Qilin Ransomware
INTEL
====
🚨FTP Server📂of QILIN Ransomware found!
ftp://dataShare:[email protected]
📍IP: 85.209.11.49
📍Location: 🇷🇺
📌ASN: Chang Way Tech
📍ASN Location: Hong Kong 🇭🇰
💡Web Server: IIS (FTP)
💡Running on: Windows Server 2019 with Windows 10
💡Host Machine: WIN-LIVFRVQFMKO
85.209.11.49
============
📌Presence of Cobalt Strike, Vidar Stealer🔑
📌Used as a reverse proxy for Cobalt Strike in attacks
MARCH 2025 - UPDATE
-------------------
🚨QILIN's FTP migrated to another, less malicious infrastructure
================================================================
176.113.115.97 🇭🇰
176.113.115.209 🇭🇰
ASN: AS57678
ftp://dataShare:[email protected]
ftp://dataShare:[email protected]
📌An FTP shift by the Qilin Ransomware operators from a Russian server 🇷🇺 to a Hong Kong server 🇭🇰 was observed in March 2024
📌Though no abuse has yet been recorded for the IP, the ASN is highly malicious, hosting Vidar Stealer, Lumma Stealer, AsyncRAT, SystemBC, Amadey, etc.
📌Promotes Bearhost Bulletproof Servers
📌Wikileaksv2 - Qilin's surface-web blog, registered with Red Bytes LLC, based in Russia
📌Red Bytes LLC was previously notably associated with SliverC2 and Cobalt Strike, and was also used by Russian hackers against US networks in 2020
IOC
===
http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/
wikileaks-v2.com
wikileaks-v2.net
wikileaksv2.com
ftp://dataShare:[email protected]
ftp://dataShare:[email protected]
ftp://dataShare:[email protected]
ftp://dataShare:[email protected]
http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/
http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion
http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog
http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/
31.41.244.100
85.209.11.49
176.113.115.209
176.113.115.97
188.119.66.189
WIN-LIVFRVQFMKO
MD5
===
2bb209ccfc5103eccab523c875050cfa
a7e7d00d531cb7ca27d0f3bee448573f
964c13b68dc6b6b918b66a9a10469d2a
3b10127e65fa3e215d21e0a2e7fd32be
d1c331c17ddd4abe0d53755461c1ec9a
417ad60624345ef85e648038e18902ab
b04e8ee43aba85fa5c585b9335c953c2
59d756280b06cf113ca43abc0050edd5
88bb86494cb9411a9692f9c8e67ed32c
37155f0bca29ccd6b6d4f5b2bc42eb4d
e01776ec67b9f1ae780c3e24ecc4bf06
11d795baafa44b73766e850d13b8e254
88630916b0c6633ca28c8896416a93ee
dd42c3e017889c107a81da78d87dc8af
1c4bea81c0da22badd9b7eab574c51cd
ab05a1925fee8334a2114811d5283364
64a590760fdbb84356544cc90ac3d50f
2020979e080d7ac9c0403172573c7de8
bed0f34673cc93560c17e3ab04ea5d19
4a3f22021e4415e8211633fb3735a046
6fc6164b3a08669992acad3764fb1922
d309e3d77ed6a336eb3ad263ddf9db90
575b26c1cc06609722f98e2beaed6a8a
a6302fdb63e2244c1246a73a7d65d09e
1bde76f3197123dcc2ecd0bfef567484
ea1f8794c73b26724314e5356f1f4128
9befad1d56d2bd8195813aea1f37f921
9f510626c7327a7c2328bc5131726638
08a2405cd32f044a69737e77454ee2da
fdc6848dad660414bed9ad1b381cf6e3
19ff6488a259d750ec18902fe75a713b
4ea8adecc5bd45a76cc61430c560924f