Blog

Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I’ve seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

I haven’t documented one for the ISC yet, so today’s diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.


Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images


Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.


Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).


Shown above:  Initial DLL saved a the victim’s Windows host.


Shown above:  Artifact saved to disk during the Qakbot infection.


Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

Traffic to retrieve the initial Qakbot DLL:

  • 8.209.64[.]96 port 80 – kfzhm28pwzrlk02bmjy[.]com – GET /mrch.gif

Qakbot C2 traffic:

  • 207.246.77[.]75 port 995 – HTTPS traffic

Cobalt Strike traffic:

  • 45.144.29[.]185 port 443 – HTTPS traffic
  • 45.144.29[.]185 port 443 – logon.securewindows[.]xyz – HTTPS traffic
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /WjSH
  • 45.144.29[.]185 port 8080 – logon.securewindows[.]xyz:8080 – GET /cx
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /en_US/all.js
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – POST /submit.php?id=248927919

Final words

A pcap of the infection traffic and the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) ↓