malware_traffic

2020-04-22 - URLs/hashes for Qakbot (Qbot) spx102 files

Apr 22nd, 2020
2020-04-22 (WEDNESDAY) - URLS/HASHES FOR QAKBOT (QBOT) SPX102, THE "/PUMP/" WAVE

URLS FOR THE INITIAL ZIP ARCHIVES:


URLS FOR THE QAKBOT EXE FILES:

- NOTE: These were first noted by @lazyactivist192 on Twitter and posted at https://pastebin.com/L0g5fRgv (see the link for more info)

EXAMPLES OF DOWNLOADED ZIP ARCHIVES:


EXAMPLES OF EXTRACTED VBS FILES:


EXAMPLES OF QAKBOT EXE FILES (ALL 2,372,096 BYTES):
