2021-09-24 SquirrelWaffle IOCs
THREAT ATTRIBUTION: SQUIRREL WAFFLE / QAKBOT
SUBJECTS OBSERVED
Subjects are from stolen email threads
SENDERS OBSERVED
ZIP FILE DISTRIBUTION URLS
https://doanalytics.net/architecto-quibusdam/nesciunt.zip
https://eventninjas.ng/quisquam-ex/sunt.zip
https://civilengineeringportal.info/atque-excepturi/molestias.zip
ZIP FILE HASHES
nesciunt.zip
466ae99a5729f2f00cc0109088d8d67b
sunt.zip
f2dacd13ee9eb5ccfd65905c14d36ad3
molestias.zip
1e021d1a69ea7d0f4d5ded4e0e4bd446
MALDOC FILE HASHES
chart-1222591379.xls
875cb506c11586ee78b0b34fa3178d18
chart-1559695834.xls
f6c6d6397d5432ab53cbe23307acb08a
chart-1559444630.xls
10fef60076537a5a5cd969fbae26c862
CONTACTED DOMAINS/PAYLOAD DOWNLOAD DOMAINS
https://finejewels.com.au/w3wU4YqfP/say.html
https://new.americold.com/4Tn6Vu2ML/say.html
PAYLOAD FILE HASHES
test.test
0c099b192deef5fc50b22fceec78b1dd
test2.test
55853f675f55fcd0dfc444fb6a3387c7
SQUIRREL WAFFLE C2 (POST DATA TO)
No Squirrel Waffle C2 traffic was observed
QAKBOT C2 TRAFFIC