On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. I've seen Cobalt Strike from Qakbot infections before. Below are two that I documented in December 2020.
I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.
Shown above: Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.
Shown above: Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.
Shown above: Traffic from the infection filtered in Wireshark (image 1 of 3).
Shown above: Traffic from the infection filtered in Wireshark (image 2 of 3).
Shown above: Traffic from the infection filtered in Wireshark (image 3 of 3).
Shown above: Initial DLL saved to the victim's Windows host.
Shown above: Artifact saved to disk during the Qakbot infection.
Shown above: Registry updates caused by Qakbot.
Indicators of Compromise (IOCs)
Malware from the infected Windows host:
SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12
SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44
Traffic to retrieve the initial Qakbot DLL:
- 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif
Qakbot C2 traffic:
- 207.246.77[.]75 port 995 - HTTPS traffic
Cobalt Strike traffic:
- 45.144.29[.]185 port 443 - HTTPS traffic
- 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
- 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
- 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919
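As an added example (not part of this diary, its pcap, or Brad's own tooling), the script below refangs the IOC list above and checks it against a few connection records. The one-line-per-connection log format, the timestamps, and the 10.3.2.101 source address are all constructed for illustration; adapt parse_log_line() to whatever your proxy, Zeek, or firewall actually emits. It ranks each hit by how much of the indicator matched, which matters here because the Cobalt Strike server sits at one IP on two ports and is reached with both a bare-IP Host header and the logon.securewindows[.]xyz domain.

```python
"""Match the diary's defanged IOCs against simple HTTP/TLS connection logs.

Added example, not code from the ISC diary. The log format is a constructed,
simplified one (one connection per line, fields separated by whitespace):
    ts src_ip dst_ip dst_port proto host method uri
with '-' for a field the record does not have (e.g. TLS without SNI).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOCs copied from the diary's list above, still defanged with [.].
RAW_IOCS = """\
8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif
207.246.77[.]75 port 995 - HTTPS traffic
45.144.29[.]185 port 443 - HTTPS traffic
45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919
"""

# Constructed sample log: timestamps and the 10.3.2.101 client are invented;
# 203.0.113.10 / example.com is benign filler from the documentation ranges.
SAMPLE_LOG = """\
2021-03-02T14:00:51Z 10.3.2.101 8.209.64.96 80 http kfzhm28pwzrlk02bmjy.com GET /mrch.gif
2021-03-02T14:01:07Z 10.3.2.101 207.246.77.75 995 tls - - -
2021-03-02T14:22:40Z 10.3.2.101 45.144.29.185 443 tls logon.securewindows.xyz - -
2021-03-02T14:22:41Z 10.3.2.101 45.144.29.185 8080 http 45.144.29.185:8080 GET /WjSH
2021-03-02T14:23:02Z 10.3.2.101 45.144.29.185 8080 http 45.144.29.185:8080 POST /submit.php?id=248927919
2021-03-02T14:23:30Z 10.3.2.101 203.0.113.10 443 tls example.com - -
2021-03-02T14:24:00Z 10.3.2.101 45.144.29.185 8080 http 45.144.29.185:8080 GET /favicon.ico
"""

# Grammar of one diary IOC line: "<ip> port <n> - [<host> - ] (<METHOD> <uri> | HTTPS traffic)"
IOC_RE = re.compile(
    r"^(?P<ip>\S+) port (?P<port>\d+) - "
    r"(?:(?P<host>\S+) - )?"
    r"(?:(?P<method>GET|POST) (?P<uri>\S+)|HTTPS traffic)$"
)


@dataclass(frozen=True)
class Ioc:
    ip: str
    port: int
    host: Optional[str]    # HTTP Host header or TLS SNI; None if the diary lists none
    method: Optional[str]  # None for the TLS-only entries
    uri: Optional[str]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc: Ioc
    evidence: str  # "ip:port", "ip:port+host", "ip:port+uri" or "ip:port+host+uri"


def refang(value: str) -> str:
    """Undo the [.] defanging so values compare against what real logs contain."""
    return value.replace("[.]", ".")


def parse_iocs(text: str) -> List[Ioc]:
    iocs = []
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()  # tolerate the "- " list bullets too
        if not line:
            continue
        m = IOC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IOC line: {line!r}")
        host = m.group("host")
        if host:
            host = refang(host).split(":")[0]  # drop the ":8080" the diary keeps on the Host value
        iocs.append(Ioc(refang(m.group("ip")), int(m.group("port")), host,
                        m.group("method"), m.group("uri")))
    return iocs


def parse_log_line(line: str):
    """Split one constructed log record; '-' means the field is absent."""
    _ts, _src, dst, dport, _proto, host, method, uri = line.split()
    host = None if host == "-" else host.split(":")[0]
    return dst, int(dport), host, (None if method == "-" else method), (None if uri == "-" else uri)


def match_log(log_text: str, iocs: List[Ioc]) -> List[Hit]:
    """Return one Hit per log line that reaches an IOC ip:port, keeping the most specific IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        dst, dport, host, method, uri = parse_log_line(line)
        best = None
        for ioc in iocs:
            if (ioc.ip, ioc.port) != (dst, dport):
                continue  # ip:port is the minimum; everything else only raises confidence
            evidence = "ip:port"
            if ioc.host and host == ioc.host:
                evidence += "+host"
            if ioc.uri and (method, uri) == (ioc.method, ioc.uri):
                evidence += "+uri"
            if best is None or len(evidence) > len(best.evidence):
                best = Hit(n, ioc, evidence)
        if best:
            hits.append(best)
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, parse_iocs(RAW_IOCS)):
        print(f"line {hit.line_no}: {hit.ioc.ip}:{hit.ioc.port} [{hit.evidence}]")
```

Note that the final sample record, a GET /favicon.ico to 45.144.29[.]185:8080, still comes back as a hit on ip:port and host even though that URI is not in the list; a connection to a known C2 server is worth a ticket regardless of path, and the evidence string tells the analyst how much of the published indicator actually lined up.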
A pcap of the infection traffic and the associated malware can be found here.
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.