2021-11-04-IOCs-for-TR-Qakbot-with-Cobalt-Strike.txt
2021-11-04 (THURSDAY) - TR DISTRIBUTION QAKBOT (QBOT) WITH COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1458109892129173509
CHAIN OF EVENTS:
- malspam --> link --> zip archive --> Excel file --> enable macros --> three DLLs for Qakbot --> Qakbot post-infection traffic --> Cobalt Strike traffic
INITIAL ZIP/EXTRACTED EXCEL SPREADSHEET:
- SHA256 hash: ce1b3d798bfdcd7503d29ff5841039ef7cb3fec51d7dd56cd3344b39a15fd4be
- File size: 57,482 bytes
- File name: autquia-4403601.zip
- File location: hxxp://thepresentcupboard[.]com[.]au/aoptio/charts-297148749.zip
- SHA256 hash: bd445bae74162f8e6b8d8e855b91d292df13fe28f41d08867edb2a8668d8c734
- File size: 112,128 bytes
- File name: index-2009541103.xls
INITIAL QAKBOT DLL FILES:
- SHA256 hash: 43074ef8cd5c2c859b6d21fae25431101872d7f9e79acc9f16f04e7cd64be9b8
- File size: 995,253 bytes
- File location: hxxps://decinfo[.]com[.]br/s4hfZyv7NFEM/y9.html
- File location: C:\Datop\good.good
- Run method: regsvr32 [filename]
- Distribution tag: TR
- SHA256 hash: 080d33d769ff2c3d103174031d146d606bb0cb57a8fffaa18b4818b512e15c46
- File size: 649,249 bytes
- File location: hxxps://imprimija[.]com[.]br/BIt2Zlm3/y5.html
- File location: C:\Datop\good1.good
- Run method: regsvr32 [filename]
- Distribution tag: TR
- SHA256 hash: 0c8d1ba996e389aaf08269b7b9adf4360b86f4a70e8af1c2cbf32c34c7b3e887
- File size: 995,298 bytes
- File location: hxxps://stunningmax[.]com/JR3xNs7W7Wm1/y1.html
- File location: C:\Datop\good2.good
- Run method: regsvr32 [filename]
- Distribution tag: TR
PERSISTENT QAKBOT DLL FILE:
- SHA256 hash: 4ae2caea3ebe8e5891ad21cf1a8efab399cfcbe2cec21248fb4914f0329b9416
- File size: 1,071,616 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Ejuio\cmmgurwtmo.dll
- Run method: regsvr32.exe -s [filename]
- Distribution tag: notset
INITIAL URLS FOR ZIP DOWNLOAD:
- 103.20.200[.]193 port 80 - hxxp://thepresentcupboard[.]com[.]au/aoptio/autquia-4403601
- 103.20.200[.]193 port 80 - hxxp://thepresentcupboard[.]com[.]au/aoptio/charts-297148749.zip
URLS GENERATED BY EXCEL MACRO FOR QAKBOT DLL FILES:
- 108.179.193[.]34 port 443 - hxxps://decinfo[.]com[.]br/s4hfZyv7NFEM/y9.html
- 108.179.192[.]18 port 443 - hxxps://imprimija[.]com[.]br/BIt2Zlm3/y5.html
- 23.111.163[.]242 port 443 - hxxps://stunningmax[.]com/JR3xNs7W7Wm1/y1.html
QAKBOT POST-INFECTION TRAFFIC:
- 70.93.80[.]154 port 443 - attempted tcp connections
- 75.66.88[.]33 port 443 - HTTPS traffic
COBALT STRIKE TRAFFIC:
- 45.141.87[.]3 port 443 - HTTPS traffic
- 45.141.87[.]3 port 443 - decidedsecuritybusiness[.]com - HTTPS traffic
- 23.83.133[.]202 port 443 - xarovaw[.]com - HTTPS traffic
- 212.114.52[.]207 port 443 - dixeku[.]com - HTTPS traffic