@TheMuntu
Last active May 23, 2023 10:03
Multiple Malware IOCs and Artifacts collection
72.197.253.239 | United States | seiauoalth.info
63.140.106.181 | United States | apeiome.mobi
63.140.106.183 | United States | apeiome.mobi
41.97.23.103 | Algeria | arinu.biz
122.184.143.86 | India | aotineabvut.biz
173.22.114.208 | United States | ghnxsrb.org
70.118.31.26 | United States | aiea.mobi
144.202.15.58 | United States | hayvygpxclb.mobi
173.88.135.179 | United States | axajn.info
65.190.242.244 | United States | jkjea.info
66.230.104.103 | United States | apeiome.mobi
207.107.71.54 | Canada | rjnwxeutz.com
47.199.241.39 | United States | awkec.org
207.107.71.48 | Canada | rjnwxeutz.com
72.188.103.221 | United States | ntax.mobi
72.134.124.16 | United States | xtqtaqyi.net
70.46.220.114 | United States | totieclge.org
184.153.132.82 | United States | yjyenqafs.us
76.16.49.134 | United States | zoolret.mobi
73.41.215.237 | United States | maoaretv.net
70.112.206.5 | United States | uewasoiewh.mobi
157.119.85.203 | India | befjoliwxz.mobi
63.140.106.180 | United States | apeiome.mobi
207.107.71.51 | Canada | yfgozyu.mobi
41.228.22.180 | Tunisia | oejciku.info
207.107.71.50 | Canada | yfgozyu.mobi
184.182.66.109 | United States | eaohoug.info
70.28.50.223 | Canada | yqadkcf.org
67.219.197.94 | United States | jirtehtie.info
89.101.97.139 | Ireland | ptnrumh.org
70.160.67.203 | United States | vtmyfu.info
98.145.23.67 | United States | oysgtfoeiej.biz
70.64.77.115 | Canada | escmcz.us
99.230.89.236 | Canada | maibeuguc.com
148.64.96.100 | United States | evaq.org
75.98.154.19 | United States | deoltctat.us
172.114.160.81 | United States | elbi.info
50.68.186.195 | Canada | wetpalyspo.org
88.249.231.161 | Turkey | aezaj.com
80.6.50.34 | United Kingdom | etatd.info
213.91.235.146 | Bulgaria | cfbivshk.com
73.22.121.210 | United States | wayabrigai.us
75.109.111.89 | United States | vkbkayf.mobi
197.1.253.66 | Tunisia | rouheure.org
47.21.51.138 | United States | tqhiaey.net
23.30.173.133 | United States | jegadaqeydn.us
115.3.201.101 | Korea, Republic of | jwzdhemzdot.biz
92.188.241.102 | France | unpcnbyuois.info
162.248.14.107 | United States | nekt.com
108.61.159.44 | United States | wemkiepw.net
211.248.50.162 | Korea, Republic of | jwzdhemzdot.biz
76.86.31.59 | United States | hetiaxuozbo.mobi
58.186.75.42 | Viet Nam | clfqnok.com
174.4.89.3 | Canada | avbxl.us
122.186.210.254 | India | tdowvt.biz
72.205.104.134 | United States | xaigmbjimp.info
183.82.107.190 | India | oeacote.org
84.108.200.161 | Israel | opnika.org
75.99.168.194 | United States | hoveohntx.biz
151.21.133.82 | Italy | tbnzi.biz
190.141.193.170 | Panama | trjyiouilhc.us
50.68.204.71 | Canada | peitqtciwo.com
27.0.48.233 | India | oeovb.info
102.157.31.224 | Tunisia | shoflmsoiws.info
102.159.148.198 | Tunisia | goreoti.info
102.159.164.122 | Tunisia | shoflmsoiws.info
38.2.18.164 | United States | akpaiy.info
70.28.50.223 | Canada | axaitoqo.net
173.18.122.24 | United States | jameft.org
104.35.24.154 | United States | toxupoi.biz
63.140.106.182 | United States | apeiome.mobi
47.34.30.133 | United States | ecxibjyllat.org
24.139.11.137 | Canada | areomikc.info
144.64.226.144 | Portugal | syfeyrswn.us
183.87.163.165 | India | epooohruieo.us
68.229.150.95 | United States | ezspcoa.com
2.82.8.80 | Portugal | pujalhdekd.com
179.158.101.198 | Brazil | ltwgirv.biz
125.99.76.102 | India | aiueuebdep.org
47.205.25.170 | United States | preg.biz
172.248.42.122 | United States | heivr.com
174.69.215.101 | United States | dipbi.info
68.109.240.71 | United States | kxce.biz
136.35.241.159 | United States | tnodk.com
75.143.236.149 | United States | obajfyeera.org
108.190.115.159 | United States | ientoztz.com
71.74.12.34 | United States | nsnvadcskwj.biz
69.242.31.249 | United States | aouzguwmnu.com
69.133.162.35 | United States | bkehavtkr.com
75.115.14.189 | United States | imifeikekt.biz
76.185.132.46 | United States | oioj.org
116.75.63.128 | India | nozme.info
66.181.164.43 | Mongolia | ylzen.org
94.5.98.77 | United Kingdom | tfhwyiakz.mobi
151.62.97.204 | Italy | nltapwej.net
12.172.173.82 | United States | tjasdrn.mobi
68.68.170.218 | United States | kblnfxjf.mobi
147.219.4.194 | United States | uaqoaoza.com
174.118.63.123 | Canada | ezmc.org
94.63.65.146 | Portugal | fourtpoapx.biz
183.87.192.196 | India | oomedtoei.biz
115.241.215.16 | India | yzagzidoano.us
179.158.103.236 | Brazil | atwazlg.biz
24.150.188.234 | Canada | cnade.com
77.126.185.173 | Israel | esogmia.biz
98.37.25.99 | United States | iamfeqtonf.net
70.160.80.210 | United States | uotonac.mobi
47.132.248.132 | United States | iqecqryotwz.org
64.121.161.102 | United States | epwa.info
43.243.215.210 | India | gadth.mobi
77.86.98.236 | United Kingdom | fski.info
197.0.39.204 | Tunisia | fumwamit.biz
193.201.9.154 | Russian Federation | zjia.biz
74.66.134.24 | United States | favze.com
151.65.213.208 | Italy | ueazktzxinr.info
71.171.83.69 | United States | eqjc.org
23.30.22.225 | United States | ngtaoewju.biz
## OneNote_Payload_Deliveries
https://energizett.com/1llNOC1/300123.gif
http://49.50.84.121/33896.dat
http://141.164.35.94/27863.dat
http://139.99.117.17/49860.dat
http://91.235.234.97/77589.dat
http://49.50.84.121/56348.dat
http://95.179.215.225/13139.dat
https://plasticsurgerydubaiuae.com/43wxl/OI.png
https://myvigyan.com/m1YPt/300123.gif
https://preproddemo.com/CS40KM/d.gif
https://rmbonlineshop.com/VV71d8/300123.gif
http://49.50.84.121/19371.dat
https://unitedmedicalspecialties.com/T1Gpp/OI.png
http://185.104.195.95/76676.dat
http://185.104.195.95/87350.dat
http://77.75.230.128/17932.dat
http://141.164.35.94/82255.dat
http://141.164.35.94/67262.dat
http://49.50.84.121/17618.dat
http://95.179.215.225/66486.dat
https://codezian.com/Nt57/300123.gif
http://95.179.215.225/30077.dat
http://141.164.35.94/59649.dat
http://49.50.84.121/24267.dat
http://91.234.254.213/78585.dat
http://95.179.215.225/74483.dat
http://141.164.35.94/60892.dat
http://139.99.117.17/37381.dat
http://49.50.84.121/19342.dat
http://91.234.254.213/74334.dat
http://185.104.195.95/84216.dat
http://49.50.84.121/67639.dat
http://185.104.195.95/64557.dat
http://45.155.37.124/44408.dat
http://141.164.35.94/55199.dat
http://139.99.117.17/15674.dat
http://103.214.71.45/55528.dat
http://139.99.117.17/70039.dat
http://185.104.195.95/81895.dat
https://fcs-courier.com/ntDAqGR/OI.png
http://185.104.195.95/53762.dat
http://139.99.117.17/79875.dat
http://139.99.117.17/24856.dat
http://141.164.35.94/60934.dat
http://95.179.215.225/80352.dat
https://ezintern.com/QdQjTTR/OI.png
http://49.50.84.121/57885.dat
http://139.99.117.17/52809.dat
http://95.179.215.225/31227.dat
http://141.164.35.94/14711.dat
http://139.99.117.17/20830.dat
http://103.214.71.45/14703.dat
http://103.214.71.45/47993.dat
http://91.235.234.97/59105.dat
http://91.235.234.97/64460.dat
http://77.75.230.128/42095.dat
http://95.179.215.225/79114.dat
http://141.164.35.94/50074.dat
http://185.104.195.95/17117.dat
http://103.214.71.45/19680.dat
http://185.104.195.95/32752.dat
http://185.104.195.95/55035.dat
http://91.235.234.97/55909.dat
http://49.50.84.121/81082.dat
http://77.75.230.128/45702.dat
http://91.235.234.97/43975.dat
http://45.77.63.210/760433.dat
http://85.239.41.55/703558.dat
http://45.155.37.170/300332.dat
http://174.139.150.45/653219.dat
http://98.142.254.89/452845.dat
http://5.42.221.116/197928.dat
http://146.59.43.159/780683.dat
http://87.236.146.155/553145.dat
http://216.120.201.100/60852.dat
http://213.169.148.78/83327.dat
http://154.7.253.191/72363.dat
http://216.146.25.57/11747.dat
http://45.86.231.23/39222.dat
http://87.236.146.31/38199.dat
http://5.42.221.117/41067.dat
http://185.231.204.245/73175.dat
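The two list formats above (`IP | Country | domain` lines and bare payload-delivery URLs) are only useful once they are loaded into something that checks logs. The following is an added example, not code from this gist, showing one way to parse both formats into indicator sets and sweep proxy/DNS log lines for them. The indicator subset is copied from the lists above; the log lines, field names and timestamps are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator lines copied from this gist's two list formats
# ("IP | Country | domain" and bare payload URLs). In practice feed the
# whole collection above in; this subset keeps the example short.
IOC_TEXT = """\
72.197.253.239 | United States | seiauoalth.info
63.140.106.181 | United States | apeiome.mobi
207.107.71.54 | Canada | rjnwxeutz.com
https://energizett.com/1llNOC1/300123.gif
http://49.50.84.121/33896.dat
http://185.20.186.53/08368248.txt
https://stronghoodserver.xyz/fb/attach.txt
"""

# Constructed proxy/DNS log lines for illustration (not real traffic).
LOG_LINES = [
    "2023-01-30T10:01:02Z proxy client=10.0.0.5 dst=63.140.106.181 host=apeiome.mobi action=allow",
    "2023-01-30T10:02:17Z dns query=mail.example.com answer=93.184.216.34",
    '2023-01-30T10:03:40Z proxy client=10.0.0.9 url=http://49.50.84.121/33896.dat ua="Microsoft Office"',
    "2023-01-30T10:04:05Z dns query=www.rjnwxeutz.com answer=207.107.71.54",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def parse_iocs(text):
    """Split the gist's lines into (ips, domains, urls) sets.

    "IP | Country | domain" lines contribute an IP and a domain; URL lines
    contribute the full URL plus their host, filed as an IP or a domain.
    """
    ips, domains, urls = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "|" in line:
            ip, _country, domain = (p.strip() for p in line.split("|", 2))
            ips.add(ip)
            domains.add(domain.lower())
        elif line.startswith(("http://", "https://")):
            urls.add(line)
            host = (urlsplit(line).hostname or "").lower()
            try:
                ips.add(str(ipaddress.ip_address(host)))
            except ValueError:
                if host:
                    domains.add(host)
    return ips, domains, urls


def scan_log(log_lines, iocs):
    """Return [(line_no, [(kind, value), ...])] for lines touching an IOC.

    Domains match exactly or as a parent of the observed host, so
    www.rjnwxeutz.com is caught by the rjnwxeutz.com indicator.
    """
    ips, domains, urls = iocs
    hits = []
    for n, line in enumerate(log_lines, 1):
        matched = set()
        for url in URL_RE.findall(line):
            if url in urls:
                matched.add(("url", url))
        for ip in IP_RE.findall(line):
            if ip in ips:
                matched.add(("ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in domains or any(host.endswith("." + d) for d in domains):
                matched.add(("domain", host))
        if matched:
            hits.append((n, sorted(matched)))
    return hits


if __name__ == "__main__":
    for line_no, matches in scan_log(LOG_LINES, parse_iocs(IOC_TEXT)):
        print(line_no, matches)
```

Hosts observed in a URL line are matched both as the full URL and as an IP or domain, so a later request to a different path on the same server still fires; the parent-domain check is deliberate, since several indicators above share an apex (for example the four `apeiome.mobi` entries).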
## Panchan Botnet IOC 17/10/2022
### Main malware:
00411a05a7374d64ce8be4ef85999c1434d867cd8db46c38cd03f76072c91460
b9e643a8e78d2ce745fbe73eb505c8a0cc49842803077809b2267817979d10b0
### Extracted crypto miners:
a819b4a95f386ae3bd8f0edc64e8e10fae0c21c9ae713b73dfc64033e5a845a1
6f445252494a0908ab51d526e09134cebc33a199384771acd58c4a87f1ffc063
### Embedded public key:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwaZwxk7A5U7cejo/8STO\x0a6TjEArLaG+EXhWQxjg2jwgtmNfYTOHg5Ss9e3vHdZCTEo/OIdJQC6If7POa+NbbR\x0a9HkagE0ZYjTXTWNP0PgUxEmcboYkO38fxMpI7Gp+331xzaYT4VY8t5Ko01lvkIoV\x0amxjDKJhSiUbCnFkz76qbjZHpLa0hcpXgO1sXx1IciwaVqlLpzncbmK7Ok3ymS3Ee\x0aG3KWQ/NEm4x8yHx07NI6b/cV/z5YOja9jul7POK8Owo17HuFIhfICgFk8Goc1VnM\x0aiypx91Thqz7IWaF5fTFdBp+0p/cUajcA6vDd3TM0FDzT4HafWppjsofOSoLvTwnq\x0aCwIDAQAB
## RapperBot IOCs 17/10/2022
### Sample Hashes:
### C2 servers:
185.225.73.196:443
2.58.149.116:9999
31.44.185.235
194.31.98.244
### SSH public key:
### Root user:
/etc/passwd suhelper:x:0:0::/:
/etc/shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::
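The `suhelper` entries above are a second UID-0 account with a fixed MD5-crypt password hash, which is easy to check for on a fleet. The following is an added example, not code from this gist or from any RapperBot write-up, that audits `/etc/passwd` for UID-0 accounts other than root and `/etc/shadow` for the listed hash (and for legacy `$1$` hashes in general). The passwd and shadow contents are constructed for illustration apart from the two `suhelper` lines, which are the ones listed above.

```python
# Constructed /etc/passwd and /etc/shadow contents for illustration. The
# two suhelper lines are the RapperBot artefacts listed in this gist; the
# remaining accounts are ordinary placeholders.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
suhelper:x:0:0::/:
"""

SHADOW_TEXT = """\
root:*:19185:0:99999:7:::
daemon:*:19185:0:99999:7:::
www-data:*:19185:0:99999:7:::
suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::
"""

# Password hash taken from the gist's /etc/shadow line.
KNOWN_BAD_HASHES = {"$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/"}


def extra_uid0_accounts(passwd_text):
    """Return names of UID-0 accounts other than root (passwd field 3)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def suspicious_shadow_entries(shadow_text, known_bad):
    """Return (user, reason) for known-bad hashes and any $1$ (MD5-crypt) hash."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash in known_bad:
            findings.append((user, "known RapperBot hash"))
        elif pw_hash.startswith("$1$"):
            findings.append((user, "md5-crypt hash"))
    return findings


def audit(passwd_text, shadow_text, known_bad=KNOWN_BAD_HASHES):
    """Combine both checks into one list of (check, user, detail) tuples."""
    results = [("uid0", user, "UID 0 account that is not root")
               for user in extra_uid0_accounts(passwd_text)]
    results += [("shadow", user, reason)
                for user, reason in suspicious_shadow_entries(shadow_text, known_bad)]
    return results


if __name__ == "__main__":
    # On a real host pass open("/etc/passwd").read() and
    # open("/etc/shadow").read(); the latter needs root.
    for finding in audit(PASSWD_TEXT, SHADOW_TEXT):
        print(*finding)
```

The hash comparison is exact, so it only catches this specific `suhelper` entry; the `$1$` check is the broader signal, since modern distributions issue `$6$` (SHA-512) or `$y$` (yescrypt) hashes and an MD5-crypt entry on a current system is worth a look on its own.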
## Remcos RAT JS IOCs 17/10/2022
### Next Stage IPs/Domains:
185.20.186.53
185.29.10.41
209.127.20.13
mamonci.ga
server-goeif8.cf
stronghoodserver.xyz
tpergtbe2.ml
### Next Stage URLs (PowerShell Next Stage):
http://185.20.186.53/08368248.txt
http://185.20.186.53/576283692.txt
http://185.20.186.53/80273926.txt
http://185.29.10.41/660826186.txt
http://185.29.10.41/90538283.txt
http://209.127.20.13/boop.txt
http://209.127.20.13/goat.txt
http://209.127.20.13/time.txt
http://mamonci.ga/cgertyu/attack.txt
http://server-goeif8.cf/duijkomk/attack.txt
https://stronghoodserver.xyz/fb/attach.txt
https://stronghoodserver.xyz/net/at.txt
https://stronghoodserver.xyz/net/xx.txt
http://tpergtbe2.ml/duyiojy/attack.txt
### JS Sample Hashes:
268e27660600464b87afacbc404248ec00e1754ddd9e3ed2b2ce4fb49b27ec53
3380d9578f860b0cd470e0bef533f38f1baad8240d923e6ca2eb4ad2d0dcac27
37a6b17e9660a3db4693282a0b132bc6966fc8d48898f07715cf20aaaa244c2f
461960297b7e51e3daa2edd396ad4bf80170224e4d7b76c2e2e9af72ee477cc4
4d9550c9ce3638c531b4be427760f74a5d3b2db074f9dd1ef9eedb9916279b53
58d035d35c53d717da1d0bd68dc99ae241acf9489374c73bca7c93767d9d829f
88ea9121e9c6aed51843e5e0567ee1c3f467680a02cd8c222e3b43c074ed1593
8938f080347aa0b5a42882e6c0262d32323fc6aa75810b2bbbd68467754c1a37
925c759cb2cbc261d42e76b3e6a809589eaed1ffa0299fc1c02b47c0c6c1a5d4
b16ff5477ed1e60e82a495a3b7cbe42371243670be0250f3f05d49a6ea37a4d3
ca75cb16ad94f52796575789a24e0530210e537b95e0e6903c4e8181e615248d
d57d108d656b409214fc86d91022f54a5e4caf91d68f3becfeabf8f81e7d9f18
dafc3fb6d788dd57ec9fa08455c7410382f9dc12f826532f4f701013f9d85ad0
eba266f6fe3d8faea13b7866c5e50c4c68de716922c8b0df76b2e8defcc723ca
f0acb76d6d0cd7f1d276d2b18783c7fc9e8e38e9705c033af6ef10095aaa8aff
f300f3c9ee1d722fa3460dfef58fae49568bfb14f7576d7c4ecf27a34408d0f7
@TheMuntu (Author):
Last update 17/10/2022

@TheMuntu (Author):
Will be continuously updated.
An interesting blog post by @Is3x on Panchan Botnet detection and mitigation is worth reading.
