malware_traffic

2020-07-21 (Tuesday) - Emotet infection with Qakbot

Jul 21st, 2020
2020-07-21 (TUESDAY) - EMOTET INFECTION WITH QAKBOT

REFERENCE:

- https://www.malware-traffic-analysis.net/2020/07/21/index.html

INFECTION CHAIN:

- Malspam link --> Word doc --> enable macros --> Emotet infection --> Qakbot infection

NOTES:

- This happened from a US location
- I saw Qakbot as follow-up malware when I tried both Emotet epoch 2 and Emotet epoch 3 infections.
- These IOCs are for the Emotet epoch 2 infection with Qakbot

MALWARE:

- SHA256 hash: e8eff9852fefe1a01b140600735f3b9abecfd2f1bb93929c8955778bb11d0681
- File size: 175,150 bytes
- File location: hxxp://umeedupvanfoundation[.]com/blogs/JB5HY27RGXBM90/
- File name: RSH_070120_FLV_072120.doc
- File description: Word doc with macro for Emotet (epoch 2)

- SHA256 hash: 915a61faf42b819b836fe6901544b30562b93113fbf7626eec63a1b33b011d09
- File size: 770,048 bytes
- File location: hxxps://www.thelibrarysamui[.]com/wp-content/themes/stockholm/t9/
- File location: C:\Users\[username]\332.exe
- File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
- File description: Initial Emotet EXE retrieved by Word macro (epoch 2)
- Note 1: The 3-digit number in the file name 332.exe may be different for a different host.
- Note 2: The file path & name proquota\wvc.exe is different for each infection.

- SHA256 hash: a7f46b14baa4d0df476385bdb7316c774842d39faf6efc1f2b0f09ad3c5060de
- File size: 427,520 bytes
- File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
- File description: Emotet EXE updated shortly after the initial infection
- Note: The file path & name proquota\wvc.exe is different for each infection.

- SHA256 hash: 576029dbd4166e9d6548f877bea422da5d7a07adfc5ca60c93dabbecfab3d6c7
- File size: 811,536 bytes
- File location: C:\Users\[username]\AppData\Local\proquota\KBDHU17cd.exe
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Whimnooaor\jpkwoqx.exe
- File description: Qakbot EXE retrieved by Emotet-infected host
- Note 1: The file name KBDHU17cd.exe is different for each infection.
- Note 2: The file path & name Whimnooaor\jpkwoqx.exe is different for each infected host.

INFECTION TRAFFIC:

WEB TRAFFIC TO DOWNLOAD WORD DOCUMENT FROM EMOTET MALSPAM (EPOCH 2):

- 182.50.151[.]87 port 80 - umeedupvanfoundation[.]com - GET /blogs/JB5HY27RGXBM90/

WEB TRAFFIC BY WORD MACROS TO RETRIEVE THE INITIAL EMOTET EXE:

- 104.238.82[.]165 port 443 (HTTPS) - kipliani[.]com - GET /sys-cache/w84tjs1/
- 163.44.168[.]22 port 80 - phamthuan[.]com - GET /wp-admin/h/
- 134.209.38[.]89 port 80 - rmacadetstore[.]com - GET /cwu/l6y/
- 134.209.38[.]89 port 443 (HTTPS) - rmacadetstore[.]com - GET /cwu/l6y/
- 104.28.22[.]107 port 80 - fivestarcleanerstx[.]com - GET /h/procurement/9uvmim/
- 139.59.228[.]88 port 443 (HTTPS) - www.thelibrarysamui[.]com - /h/procurement/9uvmim/

EMOTET POST-INFECTION TRAFFIC:


QAKBOT (QBOT) POST-INFECTION TRAFFIC:

- 24.234.86[.]201 port 995 - HTTPS traffic
- 82.118.22[.]125 port 443 - HTTPS traffic
- port 443 - cdn.speedof[.]me - HTTPS traffic
- 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_chrome.html
- 54.36.108[.]120 port 65400

ATTEMPTED TCP CONNECTIONS BUT NO RESPONSE FROM THE SERVER (PROBABLY CAUSED BY QAKBOT):
