malware_traffic

2020-08-03 (Monday) - Qakbot (Qbot) spx147

Aug 3rd, 2020
2020-08-03 (MONDAY) - QAKBOT (QBOT) SPX147

NOTES:

- Qakbot is back to spamming today, the first time since 2020-06-23 (spx146)

REFERENCES:

- https://twitter.com/mesa_matt/status/1290315727912738816
- https://twitter.com/lazyactivist192/status/1290321073997860868
- https://pastebin.com/gWxajTRN
- https://www.malware-traffic-analysis.net/2020/08/03/index.html

34 EXAMPLES OF URLS FROM MALSPAM TO DOWNLOAD THE INITIAL ZIP ARCHIVE:

- hxxp://acaimaniaecia.acaimenu[.]com/gmpqqeevpkab/Ht/WC/a4Rnasoi.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/9r/vh/Ca9h34GN.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/ou/7H/DkHgYqzW.zip
- hxxp://alldgm[.]in/ubmrbyhjxtgf/WsHyx7T7L6.zip
- hxxp://allthingstravel[.]co[.]uk/vrimncsnfh/c/P9cQaB6w1.zip
- hxxp://arssilim[.]com/gotbolkwgk/FkbbS6QT6b.zip
- hxxp://bilal.newtechnologyxperts[.]com/xlzlwbn/jDXcgdjyB4.zip
- hxxp://bridalmasks[.]com/ifhbij/9h/QS/kwdpaes6.zip
- hxxp://bridalmasks[.]com/ifhbij/FOzD8nfKgO.zip
- hxxp://correctordeortografia[.]com/ygamaikfr/e/aIudlGY31.zip
- hxxp://correctordeortografia[.]com/ygamaikfr/Io/XW/dN7PA9Mn.zip
- hxxp://dca.district9211[.]org/ahgrxqesc/pzjsD3bbYo.zip
- hxxp://dca.district9211[.]org/ahgrxqesc/S/Z1HzZBxmm.zip
- hxxp://dehkadehzaferan[.]com/vkahlrwruo/9/y6weCEdm4.zip
- hxxp://diamondbraintutor[.]com/yucsomjbz/gE/NI/sq1RHXCO.zip
- hxxp://digitalservicecare[.]in/pzdggpg/iu/3g/w5evoSA6.zip
- hxxp://escuelajosesanabria[.]com/dpfpfl/2c/zM/eVUfmt02.zip
- hxxp://findthemlocal[.]co[.]uk/bbhgt/w/rz6Pok2I4.zip
- hxxp://gartengestaltung-hoellerer[.]de/fnfttgll/GRAKA0qxNw.zip
- hxxp://gofaststrap[.]com/cbiacoah/y9/Ps/MfuPLZLK.zip
- hxxp://itc-sr[.]ru/iozipuqbw/5hYQTPaxwI.zip
- hxxp://izi-jobs[.]net/qslbf/hB/GF/byiKCv7U.zip
- hxxp://kalamelk[.]ir/ikyevsry/4f0Nr7EsFc.zip
- hxxp://learntus[.]co[.]in/vadisbbvn/w79cc9nfiI.zip
- hxxp://m.exoticcarrentalorlando[.]com/waqkvdyhl/a/FrQxzjviN.zip
- hxxp://paarcell[.]com/whxutsxylnos/I/HgdVnXLbX.zip
- hxxp://pslrn.com[.]br/jfjmtdy/UC/m5/L6YFAxZa.zip
- hxxp://sharkbum[.]com/njwbnb/rKiPJCuwZM.zip
- hxxp://startseunegocio[.]com/exwtz/p/LzCYqITKk.zip
- hxxp://vitinhphamgia[.]com/pcjynxvxwr/ly/Lt/lSR9GDFV.zip
- hxxp://www.mira-blau[.]de/oubkdxb/gBi4l66lrI.zip
- hxxp://www.officeautomationltd[.]com/njghv/K/bqVDeP9hU.zip
- hxxp://www.sportingpro[.]com[.]ar/vicldxvutk/HA/pG/21wGqfI9.zip
- hxxp://xltc-dta[.]be/hwpaz/j/H9pJyYiax.zip

5 EXAMPLES OF THE INITIAL ZIP ARCHIVE:

- 6258d0ffd544a3ff02fd74d162c6e1aab40a44d4a2b7447970374f9f4ca29ac9 21wGqfI9.zip
- 9bc92658cc86ca82be3881fb21eaa840a111c024cd65ce7d8630653bc2256866 aIudlGY31.zip
- 5cfd15470a434f048d29051ce733cae8063479d706e2b6156d4dfaddef386894 byiKCv7U.zip
- fc5702b536d817baa13dedcc80b280c74453c845b4d713f13ae6ff2325a97ff5 jDXcgdjyB4.zip
- bff02c0926e6d805c7f6324c4a0cdc8b68df253d2181f22296fa8baf483d3fcd pzjsD3bbYo.zip

5 EXAMPLES OF EXTRACTED VBS FILES:

- f7eebe0b84ebcf549c278263c83944bb3adcedc16e5d5488309d2de426040c38 PH1917019.vbs
- ee02d31a24d420570fd9bb5d8a9ae09505db317562137c0938ac173c23d0271d PH2987153.vbs
- 2ea11e59848878d6af8d0318fb2f23e7f445a98aedf1be0f4d6ac9e3a5dc4c0f PH3497638.vbs
- 029aecca7652215a52c2de9e4c914867bfe4899914169696068c7c39515ef027 PH4318217.vbs
- 8def7a6f1f6dea6c73a22504b0b79c51fcc329fa68e6408f678270e8908f405d PH6580048.vbs

6 URLS FOR THE QAKBOT SPX147 EXE:

- hxxp://ttt.s-host[.]net/heaqwhmudzc/8888888.png
- hxxp://izi-jobs[.]re/zklvxtelxlw/8888888.png
- hxxp://astamvillagelodge[.]com/rbntjp/8888888.png
- hxxp://fresh-organic-food[.]com/ddpauqvq/8888888.png
- hxxp://fareapp[.]com[.]br/ffvbpqjsjfwp/8888888.png
- hxxp://frenchsporting[.]bts2020[.]fr/nwgjc/8888888.png

QAKBOT SPX147 EXE INITIALLY SAVED TO:

- C:\Users\[username]\AppData\Local\Temp\Direct3DMX.exe

5 EXAMPLES OF QAKBOT SPX147 EXE:

- 0636479f9f0ae8ad2c4288da3aad038bc69977674a18afbd52d43cc7b9931f74
- 0930678a148689d3b2eab8f68acb2b8b857375a97e1701505c347ae30848dd6a
- 342ac51b292bbd8185b2c6fc44b343a5e6d7a45af5398847434f00092cddf2ad
- 6a41a49bfe9db6c5b638d4438dbf7c84451a22b74f2c0f7a5e6f7a034712c1da
- a330e49a6bb1ccc8c05de0e241f4faf2b15a2d4dd004301c3320a597347b5e5f

EXAMPLE OF QAKBOT SPX147 EXE PERSISTENT ON AN INFECTED WINDOWS HOST:

- Registry Key Name: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value Name: ehjsqfs
- Value Type: REG_SZ
- Value Data: "C:\Users\[username]\AppData\Roaming\Microsoft\Xjzpf\eidfii.exe"

TRAFFIC FROM AN INFECTED WINDOWS 10 HOST:

- 107.180.91[.]64 port 80 - correctordeortografia[.]com - GET /ygamaikfr/e/aIudlGY31.zip
- 185.253.219[.]218 port 80 - ttt.s-host[.]net - GET /heaqwhmudzc/8888888.png

- 24.136.34[.]71 port 2222 - attempted TCP connections, but no response from the server
- 35.209.218[.]146 port 443 - HTTPS traffic
- 82.118.22[.]125 port 443 - HTTPS traffic

- 54.36.108[.]120 port 65400 - TCP traffic

- port 443 - cdn.speedof[.]me - HTTPS traffic (not inherently malicious)
- port 443 - api.ipify[.]org - IP address check (not inherently malicious)

- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_chrome.html
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_ff.html
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_ie.html

- various IP addresses over various ports - spambot activity from the Qakbot-infected host

- 109.234.161[.]51 port 80 - izi-services[.]re - POST /vds.php
- 35.213.169[.]136 port 80 - pattayafootball[.]com - POST /vds.php
- 107.180.40[.]62 port 80 - bridalmasks[.]com - POST /vds.php
- 112.213.89[.]168 port 80 - gymhub[.]vn - POST /vds.php
- 152.32.211[.]197 port 80 - phpyb[.]com - POST /vds.php
- 152.32.211[.]197 port 80 - phpyb[.]com - GET /tryxf/test.zip
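An added example of turning the indicator sections above (the malspam URLs, the hashes and the traffic list) into something a SOC can match against logs; it is not code from this paste or from malware-traffic-analysis.net. It refangs a handful of lines copied from the paste, sorts them into SHA256 hashes, host+path URLs, host names and IP:port endpoints, keeps the hosts the paste marks "not inherently malicious" in a separate set so they never alert on their own, and runs the result over constructed proxy/firewall records. The record format (timestamp, source IP, destination IP, port, host, method, path, whitespace-separated) and the sample records are assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicator lines copied from the sections above, kept defanged exactly as published
# (hxxp:// and [.]); they are refanged only in memory for matching.
PASTE_LINES = [
    "- hxxp://correctordeortografia[.]com/ygamaikfr/e/aIudlGY31.zip",
    "- hxxp://ttt.s-host[.]net/heaqwhmudzc/8888888.png",
    "- 6258d0ffd544a3ff02fd74d162c6e1aab40a44d4a2b7447970374f9f4ca29ac9 21wGqfI9.zip",
    "- 107.180.91[.]64 port 80 - correctordeortografia[.]com - GET /ygamaikfr/e/aIudlGY31.zip",
    "- 24.136.34[.]71 port 2222 - attempted TCP connections, but no response from the server",
    "- 54.36.108[.]120 port 65400 - TCP traffic",
    "- port 443 - api.ipify[.]org - IP address check (not inherently malicious)",
    "- 152.32.211[.]197 port 80 - phpyb[.]com - POST /vds.php",
]

# Constructed proxy/firewall records in a hypothetical format (assumption):
# timestamp src_ip dst_ip dst_port host method path   ("-" where a field does not apply)
SAMPLE_LOGS = [
    "2020-08-03T14:02:11Z 10.0.0.25 107.180.91.64 80 correctordeortografia.com GET /ygamaikfr/e/aIudlGY31.zip",
    "2020-08-03T14:02:40Z 10.0.0.25 203.0.113.10 443 api.ipify.org - -",
    "2020-08-03T14:03:05Z 10.0.0.25 54.36.108.120 65400 - - -",
    "2020-08-03T14:03:30Z 10.0.0.25 198.51.100.7 443 www.example.com - -",
    "2020-08-03T14:04:12Z 10.0.0.25 152.32.211.197 80 phpyb.com POST /vds.php",
]

SHA256_RE = re.compile(r"^([0-9a-f]{64})\b")
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$")
TRAFFIC_RE = re.compile(
    r"^(?:(\d{1,3}(?:\.\d{1,3}){3}) )?port (\d+)"      # optional IP, then port
    r"(?: - ([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+))?"      # optional host (must contain a dot)
    r"(?: - (GET|POST) (\S+))?"                         # optional HTTP method and path
)


def refang(text):
    """Turn the paste's defanged notation back into real URLs/hosts for matching."""
    return text.replace("hxxp", "http").replace("[.]", ".")


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)
    urls: set = field(default_factory=set)       # "host/path", scheme dropped on purpose
    hosts: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)  # (ip, port) pairs from the traffic section
    benign: set = field(default_factory=set)     # hosts the paste marks as not inherently malicious


def parse_paste(lines):
    iocs = IocSet()
    for raw in lines:
        line = refang(raw.strip().lstrip("-").strip())
        if not line:
            continue
        if m := SHA256_RE.match(line):
            iocs.sha256.add(m.group(1))
        elif m := URL_RE.match(line):
            host, path = m.group(1), m.group(2) or "/"
            iocs.hosts.add(host)
            iocs.urls.add(host + path)
        elif m := TRAFFIC_RE.match(line):
            ip, port, host, method, path = m.groups()
            if "not inherently malicious" in line:
                iocs.benign.add(host)      # corroborating noise only, never an alert by itself
                continue
            if ip:
                iocs.endpoints.add((ip, int(port)))
            if host:
                iocs.hosts.add(host)
                if path:
                    iocs.urls.add(host + path)
    return iocs


def parse_log(record):
    ts, src, dst, dport, host, method, path = record.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "host": None if host == "-" else host,
            "path": None if path == "-" else path}


def match_record(rec, iocs):
    """Return the most specific IOC match (kind, indicator) for one record, or None."""
    host, path = rec["host"], rec["path"]
    if host in iocs.benign:
        return None
    if host and path and host + path in iocs.urls:
        return ("url", host + path)
    if host in iocs.hosts:
        return ("host", host)
    if (rec["dst"], rec["dport"]) in iocs.endpoints:
        return ("endpoint", f"{rec['dst']}:{rec['dport']}")
    return None


def scan_logs(records, iocs):
    """Return (timestamp, src_ip, kind, indicator) for every record that hits an IOC."""
    hits = []
    for record in records:
        rec = parse_log(record)
        if m := match_record(rec, iocs):
            hits.append((rec["ts"], rec["src"]) + m)
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_paste(PASTE_LINES)):
        print(*hit)
```

Matching is ordered from most to least specific (full URL, then host, then IP:port) so that an alert names the strongest evidence available; the plain IP:port entries such as 54.36.108[.]120:65400 are the only way to catch the non-HTTP command-and-control sessions, since they carry no host name. The benign set exists because api.ipify[.]org and cdn.speedof[.]me are used by plenty of legitimate software; on this host they are post-infection reconnaissance, so treat them as corroboration for a hit on another indicator rather than as a detection.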