malware_traffic

2020-12-02 (Wednesday) through 2020-12-03 (Thursday) - Qakbot (Qbot) infection with Cobalt Strike

Dec 4th, 2020 (edited)
START DATE/TIME:

- 2020-12-02 23:02 UTC

ASSOCIATED TWEET:

- https://twitter.com/malware_traffic/status/1334969751509094402

ASSOCIATED MALWARE:

- SHA256 hash: 7d840647aa7a7de762d8f9b9fae16f7898cdd77543f1751da1e01a77b8d1663a
- File size: 19,425 bytes
- File name: AddressValidateForm-1457800993-12022020.zip
- File description: ZIP archive attached to malspam pushing Qakbot

- SHA256 hash: 44177b45e874857339a9052edea165dc9086173f793269bce1003b5de8b58c2b
- File size: 44,032 bytes
- File name: AddressValidateForm-1457800993-12022020.xls
- File description: Excel spreadsheet with macro for Qakbot

- SHA256 hash: 517192baccacf725c7131ab452f67a1f7782bbf20ec8860042c9aa52fa693cd4
- File size: 351,208 bytes
- File location: hxxp://aosolucion[.]com/uqiyr/423323.jpg
- File location: C:\Users\[username]\AppData\Roaming\Goka.zzxxcc
- File description: DLL for Qakbot retrieved by Word macro
- Run method: rundll32.exe [filename],DllRegisterServer

INFECTION TRAFFIC:

- 148.72.144[.]180 port 80 - aosolucion[.]com - GET /uqiyr/423323.jpg
- 73.136.242[.]114 port 443 - Qakbot HTTPS traffic
- 41.227.82[.]102 port 443 - Qakbot HTTPS traffic
- 120.150.218[.]241 port 995 - Qakbot HTTPS traffic
- 184.98.97[.]227 port 995 - Qakbot HTTPS traffic
- 68.15.109[.]125 port 443 - Qakbot HTTPS traffic
- 96.40.175[.]33 port 443 - Qakbot HTTPS traffic

- 72.252.201[.]69 port 443 - attempted TCP connections
- 2.7.202[.]106 port 2222 - attempted TCP connections
- 47.187.49[.]3 port 2222 - attempted TCP connections
- 208.93.202[.]41 port 443 - attempted TCP connections
- 217.133.54[.]140 port 32100 - attempted TCP connections
- 45.118.216[.]157 port 443 - attempted TCP connections
- 189.210.115[.]207 port 443 - attempted TCP connections
- 41.227.82[.]102 port 443 - attempted TCP connections
- 75.109.180[.]221 port 443 - attempted TCP connections

- port 443 - www.openssl[.]org - HTTPS traffic for connectivity check
- 54.36.108[.]120 port 65400 - Qakbot TCP traffic

- 72.79.79[.]92 port 80 - encrypted data sent - returned HTTP message: 400 Page not found - Server: DVRDVS-Webs

- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /GSMu
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /IE9CompatViewList.xml
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - POST /submit.php?id=450385698
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /pixel.gif

- port 443 - www.coolwick[.]com - small amount of HTTPS traffic to this business website.

- port 443 - api.ipify[.]org - IP address check
- DNS queries for mail.myfairport[.]com
- DNS queries for smtp-relay.gmail[.]com
- DNS queries for inbount.att[.]net
- various IP addresses - various email-related ports - mail banner/connectivity traffic
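Added example, not part of the original paste: a small Python parser for the defanged "IP port N - domain - description" indicator format used above, which refangs the values and matches them against Zeek conn.log-style records. The embedded indicator subset is taken from the list above; the log records are constructed for the demonstration.

```python
import re
from typing import NamedTuple, Optional
# Subset of the post's indicator lines, kept defanged ("[.]" for dots) so the
# block runs stand-alone.
INDICATOR_LINES = """\
- 148.72.144[.]180 port 80 - aosolucion[.]com - GET /uqiyr/423323.jpg
- 73.136.242[.]114 port 443 - Qakbot HTTPS traffic
- 2.7.202[.]106 port 2222 - attempted TCP connections
- 54.36.108[.]120 port 65400 - Qakbot TCP traffic
- 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /GSMu
"""
# Constructed Zeek conn.log-style records (ts, orig_h, orig_p, resp_h, resp_p);
# not traffic from the post. The 93.184.216.34 record is benign noise.
SAMPLE_CONN_LOG = """\
1606950120.1\t10.12.2.101\t49732\t148.72.144.180\t80
1606950131.4\t10.12.2.101\t49740\t73.136.242.114\t443
1606950140.9\t10.12.2.101\t49741\t93.184.216.34\t443
1606950171.2\t10.12.2.101\t49755\t54.36.108.120\t65400
1606950180.0\t10.12.2.101\t49760\t23.106.160.137\t80
"""
Indicator = NamedTuple("Indicator", [("ip", str), ("port", int), ("host", Optional[str]), ("note", str)])
LINE_RE = re.compile(r"^- (?P<ip>[\d\[\].]+) port (?P<port>\d+) - (?P<rest>.+)$")

def refang(value: str) -> str:
    # Undo the post's defanging so values compare equal to real log fields.
    return value.replace("[.]", ".").replace("hxxp://", "http://")

def parse_indicators(text: str) -> list:
    """Parse '- IP port N - [domain - ]description' lines into Indicator tuples."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest, host = m.group("rest"), None
        head, sep, tail = rest.partition(" - ")  # optional defanged domain first
        if sep and "[.]" in head:
            host, rest = refang(head), tail
        found.append(Indicator(refang(m.group("ip")), int(m.group("port")), host, rest))
    return found

def match_conn_log(log_text: str, indicators: list) -> list:
    """Return (ts, resp_h, resp_p, note) for records whose destination hits an indicator."""
    lookup = {(i.ip, i.port): i.note for i in indicators}
    hits = []
    for rec in log_text.splitlines():
        ts, _orig_h, _orig_p, resp_h, resp_p = rec.split("\t")
        note = lookup.get((resp_h, int(resp_p)))
        if note is not None:
            hits.append((ts, resp_h, int(resp_p), note))
    return hits
```

Matching on destination IP and port only is deliberately narrow; the Cobalt Strike URIs (/GSMu, /IE9CompatViewList.xml, /submit.php?id=, /pixel.gif) would be matched against http.log rather than conn.log.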