2021-11-01 Qakbot Campaign 1 IOCs
THREAT IDENTIFICATION: QAKBOT
ANALYST NOTES
This is from the first of 2 Qakbot campaigns that I saw today.
The email continues to use stolen email threads.
Instead of having a .zip file attachment, the email just refers to a couple of URLs.
These URLs are just text-based (no hyperlinks) and contain Latin folder names.
Visiting the URLs will download a .zip file that contains an .xls file.
All of these maldoc filenames begin with "chat-" + a 9 digit string starting with the number 4.
The .xls file theme is green and white and it reads: "This document protected by Microsoft Office".
The author on all .xls files is: Админ.
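A triage filter for the lure pattern the notes above describe, added here as an example and not part of the original IOC file. It inspects a downloaded .zip for a member named "chat-" plus a 9-digit string starting with 4 and ending in .xls; the sample archive is constructed in memory so the script runs offline (the function and sample names are assumptions, not from the page).

```python
"""Triage filter for the Qakbot .zip lure described in the analyst notes.

Added example, not part of the original IOC file. Flags archive members whose
name matches "chat-" + 9 digits (first digit 4) + ".xls". The sample archive
is constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# "chat-" + 9 digits with a leading 4, .xls extension (pattern from the notes)
LURE_NAME = re.compile(r"^chat-4\d{8}\.xls$", re.IGNORECASE)


def lure_members(zip_bytes: bytes) -> list[str]:
    """Return member names in zip_bytes that match the lure naming pattern.

    Only the basename is matched, so a directory prefix inside the archive
    does not hide a match. A malformed archive yields an empty list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if LURE_NAME.match(n.rsplit("/", 1)[-1])]


def build_sample_zip(member_names: list[str]) -> bytes:
    """Constructed test input: an archive holding empty files of the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample modelled on the campaign: a zip holding chat-4xxxxxxxx.xls
    sample = build_sample_zip(["chat-412345678.xls", "readme.txt"])
    print(lure_members(sample))  # ['chat-412345678.xls']
```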
SUBJECTS OBSERVED
All subjects were from stolen email threads.
SENDERS OBSERVED
ZIP FILE REDIRECT URLS
ZIP FILE DOWNLOAD URLS
ZIP FILE HASHES
EXCEL FILE HASHES
PAYLOAD DOWNLOAD URLS
https://houstonmarinediesel.com/riFcZvXl/n.html
https://arboretum-abracaral.com.ar/Ipubi8Fcp5V/n.html
https://ritelteamindonesia.co.id/basdS1syf/n.html
PAYLOAD FILE HASHES
QAKBOT C2s
OTHER OBSERVED TLS TRAFFIC (LIKELY BUT NOT CERTAIN C2s)