08/20 https://pastebin.com/2EgQnFjW
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
- https://research.splunk.com/stories/qakbot/
- attack_vector
- --------------
- email > SCAN_WE2280.html [HTML smuggling] > attachment.zip [pwd] > SCAN_WE2280.img > SCAN_WE2280.LNK > cmd.exe /c YouNewRules\NewIssues.cmd > rundll32.exe /s NewInvoice.patch,DrawThemeIcon [DLL] > wermgr.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Received: from unknown (HELO omta033.useast.a.cloudfilter.net) ([44.202.169.32])
- Received: from eig-obgw-5010a.ext.cloudfilter.net ([10.0.29.199])
- Received: from gator2021.hostgator.com ([50.87.144.41]) by cmsmtp
- Received: from [24.53.62.209] (port=37501 helo=localhost) by gator2021.hostgator.com
- From: <bigmomma@michaelp.net>
- Subject: Re: журнали   (Ukrainian: "logs"; original Cyrillic subject kept as the IOC)
- Date: Tue, 13 Dec 2022 00:15:44 +0300
- MIME-Version: 1.0
- X-Mailer: Microsoft Outlook 16.0
- X-Email-Count: 106
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4
- File name SCAN_WE2280.html [MITRE ATT&CK T1027.006]
- File size 1.38 MB (1442011 bytes)
- SHA-256 fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0
- File name files.zip [ZIP, password = 057305]
- File size 425.95 KB (436176 bytes)
- SHA-256 bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420
- File name SCAN_WE2280.img [ISO 9660]
- File size 1.01 MB (1058816 bytes)
- SHA-256 b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca
- File name SCAN_WE2280.lnk [MS Windows shortcut]
- File size 2.57 KB (2635 bytes)
- SHA-256 ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2
- File name Updates.txt [UTF-8 Unicode English text]
- File size 233.68 KB (239286 bytes)
- SHA-256 6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352
- File name NewIssues.cmd [ASCII text]
- File size
- SHA-256 9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5
- File name NewInvoice.patch [ Win32 DLL ] - obfuscated
- File size 733.00 KB (750592 bytes)
- SHA-256 dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae
- File name NewInvoice.patch [ Win32 DLL ] - deobfuscated
- File size 4.00 KB (4096 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 94.105.123.53:443
- other (extracted by Hatching Triage)
- version: 404.46
- botnet: azd
- campaign: 1670585059   (Unix epoch = 2022-12-09 11:24:19 UTC)
- 173.239.94.212:443
- 91.169.12.198:32100
- 74.66.134.24:443
- 66.191.69.18:995
- 182.75.189.42:995
- 78.69.251.252:2222
- 98.145.23.67:443
- 103.71.21.107:443
- 197.94.219.133:443
- 91.68.227.219:443
- 12.172.173.82:993
- 86.176.83.127:2222
- 64.121.161.102:443
- 41.98.21.114:443
- 92.154.17.149:2222
- 151.65.67.211:443
- 89.129.109.27:2222
- 76.11.14.249:443
- 69.119.123.159:2222
- 70.66.199.12:443
- 12.172.173.82:990
- 183.82.100.110:2222
- 83.114.60.6:2222
- 92.189.214.236:2222
- 70.115.104.126:995
- 190.18.236.175:443
- 121.122.99.223:995
- 72.53.103.56:443
- 91.165.188.74:50000
- 12.172.173.82:995
- 156.220.229.249:993
- 86.96.75.237:2222
- 85.152.152.46:443
- 181.118.183.44:443
- 76.80.180.154:995
- 81.248.77.37:2222
- 90.66.229.185:2222
- 86.130.9.250:2222
- 172.117.139.142:995
- 12.172.173.82:465
- 75.143.236.149:443
- 81.229.117.95:2222
- 81.111.108.123:443
- 50.68.204.71:995
- 124.122.55.68:443
- 139.5.239.14:443
- 37.56.111.49:995
- 46.10.198.106:443
- 85.61.165.153:2222
- 90.104.22.28:2222
- 88.126.94.4:50000
- 90.89.95.158:2222
- 83.213.201.104:993
- 73.223.248.31:443
- 47.41.154.250:443
- 2.99.47.198:2222
- 190.199.169.127:993
- 83.92.85.93:443
- 184.68.116.146:2222
- 73.161.176.218:443
- 150.107.231.59:2222
- 98.178.242.28:443
- 213.67.255.57:2222
- 174.104.184.149:443
- 108.6.249.139:443
- 84.35.26.14:995
- 149.126.159.106:443
- 184.68.116.146:3389
- 37.14.229.220:2222
- 24.206.27.39:443
- 199.83.165.233:443
- 84.215.202.22:443
- 71.247.10.63:995
- 50.68.204.71:443
- 86.169.19.140:2222
- 76.20.42.45:443
- 70.55.120.16:2222
- 69.133.162.35:443
- 12.172.173.82:21
- 72.200.109.104:443
- 50.68.204.71:993
- 2.83.12.243:443
- 184.176.154.83:995
- 176.177.136.35:443
- 92.207.132.174:2222
- 174.77.209.5:443
- 142.161.27.232:2222
- 86.159.48.25:2222
- 100.6.8.7:443
- 184.153.132.82:443
- 27.109.19.90:2078
- 94.105.123.53:443
- 198.2.51.242:993
- 70.120.228.205:443
- 75.158.15.211:443
- 181.164.194.223:443
- 184.68.116.146:61202
- 184.68.116.146:2078
- 86.225.214.138:2222
- 78.213.14.206:443
- 176.142.207.63:443
- 73.36.196.11:443
- 197.26.142.159:443
- 176.151.15.101:443
- 87.65.160.87:995
- 92.24.200.226:995
- 87.221.197.110:2222
- 77.86.98.236:443
- 162.248.14.107:443
- 84.113.121.103:443
- 137.186.193.226:3389
- 92.8.190.211:2222
- 201.208.139.250:2222
- 12.172.173.82:22
- 75.98.154.19:443
- 24.142.218.202:443
- 70.77.116.233:443
- 24.228.132.224:2222
- 92.145.203.167:2222
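- Checking a host against the C2 list above: the Python below is an added example for this paste (not part of the original IOC dump or of any tool the paste references). It parses ip:port lines in the paste's format and matches them against `netstat -nao` output, reporting an exact ip:port hit separately from an IP-only hit, since several of the listed hosts (e.g. 12.172.173.82) appear on many ports. The embedded C2 subset is copied from the list above; the netstat text is constructed sample data, not a real capture.

```python
"""IOC matcher: checks `netstat -nao` output against the Qakbot C2 list above.

Added example for this paste, not part of the original IOC dump. The C2 list
below is a subset copied from the 'activity' section; the netstat output is
constructed sample data, not a real capture.
"""
import re
from typing import Dict, List, Set, Tuple

# Subset of the C2 entries listed in the paste (ip:port, one per line).
C2_TEXT = """
94.105.123.53:443
92.154.17.149:2222
12.172.173.82:995
12.172.173.82:990
184.68.116.146:3389
91.165.188.74:50000
"""

# Constructed `netstat -nao` sample: one listener, two rows matching the C2
# list, one row sharing a C2 IP on an unlisted port, one benign connection.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.2.15:49824        94.105.123.53:443      ESTABLISHED     3964
  TCP    10.0.2.15:49901        92.154.17.149:2222     SYN_SENT        4243
  TCP    10.0.2.15:50100        12.172.173.82:8080     ESTABLISHED     5120
  TCP    10.0.2.15:50211        20.190.160.5:443       ESTABLISHED     2208
"""

# Accepts "ip:port" with or without the paste's leading "- " bullet.
_C2_LINE = re.compile(r"^\s*-?\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def load_c2(text: str) -> Set[Tuple[str, int]]:
    """Parse ip:port lines into a set of (ip, port) tuples; other lines are ignored."""
    c2 = set()
    for line in text.splitlines():
        m = _C2_LINE.match(line)
        if m:
            c2.add((m.group(1), int(m.group(2))))
    return c2


def c2_ips(c2: Set[Tuple[str, int]]) -> Set[str]:
    """IP-only view; Qakbot proxies show up on several ports per host."""
    return {ip for ip, _ in c2}


# TCP rows of `netstat -nao`: proto, local, remote ip, remote port, state, pid.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def match_netstat(netstat_text: str, c2: Set[Tuple[str, int]]) -> List[Dict]:
    """Return netstat rows whose foreign address hits the C2 list.

    confidence 'exact'   : ip:port is in the list
    confidence 'ip_only' : the IP is a listed C2 host on a port not in the list
    """
    ips = c2_ips(c2)
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        _proto, _local, rip, rport, state, pid = m.groups()
        rport = int(rport)
        if (rip, rport) in c2:
            conf = "exact"
        elif rip in ips:
            conf = "ip_only"
        else:
            continue
        hits.append({"pid": int(pid), "remote": f"{rip}:{rport}",
                     "state": state, "confidence": conf})
    return hits


if __name__ == "__main__":
    for hit in match_netstat(NETSTAT_SAMPLE, load_c2(C2_TEXT)):
        print(hit)
```

- On a live host, feed `netstat -nao` output into match_netstat and map the returned PIDs back to images; in this sample the owning process was wermgr.exe (see the comp lines below).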
- netwrk
- --------------
- 94.105.123.53 443 TLSv1.2 Client Hello
- or (second run)
- 92.154.17.149 2222 TCP 49824 → 2222 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
- comp
- --------------
- wermgr.exe 3964 TCP 94.105.123.53 443 ESTABLISHED
- or (second run)
- wermgr.exe 4243 TCP 92.154.17.149 2222 ESTABLISHED
- proc
- --------------
- C:\Windows\System32\cmd.exe /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
- C:\Windows\system32\rundll32.exe /s newinvoice.patch,DrawThemeIcon
- C:\Windows\SysWOW64\rundll32.exe rundll32 /s newinvoice.patch,DrawThemeIcon
- C:\Windows\SysWOW64\wermgr.exe
- C:\Windows\SysWOW64\net.exe view
- C:\Windows\SysWOW64\cmd.exe /c set
- C:\Windows\SysWOW64\arp.exe -a
- C:\Windows\SysWOW64\ipconfig.exe /all
- C:\Windows\SysWOW64\nslookup.exe -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
- C:\Windows\SysWOW64\net.exe share
- C:\Windows\SysWOW64\net1.exe share
- C:\Windows\SysWOW64\route.exe print
- C:\Windows\SysWOW64\netstat.exe -nao
- C:\Windows\SysWOW64\net.exe localgroup
- C:\Windows\SysWOW64\net1.exe localgroup
- C:\Windows\SysWOW64\whoami.exe /all
- C:\Windows\system32\msiexec.exe /V
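- Detection logic for the process chain above: the Python below is an added example for this paste (not part of the original IOC dump or of any referenced tool). It runs four heuristics drawn from the proc lines over constructed Sysmon-style process-creation events: rundll32 loading a module whose extension is not a DLL-type extension (newinvoice.patch), cmd.exe /c running a .cmd script with the A..Z 0..9 argument run seen here (a sample-specific heuristic), wermgr.exe spawned by rundll32.exe, and wermgr.exe spawning recon binaries (net, arp, ipconfig, nslookup, route, netstat, whoami). The event records and PIDs are constructed; the command lines mirror the paste.

```python
"""Process-chain detections derived from the 'proc' list above.

Added example for this paste, not part of the original IOC dump. EVENTS are
constructed Sysmon-style records (image / parent / cmdline) built from the
command lines in the paste plus two benign controls; PIDs are made up.
"""
from typing import Dict, List, Tuple

EVENTS: List[Dict] = [
    {"pid": 1001, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c YouNewRules\NewIssues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9"},
    {"pid": 1002, "image": r"C:\Windows\system32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe /s newinvoice.patch,DrawThemeIcon"},
    {"pid": 1003, "image": r"C:\Windows\SysWOW64\wermgr.exe", "parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 1004, "image": r"C:\Windows\SysWOW64\net.exe", "parent": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\net.exe view"},
    {"pid": 1005, "image": r"C:\Windows\SysWOW64\nslookup.exe", "parent": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\nslookup.exe -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP"},
    {"pid": 1006, "image": r"C:\Windows\SysWOW64\whoami.exe", "parent": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\whoami.exe /all"},
    # Benign controls: rundll32 with a real DLL, and ipconfig from a user shell.
    {"pid": 2001, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 2002, "image": r"C:\Windows\System32\ipconfig.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\ipconfig.exe /all"},
]

# Extensions rundll32 legitimately loads; anything else (.patch here) is suspicious.
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Discovery binaries the paste shows wermgr.exe spawning.
RECON_BINARIES = {"net.exe", "net1.exe", "arp.exe", "ipconfig.exe", "nslookup.exe",
                  "route.exe", "netstat.exe", "whoami.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline: str) -> Tuple[str, str]:
    """Return (module, export) from a rundll32 command line.

    Skips switches such as /s and the duplicated 'rundll32' token seen in the
    SysWOW64 variant in the paste; command lines here contain no quoted spaces.
    """
    for arg in cmdline.split()[1:]:
        if arg.startswith("/") or arg.lower() == "rundll32":
            continue
        module, _, export = arg.partition(",")
        return module, export
    return "", ""


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Apply the four heuristics; returns (rule_name, pid) for every hit."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        parent = basename(ev["parent"])
        argv = ev["cmdline"].split()

        if img == "rundll32.exe":
            module, _export = rundll32_module(ev["cmdline"])
            ext = "." + module.rsplit(".", 1)[-1].lower() if "." in module else ""
            if module and ext not in DLL_EXTENSIONS:
                hits.append(("rundll32_non_dll_module", ev["pid"]))

        if img == "cmd.exe" and len(argv) > 2 and argv[1].lower() == "/c" \
                and argv[2].lower().endswith(".cmd"):
            # .cmd script followed by a long run of single-character arguments
            # (A..Z 0..9 in the paste); specific to this sample's loader.
            tail = argv[3:]
            if len(tail) >= 20 and all(len(a) == 1 for a in tail):
                hits.append(("cmd_script_alphabet_args", ev["pid"]))

        if img == "wermgr.exe" and parent == "rundll32.exe":
            hits.append(("wermgr_child_of_rundll32", ev["pid"]))

        if parent == "wermgr.exe" and img in RECON_BINARIES:
            hits.append(("wermgr_spawns_recon", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

- The wermgr.exe rules carry the weight here: Windows Error Reporting has no reason to run net, nslookup or whoami, so a burst of discovery commands under that parent is a strong signal even when the loader's file name and export change between campaigns.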
- persist
- --------------
- n/a
- drop
- --------------
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/c2b17bc002f4db968e771b34a64e74c5cb04ace0e7b16d5cf18382b5e2ad45d4/details
- https://www.virustotal.com/gui/file/fda7ee3a400614bda8238a61d0f93c883329cf9b8912873b2c60d8f5c9deaea0/details
- https://www.virustotal.com/gui/file/bc080013aff169586dc5efb00ec3a7296791412c72ac3705bfd439da6d14f420/details
- https://www.virustotal.com/gui/file/b286440ca1c5d399582c6595d787045293f121152a02e62f4dcd5c2cbc8ed0ca/details
- https://www.virustotal.com/gui/file/ceb2378fc315e19c299ee8e33b23340b19273d7b31470fc1cd433fd0825fc0a2/details
- https://www.virustotal.com/gui/file/6295018e08b1d466e8787fcaad8da9e8c777a01816a2868eba0cd8d8ef757352/details
- https://www.virustotal.com/gui/file/9953dc1dfb656c66ec4ca87d371a72a3d413a96610025d59ae3729e5cd232da5/details
- https://analyze.intezer.com/analyses/be508a5c-6581-4ff6-8f2d-5e6e15db339e
- https://www.virustotal.com/gui/file/dc9ad9461c6f6b59555da3f88fa6a63a2e6a6cbfaf8b28336c7c3a411d7102ae/details
- https://analyze.intezer.com/analyses/e624e456-0bbc-44c6-87f5-fbbecf6fd567
- VR