cyber_threat_intelligence/actors/Qakbot/README.md
2022-05-24 10:19:11 +02:00

Qakbot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Qakbot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.qakbot

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Qakbot:

There are 12 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Qakbot.


There are 381 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Qakbot. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 2 | T1068 | CWE-264, CWE-266, CWE-284 | Execution with Unnecessary Privileges | High |
| 3 | T1110.001 | CWE-798 | Improper Restriction of Excessive Authentication Attempts | High |
| 4 | ... | ... | ... | ... |

There are 8 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Qakbot. This data is unique as it uses our predictive model for actor profiling.


There are 238 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!