malware_traffic

2020-08-03 (Monday) - Qakbot (Qbot) spx147

Aug 3rd, 2020
2020-08-03 (MONDAY) - QAKBOT (QBOT) SPX147

NOTES:

- Qakbot is back to spamming today, the first time since 2020-06-23 (spx146)

REFERENCES:

- https://twitter.com/mesa_matt/status/1290315727912738816
- https://twitter.com/lazyactivist192/status/1290321073997860868
- https://pastebin.com/gWxajTRN
- https://www.malware-traffic-analysis.net/2020/08/03/index.html

34 EXAMPLES OF URLS FROM MALSPAM TO DOWNLOAD THE INITIAL ZIP ARCHIVE:

- hxxp://acaimaniaecia.acaimenu[.]com/gmpqqeevpkab/Ht/WC/a4Rnasoi.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/9r/vh/Ca9h34GN.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/ou/7H/DkHgYqzW.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/WsHyx7T7L6.zip
- hxxp://allthingstravel[.]co[.]uk/vrimncsnfh/c/P9cQaB6w1.zip
- hxxp://arssilim[.]com/gotbolkwgk/FkbbS6QT6b.zip
- hxxp://bilal.newtechnologyxperts[.]com/xlzlwbn/jDXcgdjyB4.zip
- hxxp://bridalmasks[.]com/ifhbij/9h/QS/kwdpaes6.zip
- hxxp://bridalmasks[.]com/ifhbij/FOzD8nfKgO.zip
- hxxp://correctordeortografia[.]com/ygamaikfr/e/aIudlGY31.zip
- hxxp://correctordeortografia[.]com/ygamaikfr/Io/XW/dN7PA9Mn.zip
- hxxp://dca.district9211[.]org/ahgrxqesc/pzjsD3bbYo.zip
- hxxp://dca.district9211[.]org/ahgrxqesc/S/Z1HzZBxmm.zip
- hxxp://dehkadehzaferan[.]com/vkahlrwruo/9/y6weCEdm4.zip
- hxxp://diamondbraintutor[.]com/yucsomjbz/gE/NI/sq1RHXCO.zip
- hxxp://digitalservicecare[.]in/pzdggpg/iu/3g/w5evoSA6.zip
- hxxp://escuelajosesanabria[.]com/dpfpfl/2c/zM/eVUfmt02.zip
- hxxp://findthemlocal[.]co[.]uk/bbhgt/w/rz6Pok2I4.zip
- hxxp://gartengestaltung-hoellerer[.]de/fnfttgll/GRAKA0qxNw.zip
- hxxp://gofaststrap[.]com/cbiacoah/y9/Ps/MfuPLZLK.zip
- hxxp://itc-sr[.]ru/iozipuqbw/5hYQTPaxwI.zip
- hxxp://izi-jobs[.]net/qslbf/hB/GF/byiKCv7U.zip
- hxxp://kalamelk[.]ir/ikyevsry/4f0Nr7EsFc.zip
- hxxp://learntus[.]co[.]in/vadisbbvn/w79cc9nfiI.zip
- hxxp://m.exoticcarrentalorlando[.]com/waqkvdyhl/a/FrQxzjviN.zip
- hxxp://paarcell[.]com/whxutsxylnos/I/HgdVnXLbX.zip
- hxxp://pslrn.com[.]br/jfjmtdy/UC/m5/L6YFAxZa.zip
- hxxp://sharkbum[.]com/njwbnb/rKiPJCuwZM.zip
- hxxp://startseunegocio[.]com/exwtz/p/LzCYqITKk.zip
- hxxp://vitinhphamgia[.]com/pcjynxvxwr/ly/Lt/lSR9GDFV.zip
- hxxp://www.mira-blau[.]de/oubkdxb/gBi4l66lrI.zip
- hxxp://www.officeautomationltd[.]com/njghv/K/bqVDeP9hU.zip
- hxxp://www.sportingpro[.]com[.]ar/vicldxvutk/HA/pG/21wGqfI9.zip
- hxxp://xltc-dta[.]be/hwpaz/j/H9pJyYiax.zip

5 EXAMPLES OF THE INITIAL ZIP ARCHIVE:

- 6258d0ffd544a3ff02fd74d162c6e1aab40a44d4a2b7447970374f9f4ca29ac9 21wGqfI9.zip
- 9bc92658cc86ca82be3881fb21eaa840a111c024cd65ce7d8630653bc2256866 aIudlGY31.zip
- 5cfd15470a434f048d29051ce733cae8063479d706e2b6156d4dfaddef386894 byiKCv7U.zip
- fc5702b536d817baa13dedcc80b280c74453c845b4d713f13ae6ff2325a97ff5 jDXcgdjyB4.zip
- bff02c0926e6d805c7f6324c4a0cdc8b68df253d2181f22296fa8baf483d3fcd pzjsD3bbYo.zip

5 EXAMPLES OF EXTRACTED VBS FILES:

- f7eebe0b84ebcf549c278263c83944bb3adcedc16e5d5488309d2de426040c38 PH1917019.vbs
- ee02d31a24d420570fd9bb5d8a9ae09505db317562137c0938ac173c23d0271d PH2987153.vbs
- 2ea11e59848878d6af8d0318fb2f23e7f445a98aedf1be0f4d6ac9e3a5dc4c0f PH3497638.vbs
- 029aecca7652215a52c2de9e4c914867bfe4899914169696068c7c39515ef027 PH4318217.vbs
- 8def7a6f1f6dea6c73a22504b0b79c51fcc329fa68e6408f678270e8908f405d PH6580048.vbs

6 URLS FOR THE QAKBOT SPX147 EXE:

- hxxp://ttt.s-host[.]net/heaqwhmudzc/8888888.png
- hxxp://izi-jobs[.]re/zklvxtelxlw/8888888.png
- hxxp://astamvillagelodge[.]com/rbntjp/8888888.png
- hxxp://fresh-organic-food[.]com/ddpauqvq/8888888.png
- hxxp://fareapp[.]com[.]br/ffvbpqjsjfwp/8888888.png
- hxxp://frenchsporting[.]bts2020[.]fr/nwgjc/8888888.png

QAKBOT SPX147 EXE INITIALLY SAVED TO:

- C:\Users\[username]\AppData\Local\Temp\Direct3DMX.exe

5 EXAMPLES OF QAKBOT SPX147 EXE:

- 0636479f9f0ae8ad2c4288da3aad038bc69977674a18afbd52d43cc7b9931f74
- 0930678a148689d3b2eab8f68acb2b8b857375a97e1701505c347ae30848dd6a
- 342ac51b292bbd8185b2c6fc44b343a5e6d7a45af5398847434f00092cddf2ad
- 6a41a49bfe9db6c5b638d4438dbf7c84451a22b74f2c0f7a5e6f7a034712c1da
- a330e49a6bb1ccc8c05de0e241f4faf2b15a2d4dd004301c3320a597347b5e5f

EXAMPLE OF QAKBOT SPX147 EXE PERSISTENT ON AN INFECTED WINDOWS HOST:

- Registry Key Name: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value Name: ehjsqfs
- Value Type: REG_SZ
- Value Data: "C:\Users\[username]\AppData\Roaming\Microsoft\Xjzpf\eidfii.exe"
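
An added check for the persistence entry above (example code, not from the paste or from malware-traffic-analysis.net): it flags HKCU Run values whose data has the same shape as the sample, an .exe under %APPDATA%\Microsoft\<random>\<random>.exe. The regex is a heuristic derived from this single entry, the name lengths and the sample Run contents (with [username] filled in as "alice") are constructed assumptions, and on Windows the read_hkcu_run helper reads the live key with the standard winreg module.

```python
from __future__ import annotations
import re
import sys

# Shape of the single Run entry documented above: an .exe directly under
# %APPDATA%\Microsoft\<random>\, optionally quoted. Heuristic, not a signature;
# the 3-12 letter lengths are an assumption, not something the paste states.
QAKBOT_RUN_RE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\'
    r'[A-Za-z]{3,12}\\[A-Za-z]{3,12}\.exe"?$'
)

# Constructed HKCU\...\Run contents for offline testing. "ehjsqfs" copies the
# value name and path from the paste with [username] filled in as alice.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ehjsqfs": r'"C:\Users\alice\AppData\Roaming\Microsoft\Xjzpf\eidfii.exe"',
    "Teams": r'C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe --processStart "Teams.exe"',
}


def suspicious_run_entries(entries: dict[str, str]) -> list[str]:
    """Return the value names whose data matches the Qakbot-style persistence path."""
    return [name for name, data in entries.items() if QAKBOT_RUN_RE.match(data.strip())]


def read_hkcu_run() -> dict[str, str]:
    """Read the live HKCU Run key on Windows; return {} on other platforms or on error."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries: dict[str, str] = {}
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            i = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, i)
                except OSError:      # raised when there are no more values
                    break
                entries[name] = str(data)
                i += 1
    except OSError:
        return {}
    return entries


if __name__ == "__main__":
    live = read_hkcu_run()
    target = live if live else SAMPLE_RUN   # fall back to the constructed sample off-Windows
    for name in suspicious_run_entries(target):
        print(f"suspicious Run value: {name} -> {target[name]}")
```

Treat a hit as a lead rather than proof: hash the referenced file and compare it against the SHA256 values listed for the spx147 EXE above before calling the host infected.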

TRAFFIC FROM AN INFECTED WINDOWS 10 HOST:

- 107.180.91[.]64 port 80 - correctordeortografia[.]com - GET /ygamaikfr/e/aIudlGY31.zip
- 185.253.219[.]218 port 80 - ttt.s-host[.]net - GET /heaqwhmudzc/8888888.png

- 24.136.34[.]71 port 2222 - attempted TCP connections, but no response from the server
- 35.209.218[.]146 port 443 - HTTPS traffic
- 82.118.22[.]125 port 443 - HTTPS traffic

- 54.36.108[.]120 port 65400 - TCP traffic

- port 443 - cdn.speedof[.]me - HTTPS traffic (not inherently malicious)
- port 443 - api.ipify[.]org - IP address check (not inherently malicious)

- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_chrome.html
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_ff.html
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_ie.html

- various IP addresses over various ports - spambot activity from the Qakbot-infected host

- 109.234.161[.]51 port 80 - izi-services[.]re - POST /vds.php
- 35.213.169[.]136 port 80 - pattayafootball[.]com - POST /vds.php
- 107.180.40[.]62 port 80 - bridalmasks[.]com - POST /vds.php
- 112.213.89[.]168 port 80 - gymhub[.]vn - POST /vds.php
- 152.32.211[.]197 port 80 - phpyb[.]com - POST /vds.php
- 152.32.211[.]197 port 80 - phpyb[.]com - GET /tryxf/test.zip
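
To make the indicator lists above actionable, here is an added example (not part of the paste or of malware-traffic-analysis.net) that refangs a subset of the indicators exactly as written above, sorts them into host, IP, URL and SHA256 sets, and matches them against proxy-style log lines. The log format, the benign rows and the "C2 port" heuristic (bare TCP connections to ports other than 80/443, which here yields 2222 and 65400 from the traffic section) are my assumptions, not anything the capture states; the two "not inherently malicious" hosts are left out on purpose.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Indicators copied from the paste above, still defanged. The "not inherently
# malicious" hosts (cdn.speedof.me, api.ipify.org) are deliberately left out.
IOC_TEXT = """\
- hxxp://correctordeortografia[.]com/ygamaikfr/e/aIudlGY31.zip
- hxxp://ttt.s-host[.]net/heaqwhmudzc/8888888.png
- hxxp://izi-jobs[.]re/zklvxtelxlw/8888888.png
- 107.180.91[.]64 port 80 - correctordeortografia[.]com - GET /ygamaikfr/e/aIudlGY31.zip
- 185.253.219[.]218 port 80 - ttt.s-host[.]net - GET /heaqwhmudzc/8888888.png
- 24.136.34[.]71 port 2222 - attempted TCP connections, but no response from the server
- 35.209.218[.]146 port 443 - HTTPS traffic
- 54.36.108[.]120 port 65400 - TCP traffic
- 109.234.161[.]51 port 80 - izi-services[.]re - POST /vds.php
- 6258d0ffd544a3ff02fd74d162c6e1aab40a44d4a2b7447970374f9f4ca29ac9 21wGqfI9.zip
"""

# Constructed proxy-style log (not from the real pcap): "ts src dst dport method host uri",
# with "-" for bare TCP connections. Benign rows use documentation IP ranges.
SAMPLE_LOG = """\
2020-08-03T14:02:11Z 10.0.0.5 107.180.91.64 80 GET correctordeortografia.com /ygamaikfr/e/aIudlGY31.zip
2020-08-03T14:02:40Z 10.0.0.5 185.253.219.218 80 GET ttt.s-host.net /heaqwhmudzc/8888888.png
2020-08-03T14:03:02Z 10.0.0.5 203.0.113.10 443 GET api.ipify.org /
2020-08-03T14:03:15Z 10.0.0.5 24.136.34.71 2222 - - -
2020-08-03T14:03:30Z 10.0.0.5 192.0.2.1 443 GET example.com /
2020-08-03T14:05:00Z 10.0.0.5 198.51.100.7 65400 - - -
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# "<ip> port <port>[ - <host>][ - GET|POST <path>]", the layout of the traffic section
TRAFFIC_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}) port (\d+)"
    r"(?: - ([A-Za-z0-9.-]+\.[A-Za-z]{2,}))?(?: - (GET|POST) (\S+))?"
)


@dataclass
class IocSet:
    hosts: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)      # host + path, scheme dropped
    sha256: set[str] = field(default_factory=set)
    c2_ports: set[int] = field(default_factory=set)  # bare-TCP ports other than 80/443


def refang(s: str) -> str:
    """Undo the paste's defanging: hxxp -> http and [.] -> ."""
    s = re.sub(r"hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def parse_iocs(text: str) -> IocSet:
    """Sort each IOC line into the hash, URL or traffic bucket."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = refang(raw.strip().lstrip("- ").strip())
        if not line:
            continue
        if m := SHA256_RE.search(line):
            iocs.sha256.add(m.group(0))
        elif m := URL_RE.search(line):
            host, path = m.group(1).lower(), m.group(2) or "/"
            iocs.hosts.add(host)
            iocs.urls.add(host + path)
        elif m := TRAFFIC_RE.match(line):
            ip, port, host, _method, path = m.groups()
            iocs.ips.add(ip)
            if host:
                iocs.hosts.add(host.lower())
                if path:
                    iocs.urls.add(host.lower() + path)
            elif int(port) not in (80, 443):
                iocs.c2_ports.add(int(port))   # heuristic: non-web ports seen as bare TCP above
    return iocs


def scan_log(log_text: str, iocs: IocSet) -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for every log row that touches an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, _src, dst, dport, _method, host, uri = line.split()
        host = host.lower()
        reasons = []
        if dst in iocs.ips:
            reasons.append(f"dst {dst} is a listed IP")
        if host in iocs.hosts:
            reasons.append(f"host {host} is a listed domain")
        if host + uri in iocs.urls:
            reasons.append(f"url {host}{uri} is a listed URL")
        if int(dport) in iocs.c2_ports:
            reasons.append(f"dst port {dport} matches the Qakbot C2 port pattern (heuristic)")
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {n}: " + "; ".join(reasons))
```

The port heuristic is the noisy part: any outbound connection to 2222 or 65400 will be flagged, so pair it with the IP and URL matches (which are exact) when triaging, and expect the IP-only matches to age quickly since Qakbot C2 hosts rotate.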