malware_traffic

2020-12-02 (Wednesday) through 2020-12-03 (Thursday) - Qakbot (Qbot) infection with Cobalt Strike

Dec 4th, 2020 (edited)
START DATE/TIME:

- 2020-12-02 23:02 UTC

ASSOCIATED TWEET:

- https://twitter.com/malware_traffic/status/1334969751509094402

ASSOCIATED MALWARE:

- SHA256 hash: 7d840647aa7a7de762d8f9b9fae16f7898cdd77543f1751da1e01a77b8d1663a
- File size: 19,425 bytes
- File name: AddressValidateForm-1457800993-12022020.zip
- File description: ZIP archive attached to malspam pushing Qakbot

- SHA256 hash: 44177b45e874857339a9052edea165dc9086173f793269bce1003b5de8b58c2b
- File size: 44,032 bytes
- File name: AddressValidateForm-1457800993-12022020.xls
- File description: Excel spreadsheet with macro for Qakbot

- SHA256 hash: 517192baccacf725c7131ab452f67a1f7782bbf20ec8860042c9aa52fa693cd4
- File size: 351,208 bytes
- File location: hxxp://aosolucion[.]com/uqiyr/423323.jpg
- File location: C:\Users\[username]\AppData\Roaming\Goka.zzxxcc
- File description: DLL for Qakbot retrieved by Word macro
- Run method: rundll32.exe [filename],DllRegisterServer

INFECTION TRAFFIC:

- 148.72.144[.]180 port 80 - aosolucion[.]com - GET /uqiyr/423323.jpg
- 73.136.242[.]114 port 443 - Qakbot HTTPS traffic
- 41.227.82[.]102 port 443 - Qakbot HTTPS traffic
- 120.150.218[.]241 port 995 - Qakbot HTTPS traffic
- 184.98.97[.]227 port 995 - Qakbot HTTPS traffic
- 68.15.109[.]125 port 443 - Qakbot HTTPS traffic
- 96.40.175[.]33 port 443 - Qakbot HTTPS traffic

- 72.252.201[.]69 port 443 - attempted TCP connections
- 2.7.202[.]106 port 2222 - attempted TCP connections
- 47.187.49[.]3 port 2222 - attempted TCP connections
- 208.93.202[.]41 port 443 - attempted TCP connections
- 217.133.54[.]140 port 32100 - attempted TCP connections
- 45.118.216[.]157 port 443 - attempted TCP connections
- 189.210.115[.]207 port 443 - attempted TCP connections
- 41.227.82[.]102 port 443 - attempted TCP connections
- 75.109.180[.]221 port 443 - attempted TCP connections

- port 443 - www.openssl[.]org - HTTPS traffic for connectivity check
- 54.36.108[.]120 port 65400 - Qakbot TCP traffic

- 72.79.79[.]92 port 80 - encrypted data sent - returned HTTP message: 400 Page not found - Server: DVRDVS-Webs

- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /GSMu
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /IE9CompatViewList.xml
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - POST /submit.php?id=450385698
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /pixel.gif

- port 443 - www.coolwick[.]com - small amount of HTTPS traffic to this business website.

- port 443 - api.ipify[.]org - IP address check
- DNS queries for mail.myfairport[.]com
- DNS queries for smtp-relay.gmail[.]com
- DNS queries for inbount.att[.]net
- various IP addresses - various email-related ports - mail banner/connectivity traffic