Quakbot- 14072022
Qbot
------------------------
Bot ID - obama201
Campaign - 1657815129
Version - 403.780
------------------------
Used Subjects:
thread hijacking attack, all subjects start with RE:
------------------------
Used Senders:
chloe.carter@missioncriticalservices.com
reception@almaanimalhospital.com
kyra.oneill@murraychev.com
rcordova@perfect-home.com.mx
alsadoon@seattleautomotiveinc.com
------------------------
Html hash:
Report Jul 14 71645.html
54688153cd5a861b26da6a8c191aabe01bb5bfd31d1ab1dd848788b40cc3a38c
(all alternative files have the same pattern: "^Report Jul 14 [0-9]{5}\.html$")
------------------------
Delivery archive hash:
Report Jul 14 71645.zip
258fe5a68ff2b39ec791c973553337648b8db8b856f72a31c7a75699cf22da5a
(all alternative files have the same pattern: "^Report Jul 14 [0-9]{5}\.zip$")
------------------------
Iso hash:
Report Jul 14 71645.iso
fa84855beb93702d514210074c8419cb1bd74f5e8cccbc929dbe890c7558be9a
(all alternative files have the same pattern: "^Report Jul 14 [0-9]{5}\.iso$")
------------------------
Payload hash:
Report Jul 14 71645.lnk
87e0b52eff04e28bc5b041592d628a3500b147dd8e2164642b00d4a6602cd45a
(all alternative files have the same pattern: "^Report Jul 14 [0-9]{5}\.lnk$")
7533.dll
9f28ec04f677bb01646176058c6964248406970b83ce63552c56776a8d280a70
WindowsCodecs.dll
8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751
------------------------
behaviour:
- LNK file target:
C:\Windows\System32\cmd.exe /q /c calc.exe
- payload hash:
calc.exe - 80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22 (same as obama200)
- scheduled task:
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 20:33 /tn dvnkwqu /ET 20:44 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANwA1ADMAMwAuAGQAbABsACIA" /SC ONCE
- Powershell command (decoded):
regsvr32.exe C:\Users\Admin\AppData\Local\Temp\7533.dll
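The scheduled-task step above (schtasks running powershell.exe with an -encodedCommand blob that turns out to be a regsvr32 load of a DLL dropped in the user's Temp folder) is the part of this chain a detection rule can catch from process command lines alone. The following Python is an added example, not code from this repository: it decodes the UTF-16LE base64 blob as PowerShell does, flags a SYSTEM-level task creation and a regsvr32 load from AppData\Local\Temp, and matches the lure file-name pattern this report gives. The sample command line is constructed from the report's behaviour section; the regexes and finding names are this example's own assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: the schtasks command line recorded in this report.
# The encoded blob is the one from the report; everything else is verbatim too.
SAMPLE_CMDLINE = (
    r'schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 20:33 /tn dvnkwqu '
    r'/ET 20:44 /tr "powershell.exe -encodedCommand '
    r'cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkA'
    r'bgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANwA1ADMAMwAuAGQA'
    r'bABsACIA" /SC ONCE'
)

# Lure file-name pattern taken from this report (assumed to be the only variant).
LURE_NAME_RE = re.compile(r"^Report Jul 14 [0-9]{5}\.(html|zip|iso|lnk)$")

# Common spellings of PowerShell's -EncodedCommand switch followed by a base64 blob.
ENCODED_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# regsvr32 loading a DLL out of a user's AppData\Local\Temp (assumed indicator).
REGSVR32_TEMP_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+(?:/s\s+)?"?'
    r'([A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\[^"\s]+\.dll)"?',
    re.IGNORECASE,
)

SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.IGNORECASE)
RUN_AS_SYSTEM_RE = re.compile(r'/RU\s+"?NT AUTHORITY\\SYSTEM', re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -encodedCommand payload, or None if absent/undecodable.

    PowerShell expects the blob to be base64 over UTF-16LE text, so both
    steps are applied; malformed input is reported as None rather than raised.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> Tuple[Optional[str], List[str]]:
    """Decode any encoded command and return (decoded, list of finding tags)."""
    findings: List[str] = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
        m = REGSVR32_TEMP_RE.search(decoded)
        if m:
            findings.append("regsvr32_temp_dll:" + m.group(1))
    if SCHTASKS_CREATE_RE.search(cmdline) and RUN_AS_SYSTEM_RE.search(cmdline):
        findings.append("schtasks_as_system")
    return decoded, findings


def is_lure_filename(name: str) -> bool:
    """True if a file name matches the delivery pattern seen in this campaign."""
    return LURE_NAME_RE.match(name) is not None


if __name__ == "__main__":
    decoded, findings = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded :", decoded)
    print("findings:", findings)
    for name in ("Report Jul 14 71645.lnk", "Report Jul 14 7164.lnk"):
        print(name, "->", is_lure_filename(name))
```

Note that the decoded payload carries the DLL path in double quotes, which is why the regsvr32 pattern tolerates an optional quote on either side; a rule that only matches the unquoted form misses the actual task action.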
------------------------
C2:
70.46.220.114:443
179.111.8.52:32101
208.107.221.224:443
176.45.218.138:995
24.158.23.166:995
24.54.48.11:443
89.101.97.139:443
24.55.67.176:443
24.139.72.117:443
120.150.218.241:995
174.69.215.101:443
38.70.253.226:2222
41.228.22.180:443
217.165.157.202:995
172.115.177.204:2222
173.21.10.71:2222
69.14.172.24:443
47.23.89.60:993
104.34.212.7:32103
66.230.104.103:443
81.158.239.251:2078
179.158.105.44:443
189.253.167.141:443
24.178.196.158:2222
174.80.15.101:2083
187.116.126.216:32101
100.38.242.113:995
74.14.5.179:2222
40.134.246.185:995
172.114.160.81:443
72.252.157.93:995
70.51.137.244:2222
82.41.63.217:443
197.89.11.218:443
37.34.253.233:443
67.209.195.198:443
67.165.206.193:993
93.48.80.198:995
111.125.245.116:995
1.161.118.53:443
76.25.142.196:443
148.64.96.100:443
217.128.122.65:2222
32.221.224.140:995
47.180.172.159:443
39.57.56.11:995
186.90.153.162:2222
37.186.58.99:995
86.97.10.37:443
39.44.116.107:995
182.191.92.203:995
86.98.78.118:993
117.248.109.38:21
39.52.44.132:995
1.161.118.53:995
91.75.85.128:1194
121.7.223.45:2222
39.41.90.210:995
46.107.48.202:443
190.252.242.69:443
187.172.31.52:443
72.252.157.93:993
72.252.157.93:990
47.145.130.171:443
63.143.92.99:995
197.92.136.122:443
45.46.53.140:2222
196.203.37.215:80
94.59.138.43:2222
92.132.132.81:2222
39.49.48.167:995
103.246.242.202:443
84.241.8.23:32103
94.59.15.180:2222
89.211.209.234:2222
94.36.193.176:2222
47.156.129.52:443
201.172.20.105:2222
109.12.111.14:443
85.6.232.221:2222
96.37.113.36:993
2.178.120.112:61202
193.136.1.58:443
103.133.11.10:995
120.61.3.142:443
182.52.159.24:443
78.100.219.38:50010
173.174.216.62:443
106.51.48.188:50001
67.69.166.79:2222
45.241.254.69:993
88.240.59.52:443
86.213.75.30:2078
24.43.99.75:443
101.50.67.155:995
108.56.213.219:995
5.32.41.45:443
39.53.139.2:995
80.11.74.81:2222
------------------------
Supporting Evidence:
https://tria.ge/220714-w5yr1sacbn/
https://bazaar.abuse.ch/browse/tag/obama201/