Created 2020-09-28-IOCs-for-Qakbot-activity.txt

PaloAltoNetworks · Aug 29, 2023 · e26d86c · e26d86c
1 parent e4709c4
commit e26d86c
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/2020-09-28-IOCs-for-Qakbot-activity.txt b/2020-09-28-IOCs-for-Qakbot-activity.txt
@@ -0,0 +1,71 @@
+2020-09-28 (MONDAY) XLS SPREADSHEETS WITH MACROS FOR QAKBOT
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1311052900882411536
+
+32 EXAMPLES OF SPREADSHEETS WITH MACROS FOR QAKBOT:
+
+- a05f104379b362a6a86170297749659c02d78c776a94e5cdb81e235203a4abf9  1331266036.xls
+- 8e0bef38e9fc4deffca816af591c114adb40149f308ca118f2d948e1a5ef4f25  1890045466.xls
+- f355eb0f2f613886df3bf7268f80f7690f4f7a3eaec043ac8732748b496168fd  1983509857.xls
+- e7892204068276a9339655dd252f3f1cb5819fe939bec6124193017b1d36ce9d  2601930534.xls
+- 10431ebb8514257c75e00e1d428e018a39e67c0c34dfbc0b320bd2bacef33f3a  2860574987.xls
+- 6d4ea2569fa09f6d9d64286668f41742029536b00f29dd8916f5043e4572a7c6  31536188242.xls
+- 83016b48397789f5215cffc5c1cc223846736ce2d795fb14bc1f3f7b87af0fa1  31996992331.xls
+- 2582f28c02b7aa7f23c3769e21292a5ea40249694acac347b9d3bf1462352a5a  3725084195.xls
+- a066c127cb82adb3964d27dd7525e64934ea57f802a6c1bb2d8cc7e056b7b180  3921117281.xls
+- d7e679017bae3d7ab05e80e406bb6ff06a3e46ba3078d007ae70065ec43d74f5  41267919185.xls
+- 04a6ee2063d0b4a6de76579d270fd58315208fab6cb1d1c6deeca3fab4f718e4  41889832605.xls
+- 1eb9920cccf0fff726a8ebd7344e1865cfffe3c99266b875d66cc2925a60a92a  Document-1164079473.xls
+- 664f4ab87eca073fe888f387f5a52f4f16c4283bd11505141dcd4a2b3f64c535  Document-1259872821.xls
+- b482fdc10e853fa08aca9304d2d3e2b8ef84541fecafb02a48a799f9d4cd9d36  Document-1294049503.xls
+- 977e4c0822bcae6d4ca37c8ea1f2dd5347d02f6a09309a26316417a92a1db894  Document-1332069614.xls
+- 701b36a63fa76c353d4e6425af52dc5e3872d44813c447ded8f6ea58a2f877fb  Document-1387774848.xls
+- 7d242b8c6f41717c953526495b1f702849846c56338c179fbb78df07ba498674  Document-1620206849.xls
+- ec4ea1d549b7402deb97b29a5b3326d44993a9c5adee63ff4975819c6ccd6b9a  Document-1666863422.xls
+- a90d64ff62e514acf92101034dde3f8e9a92a767efc34be2b5678380384daa21  Document-1795843336.xls
+- d4686f63adae1aa98f978db75adccc91e3eb30b2e3bb2d54f5ef1bec51f7fee4  Document-185004907.xls
+- 85a1db0ffba3fc8b753002fac199d790b430892ca3165b5b906faa870e3f55b3  Document-1936116087.xls
+- 6e8d0c4d192be8126d023e06e646683a9d754cdf2018ba0c79785530e2fec6c5  Document-1972551506.xls
+- bd8152527444a50f31db7697100fb97a5d44e40288275f293947b13259ca7b81  Document-2007049316.xls
+- 489f54798c12257c22af3b8107322df50ecd7c0540397e3df557c270f40e3028  Document-2020491689.xls
+- 75f3b48f942eca9006473b9581943181ab8b320c5991160b4c6882112f30b1bf  Document-360547067.xls
+- ce4c65f246e06beab38b74be1e7fbff936f74b37559525f41a60471658cdf6c4  Document-399394560.xls
+- 11bc50af49acfd081f56f7b0702e1793cad368b49574aa93d3ad39668109a9a9  Document-423180495.xls
+- 805b5c0354456cd90e1ff4aed2efc1f3e760216fb990e14685ffacbd24ad4edd  Document-652260790.xls
+- 2e1004bead368d06e82fa6bddb98ec4a0d5d2bf190e547e02ba629aba2e7735d  Document-749864098.xls
+- 0d14c1121400b163843ee8b1904bd4b065151540e54f171b3fe7a0a35198d749  Document-822504258.xls
+- cd8ad573fb6bee6e44a08c5b9bc6cbb3669153fc613043a12b6bbaaa7bb311e7  Document-832784617.xls
+- f2fb9e8d57be17edac4b1e71cb6b0eb553b77d97c1121dbfbed52a5df4ccc53e  Document-881026617.xls
+
+URLS GENERATED BY XLS MACROS TO RETRIEVE QAKBOT EXE:
+
+- hxxp://condochicks[.]com/ynwnx/222222.png
+- hxxp://ideskonline[.]com/vzpcwa/222222.png
+- hxxp://matterandhome[.]com/twtao/222222.png
+- hxxp://pramars[.]xyz/psswhqxs/222222.png
+
+- hxxps://exploshot[.]com/24.gif
+- hxxp://foundation.shanto-mariamfoundation[.]org/24.gif
+- hxxp://mahathi2.ondemandcreative[.]com/24.gif
+- hxxp://staging.stikbot[.]toys/24.gif
+
+16 EXAMPLES OF SHA256 HASHES FOR QAKBOT EXE:
+
+- 209899f6aee8d225c836bfec12336cdc14a31d5ae833b042203ac1cb1d863937
+- 24a766d198d5d3947b96bc736bdf89470477071bf2faf4e9b26ad5c92c407f4b
+- 2f9dd14eb2884a06aa2d0d8f071d5b49460a2b0c790dbf19994e281d2ea9d6b2
+- 464ce8619b8be7a6a724ac23777ecaf20be27686bd02ed7e9b4585c30d5e7d8d
+- 559767a95d3e72167ff0fe0efbae44f009877ad98fbaf03f50cce0369aad9d27
+- 5d538baadbd8a22f4d697c4598725f45a2fb032fa70891d8d03be4de905fe732
+- 5f26a176bf32ae9899089afc111edc42e175ec391e1f59c3f4340efda96174b7
+- 7a36691e0d6e2c9fadfd858c43bdb69b92e902830244526682e27098933633d7
+- 7e6d0713f152941a1c09c46d02f1a7692f0654e675eccf54203fb38167b8a194
+- 8f4481d551b6a29a1db38421b9b3d5f869f44cb0d5a6288d14118870b710438f
+- 9439095348654b59f46d31daef0765884e282205d96e63df8f462675b0b04d79
+- a311635084a2cf59ca51527cf308ab352ae75ca35c673062855882d11e6b95f1
+- cc520b6370f031e04970b527d7fcb85692e6882e2548787cb39281c0dc7cee47
+- d705b4cfd6e8b2c77fc358d1b5ff2cf34e26876743a69b38015a4484c73fad45
+- e3bb14251e5117e697d995db97ecc456c4dbdaf4f4e6187bbb33929135a362ab
+- fb06ebc9ddde4c52a9264c9097529658d80d280d2cc19fc7ed8c9f6a0bd69bb8