malware_traffic

2020-07-21 (Tuesday) - Emotet infection with Qakbot

Jul 21st, 2020
2020-07-21 (TUESDAY) - EMOTET INFECTION WITH QAKBOT

REFERENCE:

- https://www.malware-traffic-analysis.net/2020/07/21/index.html

INFECTION CHAIN:

- Malspam link --> Word doc --> enable macros --> Emotet infection --> Qakbot infection

NOTES:

- This happened from a US location
- I saw Qakbot as follow-up malware when I tried both Emotet epoch 2 and Emotet epoch 3 infections.
- These IOCs are for the Emotet epoch 2 infection with Qakbot

MALWARE:

- SHA256 hash: e8eff9852fefe1a01b140600735f3b9abecfd2f1bb93929c8955778bb11d0681
- File size: 175,150 bytes
- File location: hxxp://umeedupvanfoundation[.]com/blogs/JB5HY27RGXBM90/
- File name: RSH_070120_FLV_072120.doc
- File description: Word doc with macro for Emotet (epoch 2)

- SHA256 hash: 915a61faf42b819b836fe6901544b30562b93113fbf7626eec63a1b33b011d09
- File size: 770,048 bytes
- File location: hxxps://www.thelibrarysamui[.]com/wp-content/themes/stockholm/t9/
- File location: C:\Users\[username]\332.exe
- File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
- File description: Initial Emotet EXE retrieved by Word macro (epoch 2)
- Note 1: The file name 332.exe may be a different 3-digit number in the name for a different host.
- Note 2: The file path & name proquota\wvc.exe is different for each infection.

- SHA256 hash: a7f46b14baa4d0df476385bdb7316c774842d39faf6efc1f2b0f09ad3c5060de
- File size: 427,520 bytes
- File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
- File description: Emotet EXE updated shortly after the initial infection
- Note 2: The file path & name proquota\wvc.exe is different for each infection.

- SHA256 hash: 576029dbd4166e9d6548f877bea422da5d7a07adfc5ca60c93dabbecfab3d6c7
- File size: 811,536 bytes
- File location: C:\Users\[username]\AppData\Local\proquota\KBDHU17cd.exe
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Whimnooaor\jpkwoqx.exe
- File description: Qakbot EXE retrieved by Emotet-infected host
- Note 1: The file name KBDHU17cd.exe is different for each infection.
- Note 2: The file path & name Whimnooaor\jpkwoqx.exe is different for each infected host.

INFECTION TRAFFIC:

WEB TRAFFIC TO DOWNLOAD WORD DOCUMENT FROM EMOTET MALSPAM (EPOCH 2):

- 182.50.151[.]87 port 80 - umeedupvanfoundation[.]com - GET /blogs/JB5HY27RGXBM90/

WEB TRAFFIC BY WORD MACROS TO RETRIEVE THE INITIAL EMOTET EXE:

- 104.238.82[.]165 port 443 (HTTPS) - kipliani[.]com - GET /sys-cache/w84tjs1/
- 163.44.168[.]22 port 80 - phamthuan[.]com - GET /wp-admin/h/
- 134.209.38[.]89 port 80 - rmacadetstore[.]com - GET /cwu/l6y/
- 134.209.38[.]89 port 443 (HTTPS) - rmacadetstore[.]com - GET /cwu/l6y/
- 104.28.22[.]107 port 80 - fivestarcleanerstx[.]com - GET /h/procurement/9uvmim/
- 139.59.228[.]88 port 443 (HTTPS) - www.thelibrarysamui[.]com - /h/procurement/9uvmim/

EMOTET POST-INFECTION TRAFFIC:


QAKBOT (QBOT) POST-INFECTION TRAFFIC:

- 24.234.86[.]201 port 995 - HTTPS traffic
- 82.118.22[.]125 port 443 - HTTPS traffic
- port 443 - cdn.speedof[.]me - HTTPS traffic
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_chrome.html
- 54.36.108[.]120 port 65400

ATTEMPTED TCP CONNECTIONS BUT NO RESPONSE FROM THE SERVER (PROBABLY CAUSED BY QAKBOT):
