2021-10-19 Qakbot IOCs

THREAT IDENTIFICATION:  QAKBOT

CAMPAIGN ID: obama118

SUBJECTS OBSERVED
Email subjects were from stolen email threads.

SENDERS OBSERVED
asoriano@bartonhealthcare.org
staffing@wittercoin.com

ZIP FILE ATTACHMENT HASHES
Calculation-10192021-1209325989.zip
16fdc9a640b00987414d4b0228894b87

Calculation-10192021-1015439176.zip
6a9689c5cf6e08c9053441604bacf008

EXCEL FILE HASHES
Calculation-10192021-1015439176.xls
477e86a86d62e1e763257379f8bd18ef

Calculation-10192021-1209325989.xls
4faebd558aa11680e9908d035fa67ce9

PAYLOAD DOWNLOAD URLS
http://94.140.112.22/44488.5289787037.dat
http://80.92.206.79/44488.5289787037.dat
http://23.106.125.39/44488.5289787037.dat

PAYLOAD FILE HASHES
44488.5289787037.dat
7189fce41a70c87129111b811350e6fa

QAKBOT C2s
https://103.148.120.144/t4
https://181.4.53.6:465/t4
https://2.222.167.138/t4
https://31.167.109.100:443/t4
https://42.111.139.96:995/t4
https://81.241.252.59:2078/t4

SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/url/1696598/