Qakbot_BB04_27.10.2022.txt

27.10.2022 | Qakbot | BB04 | Campaign 1666863975 | Version 404.2

*************************************************

.url https://thefoxsinn.net/eiv/itsJustMagic
.zip 5c6b6e4585e5fec1a4fdbfb3c225aa9dbdc229c6dc56d4408f1842efb17b1918  - PG1
.iso 3bebd76eb6378332f99abc21e1969f57ff212095581ec4db71f7025cb0a61688
.dll e248f7a1cbd369a2111834664fa805b489c8610e0d9b7fa506c3a1fc882dd331

*************************************************

Code Signing Certificate

Organisation:  RIWQRMKSGCVXTNIIYV
Issuer:  RIWQRMKSGCVXTNIIYV
Algorithm:  sha1WithRSA
Valid from: 2022-10-25T05:18:50Z
Valid to:   2039-12-31T23:59:59Z
Serial number:  028b4a1fe90aa2994ef5c1cf9facb19d
Thumbprint Algorithm:   SHA256
Thumbprint:  c1ad7096af626d9d952cae71c64e215e6db6b201f2a85b1b1d97abb09a77b844
Source:  This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

*************************************************

lnk content:

C:\Windows\System32\cmd.exe /c gropes\aries.cmd vr 32. exe

>> Tracker database block
   Machine ID:  desktop-32db5f9
   MAC Address: e0:d4:e8:7c:13:74
   MAC Vendor:  (Unknown vendor)
   Creation:    2022-10-05 14:33:26

   Volume Droid:       cf15fa5c-89d3-4bdf-844b-9fb891604f9a
   Volume Droid Birth: cf15fa5c-89d3-4bdf-844b-9fb891604f9a
   File Droid:         ac9ceaf9-44ba-11ed-a8be-e0d4e87c1374
   File Droid birth:   ac9ceaf9-44ba-11ed-a8be-e0d4e87c1374

*************************************************

cmd /c C:\Users\Admin\AppData\Local\Temp\Details.lnk

cmd.exe" /c gropes\aries.cmd vr 32. exe

regsvr32.exe gropes\cueing.dat

replace.exe  C:\Windows\\system32\\regsvr32.exe C:\Users\Admin\AppData\Local\Temp /A

regsvr32.exe gropes\cueing.dat

wermgr.exe

*************************************************

c2's

27.110.134.202:995
156.220.47.67:993
142.115.84.88:2222
156.216.134.70:995
58.247.115.126:995
24.9.220.167:443
24.116.45.121:443
186.188.80.134:443
190.199.101.37:2222
24.206.27.39:443
181.164.194.228:443
105.96.198.88:443
112.141.184.246:995
64.207.237.118:443
118.200.83.226:443
149.126.159.224:443
181.118.183.124:443
144.202.15.58:443
172.117.139.142:995
200.233.108.153:995
109.136.174.200:995
193.3.19.137:443
201.68.209.47:32101
45.48.36.226:2087
45.35.97.45:443
167.58.254.85:443
41.96.102.114:443
41.200.117.82:443
188.49.56.189:443
102.159.110.79:995
117.254.35.107:443
14.227.159.197:443
201.223.169.238:32100
181.141.3.126:443
70.187.0.87:2078
190.74.248.136:443
190.199.97.108:993
190.24.45.24:995
190.37.174.11:2222
45.230.169.132:995
68.62.199.70:443
190.18.236.175:443
201.210.92.3:2222
186.154.189.162:995
97.118.223.249:443
105.157.133.175:443
151.213.183.141:995
45.49.137.80:443
70.51.139.148:2222
64.123.103.123:443
152.170.17.136:443
172.112.37.112:2222
181.56.171.3:995
187.135.132.84:443
109.133.67.116:995
102.159.236.29:443
41.97.169.44:443
186.93.152.82:2222
70.60.142.214:2222
45.230.169.132:995
206.1.183.242:443
75.84.234.68:443
186.48.161.130:995
72.88.245.71:443
27.109.19.90:2078
186.188.96.197:443
45.230.169.132:993
78.179.135.247:443
197.244.36.215:443
191.33.187.192:2222
41.100.163.127:443
220.134.54.185:2222
66.170.93.10:443
83.244.63.21:443
154.237.240.209:995
41.47.249.185:443
154.181.228.27:995
175.205.2.54:443
216.131.22.236:995
206.1.251.6:443
201.249.100.208:995
190.33.241.216:443
198.2.51.242:993
90.165.109.4:2222
71.199.168.185:443
41.103.27.50:443
24.207.97.117:443
105.157.86.118:443
47.14.229.4:443
142.181.183.42:2222
41.97.205.96:443
186.18.210.16:443
41.98.248.133:443
160.176.151.70:995
98.207.190.55:443
196.65.217.253:995
78.50.124.220:443
91.171.72.214:32100
101.109.44.197:995
97.92.4.205:8443
70.115.104.126:443
181.44.34.172:443
88.240.75.201:443
24.130.228.100:443
41.109.228.108:995
24.177.111.153:443
60.54.65.27:443
189.129.38.158:2222
222.117.141.133:443
105.108.223.181:443
41.104.155.245:443
65.140.11.170:443
184.159.76.47:443
105.98.223.169:443
197.0.225.39:443
105.155.151.29:995
196.207.146.151:443
190.37.112.223:2222
14.54.83.15:443
93.156.96.171:443