2020-07-21 (Tuesday) - Emotet infection with Qakbot

1. 2020-07-21 (TUESDAY) - EMOTET INFECTION WITH QAKBOT
2.  
3. REFERENCE:
4.  
5. - https://www.malware-traffic-analysis.net/2020/07/21/index.html
6.  
7. INFECTION CHAIN:
8.  
9. - Malspam link --> Word doc --> enable macros --> Emotet infection --> Qakbot infection
10.  
11. NOTES:
12.  
13. - This happened from a US location
14. - I saw Qakbot as follow-up malware when I tried both Emotet epoch 2 and Emotet epoch 3 infections.
15. - These IOCs are for the Emotet epoch 2 infection with Qakbot
16.  
17. MALWARE:
18.  
19. - SHA256 hash: e8eff9852fefe1a01b140600735f3b9abecfd2f1bb93929c8955778bb11d0681
20. - File size: 175,150 bytes
21. - File location: hxxp://umeedupvanfoundation[.]com/blogs/JB5HY27RGXBM90/
22. - File name: RSH_070120_FLV_072120.doc
23. - File description: Word doc with macro for Emotet (epoch 2)
24.  
25. - SHA256 hash: 915a61faf42b819b836fe6901544b30562b93113fbf7626eec63a1b33b011d09
26. - File size: 770,048 bytes
27. - File location: hxxps://www.thelibrarysamui[.]com/wp-content/themes/stockholm/t9/
28. - File location: C:\Users\[username]\332.exe
29. - File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
30. - File description: Initial Emotet EXE retrieved by Word macro (epoch 2)
31. - Note 1: The file name 332.exe may be a different 3-digit number in the name for a diffent host.
32. - Note 2: The file path & name proquota\wvc.exe is different for each infection.
33.  
34. - SHA256 hash: a7f46b14baa4d0df476385bdb7316c774842d39faf6efc1f2b0f09ad3c5060de
35. - File size: 427,520 bytes
36. - File location: C:\Users\[username]\AppData\Local\proquota\wvc.exe
37. - File description: Emotet EXE updated shortly after the initial infection
38. - Note 2: The file path & name proquota\wvc.exe is different for each infection.
39.  
40. - SHA256 hash: 576029dbd4166e9d6548f877bea422da5d7a07adfc5ca60c93dabbecfab3d6c7
41. - File size: 811,536 bytes
42. - File location: C:\Users\[username]\AppData\Local\proquota\KBDHU17cd.exe
43. - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Whimnooaor\jpkwoqx.exe
44. - File description: Qakbot EXE retrieved by Emotet-infected host
45. - Note 1: The file name KBDHU17cd.exe is different for each infection.
46. - Note 2: The file path & name Whimnooaor\jpkwoqx.exe is different for each infected host.
47.  
48. INFECTION TRAFFIC:
49.  
50. WEB TRAFFIC TO DOWNLOAD WORD DOCUMENT FROM EMOTET MALSPAM (EPOCH 2):
51.  
52. - 182.50.151[.]87 port 80 - umeedupvanfoundation[.]com - GET /blogs/JB5HY27RGXBM90/
53.  
54. WEB TRAFFIC BY WORD MACROS TO RETRIEVE THE INITIAL EMOTET EXE:
55.  
56. - 104.238.82[.]165 port 443 (HTTPS) - kipliani[.]com - GET /sys-cache/w84tjs1/
57. - 163.44.168[.]22 port 80 - phamthuan[.]com - GET /wp-admin/h/
58. - 134.209.38[.]89 port 80 - rmacadetstore[.]com - GET /cwu/l6y/
59. - 134.209.38[.]89 port 443 (HTTPS) - rmacadetstore[.]com - GET /cwu/l6y/
60. - 104.28.22[.]107 port 80 - fivestarcleanerstx[.]com - GET /h/procurement/9uvmim/
61. - 139.59.228[.]88 port 443 (HTTPS) - www.thelibrarysamui[.]com - /h/procurement/9uvmim/
62.  
63. EMOTET POST-INFECTION TRAFFIC:
64.  
65. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /Edif/
66. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /G3tJeBBYQ455y/YocO7QfQZ1QRAAW/
67. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /L0Ekr/IFWDb8/
68. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /O1G3KKGd/
69. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /LFKovAiCaYStgjSr/79emciYyrsQ90JeqAW/0WeN/q8HqypuBr8I/q1oJ2kQ6W/
70. - 198.144.158[.]120 port 443 - 198.144.158[.]120:443 - POST /SyijpY8HtMg7yG/doPfqxoTHOiNmmTlzMY/KctCHNQ8jDAgfR/
71. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /qlQ1/XqzH/lp9O87HKvTCVyd/ZYyi3rQR2pIm4w/PDqn0JWecLQHmo7sZ/
72. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /0f68oLBb/Bl7lsW2ppvf2D3h/qLMDW/LMhHiMMrZ73oI/1Kb98oiQNUBNb8WF/
73. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /AvPxevvvO/NNo7xktyceeX/bm0jvwGUrLs/dKYYGfX0GZrR5k/
74. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /rkaLBO7N/
75. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /iTOzKRl/z0hIjDx6c0cq0xO/
76. - 198.144.158[.]120 port 443 - 198.144.158[.]120:443 - POST /NnDwHpG
77. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /PXX8rq7y23jiXtOL7zR/YINnNyNRVgf/
78. - 198.144.158[.]120 port 443 - 198.144.158[.]120:443 - POST /Jevuka8q8RYAKW5/40cu7wK8ecnI1l/l1zq0aNhvrb/qhBYRz/
79. - 198.144.158[.]120 port 443 - 198.144.158[.]120:443 - POST /xBtHgDZq92bco
80. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /69W36/RzDkJoOrfDOLC/
81. - 124.45.106[.]173 port 443 - 124.45.106[.]173:443 - POST /VRgpDSSw7Y2m5W/QZna2EW8/u3jJ6cI6LEmkY0o45A/e0iO6MnC/FRioD/
82. - 94.49.254[.]194 port 80 - 94.49.254[.]194 - POST /giPRh9IB2ksBRG36p/R4aRVfgRdYf9KtjwY/rsBcW7TrytfZoU/mBDg9WWwy/pdgso31rnTMTy5uIW/z5pNWkPilsOGJ/
83. - 94.49.254[.]194 port 80 - 94.49.254[.]194 - POST /dZHhFxlmbYSyC/WAs7SsslRpphq/
84.  
85. QAKBOT (QBOT) POST-INFECTION TRAFFIC:
86.  
87. - 24.234.86[.]201 port 995 - HTTPS traffic
88. - 82.118.22[.]125 port 443 - HTTPS traffic
89. - port 443 - cdn.speedof[.]me - HTTPS traffic
90. - 89.105.198[.]119 port 80 - a.strandsglobal[.]com - GET /redir_chrome.html
91. - 54.36.108[.]120 port 65400
92.  
93. ATTEMPTED TCP CONNECTIONS BUT NO RESPONSE FROM THE SERVER (PROBABLY CAUSED BY QAKBOT):
94.  
95. - 70.183.127[.]6 port 995
96. - 190.220.8[.]10 port 443
97. - 98.116.62[.]242 port 443
98. - 72.204.242[.]138 port 20
99. - 76.187.8[.]160 port 443
100. - 2.50.47[.]97 port 2222
101. - 104.235.72[.]17 port 443
102. - 179.51.23[.]31 port 443
103. - 24.234.86[.]201 port 995