6 months of QuantLoader

Last december 2017, I started to actively hunt for Malware c2 web panels via virustotal submissions and open source data. I encountered 37 families of malware that had an HTTP web panels. Some are very common, like lokibot, pony, some are old, like AthenaHTTP etc…

While there is no novelty to this article, it is more a compilation of my observation on QuantLoader activities for the last 6 months approximatly and a collection of IOCs.

During that period I observed 25 different C2 web panels of QuantLoader. Some have been up not even for 24hrs while one has been up for almost half a year.

My methodology is simple, I look at submissions on virustotal after searching for specific queries. Searching for specififc queries permits to narrow down the submission to target families of malware. This is far from perfect as I could miss a few activities of certain family but seems to work relatively well.

Here is the list of observed panels with their first seen date, last seen date and numbers of days being up:

Panel_urlFirst_seenLast_seenDays
http://dackdack.online/api2/admin/2017121720180610175
http://dnspod.pro/pro/admin/2018022020180610110
http://apple-shop.tech/Gtf7xfRd3bnj/admin/201712252018040298
http://195.22.127.170/q/admin/201803102018061092
http://aleaha.info/q/admin/201803092018052981
http://data.michaelorth.eu/q/admin/201804052018061066
http://login.americapsolutions.com/q/admin/201804092018061062
http://mts2015stm.myjino.ru/q/admin/201712172018012640
http://dandiesinoz.com/scripts/backup/admin/201712172018012438
http://tytoldran.win/q/admin/201802222018032632
http://windowsreport.stream/q/admin/201712172018011529
http://rolwiluld.win/q/admin/201802262018032628
http://myyu.ru/q/admin/201712172018011024
http://heroskatopirango.com/391f4jda9s/a/admin/201805182018061023
http://myothow.com/q2/admin/201802082018022719
http://fortresmuch.com/q2/admin/201802082018022719
http://dada.grantflaskparty.com/admin/201805142018052713
http://rec-tube.date/carting/admin/201803112018032413
http://javelinkay.club/reader/admin/201803312018041010
http://serolotb.com/q/admin/201712172017122710
http://cynagotceter.in/q2/admin/20180327201804037
http://wassronledorhad.in/q2/admin/20180307201803136
http://warpje.xyz/quant/admin/20180111201801154
http://bima.website/admin/20180318201803202
http://newdawncheat.club/q/admin/20180223201802230

Here is the dump of IOCs group by C2 panel urls:

http://195.22.127.170/q/admin/
195.22.127.170
eae17082ded2153c4b9c7dc7ad7f6b7e

http://aleaha.info/q/admin/
aleaha.info
94.154.14.150
a412294a2d5bc43e929d4be7f679b956
35d727cf1e8dfc74d81043536f458840

http://apple-shop.tech/Gtf7xfRd3bnj/admin/
apple-shop.tech
37.1.201.91
8b6f7b420072d95e8da65df7f4aa1b5d

http://bima.website/admin/
bima.website
185.241.55.242
3a2534afc6e50555e18d34030a356f94

http://cynagotceter.in/q2/admin/
cynagotceter.in
49.51.230.174
e6bbc52ff5f1ca8d5a705e16db96797d
8bbffeabfce5932a31349333c3b13929
1350d30aa6e02baa48af3411646d55e5

http://dackdack.online/api2/admin/
dackdack.online
104.168.140.87
45.79.218.235
206.189.77.19
431c3a0f52955313121038dcc8b8f021
ca9d18db1dfc3ad5a52402525ce0e52b
04ce2ca848782de8278340787af03e6b
e282e93caffd4affd50096bb4f009b31
ceb24f0dfd5867c59c292cd6eef9d4dd

http://dada.grantflaskparty.com/admin/
dada.grantflaskparty.com
185.148.147.152
bdb58831b33c3d3009490d16ff520386
734d0a1cf0c233f1a30865c6c5a2d9b3
3f7625566c2f3a35acfd7a14642e1bbd
21cbba5bda95d96313881378d250f08e
013f456bac4268047d917236a2ff262f
e996e9b252991d87e6908bb3beddb393

http://dandiesinoz.com/scripts/backup/admin/
dandiesinoz.com
116.0.23.244
a22c6aa5c0c470f2130720d0a1a4ad7c

http://data.michaelorth.eu/q/admin/
data.michaelorth.eu
194.58.119.193
32ee820b1a32b23ad95cbff42790821a
ac8de3d1d37e9cea76deb8bea8149f65
c140241e3d820d7bd9a132c5f83e99bf
10e8ea5b0391319f5a2794cd0f634624
456c88705ef023d28327f7d1a86b81f3
2eef86c9a85199249ecc5a867fd86390
a384f4f75c88de6dd7f8533a5c400843
9b29ab7418e2d09893b9c0c66760b554
03175a6b6691964c2ed1bf123fb2d0ba
4030b46d23eb1f00abb09d8c42f18a0c
269870263ec4e37684da241752f4b5d7
9bab405d34afa66fba19ec044dee3174
8df4e1260345f6d54d1963b95820deda
3316d264fa5a13cf6cf8ce6a71b0055d
22502e23ca6970cb0571b56f69c37a65
1e0ed91b51897400a4ca65b35f6ded5b
913a742cf8f822e36702b728688aa692
79536b1ecd2e4b91ac771553f74fefe1
b663605f5ee5934f2adc45d768ac80ff
1d84da6610ac43dc7112168fb406fb22
1cc936f7c244ea822178b5a3c4ff3c7c
90e31c2c541294836c227f8daa19125a
58d3799f25096d766eda4f28066a93a9
b41d1d1c60ca99c85906ca75a0ff3fa5
10c02a83ac93a708b2c631b7fa5a559b
1a22573774c891fc4f86a99f45dbc809
64ff0ccf4a668c683ff3715116267c41
467f40798700f10e8cbd9d482ad4dc9a
b32803bfe5626409995a1300de76a700
34a3e10080caefd4787334d2d438249b
11912cd4ce45e06c1559802b66a77489
58ef78d8b51caeb750ab10fd56197f79

http://dnspod.pro/pro/admin/
dnspod.pro
185.117.119.29
588eace9102a9f67ef2a1f24322cc5b0

http://fortresmuch.com/q2/admin/
fortresmuch.com
119.28.111.49
cf8165ddc1ce44835cb57ec226c08c4d
07da5d3088a13d4db7d5300e84b11ca4

http://heroskatopirango.com/391f4jda9s/a/admin/
heroskatopirango.com
204.155.30.106
0942974fbe31b4be3e12dd6d65f85478

http://javelinkay.club/reader/admin/
javelinkay.club
49.51.135.204
6955ed0b43b3a5d33a1d9daf1f482923

http://login.americapsolutions.com/q/admin/
login.americapsolutions.com
194.58.119.193
595eaef63066c95296fad6f0fe9ee41a

http://mts2015stm.myjino.ru/q/admin/
mts2015stm.myjino.ru
81.177.135.151
88a0c0fcee3e8f46766dd25ce70c11b9
47bb80b54e11d0ce1dc3179b46414cac

http://myyu.ru/q/admin/
myyu.ru
95.46.114.96
a263ad4e55c797fa551ca9f9c576ff48
ab87aa8d0818c6c9f99794f6c93f6d36

http://newdawncheat.club/q/admin/
newdawncheat.club
191.101.245.36
0d0838e8c347d6f71c48bd3316cb0103

http://rec-tube.date/carting/admin/
rec-tube.date
191.101.245.46
ce9c9edab5b8fc2905e90613a092a808

http://rolwiluld.win/q/admin/
rolwiluld.win
194.1.236.115
dc3cb327730bd9ce48c6303bcb768b9c
d54b25a98667215ae3958160f3ebd76d
186b0653e11b870bdd173d8fa0d214ca
e1468b0743822bed071274f0d2e7384f

http://serolotb.com/q/admin/
serolotb.com
185.117.75.92
0370e27514bfd6282b5708b5b01b893d

http://tytoldran.win/q/admin/
tytoldran.win
194.1.236.115
ed6f9b51cd3dd3d5cf2a9011c67b204b
4fcab10c59be02cc0a50e2c280247ff0
432b18e36bfd91dad68edfba581ef3ed
0d1ce7055e828bbedd5be16e75841fed

http://warpje.xyz/quant/admin/
warpje.xyz
37.97.183.120
438b06bfd279e7430d3a9a62246c93a6

http://wassronledorhad.in/q2/admin/
wassronledorhad.in
45.32.236.220
e6e2025afee1679005a94438c924f58c

http://windowsreport.stream/q/admin/
windowsreport.stream
104.24.114.159
c639b0b9ee0407051fc656a28f2b0e97
98b94529813f27aafce8818b49288397
54e6ab371b04161963c793796d90bc37

Leave a Reply

Your email address will not be published. Required fields are marked *