forked from executemalware/Malware-IOCs
2021-11-01 Qakbot Campaign 2 IOCs
THREAT IDENTIFICATION: QAKBOT
ANALYST NOTES
I also found additional Qakbot emails from a separate campaign today.
These emails are also using stolen email threads.
A .zip file is attached to each email and each .zip file contains an .xls file.
The .xls file theme for this campaign is a white, black and blue Docusign theme.
The spreadsheet reads: "This document encrypted by DocuSign Protect Service".
In this case, the emails have a .zip file attachment which contains an .xls file.
Today, however, I was unable to get a payload.
SUBJECTS OBSERVED
All of the subjects were from stolen email threads.
SENDERS OBSERVED
ZIP FILE ATTACHMENT HASHES
CMPL-1350280706-Nov-01.zip
ac766727e813d33c495d2bec20303474
CMPL-1988482936-Nov-01.zip
d3bc4a220ef744b9abcc8b5fb643022e
CMPL-2091226883-Nov-01.zip
f2920553f8d7dd8602dbef836c7735aa
CMPL-207238559-Nov-01.zip
90fea123b4dac32519f05fe41253fff0
EXCEL FILE HASHES
CMPL-1988482936-Nov-01.xls
472fac24bc88d789ca7580da80112f4e
CMPL-207238559-Nov-01.xls
4fc07e7009e3e31abdfb2de2a9d7e20d
CMPL-2091226883-Nov-01.xls
50c8b62fc3f229ab54fa925a649bab07
CMPL-1350280706-Nov-01.xls
d37b0317b980008a81ba27dd3d35e39d
PAYLOAD DOWNLOAD URLS
http://111.90.150.195/44501.731121412.dat
http://185.106.120.116/44501.731121412.dat
http://51.89.115.115/44501.731121412.dat
PAYLOAD FILE HASHES
I was not able to download a payload.
QAKBOT C2s
I was not able to download a payload.
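The list above is laid out as all-caps section headings followed by alternating filename / MD5 lines (or one URL per line). The following is an added example, not part of the original IOC report or of the Malware-IOCs repository, that parses that layout into structured indicators so the hashes can be fed into a lookup and the download hosts into a blocklist. The heading pattern, the section names it expects and the helper names are this example's own assumptions about the format; the indicator values are the ones listed on the page.

```python
"""Parse a plain-text IOC report in the layout used on this page into
structured indicators (added example; the layout rules are assumptions)."""
import re
from urllib.parse import urlparse

# The hash and URL sections of the report, copied from the page so the
# example runs offline.
REPORT = """\
ZIP FILE ATTACHMENT HASHES
CMPL-1350280706-Nov-01.zip
ac766727e813d33c495d2bec20303474
CMPL-1988482936-Nov-01.zip
d3bc4a220ef744b9abcc8b5fb643022e
CMPL-2091226883-Nov-01.zip
f2920553f8d7dd8602dbef836c7735aa
CMPL-207238559-Nov-01.zip
90fea123b4dac32519f05fe41253fff0
EXCEL FILE HASHES
CMPL-1988482936-Nov-01.xls
472fac24bc88d789ca7580da80112f4e
CMPL-207238559-Nov-01.xls
4fc07e7009e3e31abdfb2de2a9d7e20d
CMPL-2091226883-Nov-01.xls
50c8b62fc3f229ab54fa925a649bab07
CMPL-1350280706-Nov-01.xls
d37b0317b980008a81ba27dd3d35e39d
PAYLOAD DOWNLOAD URLS
http://111.90.150.195/44501.731121412.dat
http://185.106.120.116/44501.731121412.dat
http://51.89.115.115/44501.731121412.dat
PAYLOAD FILE HASHES
I was not able to download a payload.
QAKBOT C2s
I was not able to download a payload.
"""

# Assumed layout: a heading is an all-caps line (digits, spaces, ':' and a
# trailing plural 's' as in "QAKBOT C2s" allowed); hashes are 32 hex chars.
HEADING_RE = re.compile(r"^[A-Z][A-Z0-9 :]*[A-Z0-9s]$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
URL_RE = re.compile(r"^https?://\S+$")


def parse_report(text):
    """Split the report into {heading: [lines under that heading]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADING_RE.match(line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def pair_hashes(lines):
    """Turn alternating filename / MD5 lines into {md5: filename}.
    A section that holds only a free-text note (no hash follows the line)
    yields an empty dict instead of a bogus indicator."""
    out, pending = {}, None
    for line in lines:
        if MD5_RE.match(line):
            if pending is None:
                raise ValueError(f"hash without a preceding filename: {line}")
            out[line] = pending
            pending = None
        else:
            pending = line
    return out


def extract_indicators(text):
    """Return hash maps per artifact type plus download URLs and their hosts."""
    s = parse_report(text)
    urls = [l for l in s.get("PAYLOAD DOWNLOAD URLS", []) if URL_RE.match(l)]
    return {
        "zip": pair_hashes(s.get("ZIP FILE ATTACHMENT HASHES", [])),
        "xls": pair_hashes(s.get("EXCEL FILE HASHES", [])),
        "payload": pair_hashes(s.get("PAYLOAD FILE HASHES", [])),
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        # Distinct URL paths: here one path is served from every host, which
        # is the kind of repeated string a proxy-log search can key on.
        "paths": sorted({urlparse(u).path for u in urls}),
    }


def match_hash(indicators, md5):
    """Look up an MD5 (any case) and return (artifact type, filename) or None."""
    md5 = md5.strip().lower()
    for kind in ("zip", "xls", "payload"):
        if md5 in indicators[kind]:
            return kind, indicators[kind][md5]
    return None


if __name__ == "__main__":
    ind = extract_indicators(REPORT)
    print("block hosts:", ind["hosts"])
    print("lookup:", match_hash(ind, "472FAC24BC88D789CA7580DA80112F4E"))
```

The `pair_hashes` helper deliberately tolerates the "I was not able to download a payload." note under PAYLOAD FILE HASHES and QAKBOT C2s, returning no indicators for those sections rather than treating the sentence as a filename.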