- 2020-12-02 (WEDNESDAY) THROUGH 2020-12-03 (THURSDAY) - QAKBOT (QBOT) INFECTION WITH COBALT STRIKE
- START DATE/TIME:
- - 2020-12-02 23:02 UTC
- ASSOCIATED TWEET:
- - https://twitter.com/malware_traffic/status/1334969751509094402
- ASSOCIATED MALWARE:
- - SHA256 hash: 7d840647aa7a7de762d8f9b9fae16f7898cdd77543f1751da1e01a77b8d1663a
- - File size: 19,425 bytes
- - File name: AddressValidateForm-1457800993-12022020.zip
- - File description: ZIP archive attached to malspam pushing Qakbot
- - SHA256 hash: 44177b45e874857339a9052edea165dc9086173f793269bce1003b5de8b58c2b
- - File size: 44,032 bytes
- - File name: AddressValidateForm-1457800993-12022020.xls
- - File description: Excel spreadsheet with macro for Qakbot
- - SHA256 hash: 517192baccacf725c7131ab452f67a1f7782bbf20ec8860042c9aa52fa693cd4
- - File size: 351,208 bytes
- - File location: hxxp://aosolucion[.]com/uqiyr/423323.jpg
- - File location: C:\Users\[username]\AppData\Roaming\Goka.zzxxcc
- - File description: DLL for Qakbot retrieved by Word macro
- - Run method: rundll32.exe [filename],DllRegisterServer
- INFECTION TRAFFIC:
- - 148.72.144[.]180 port 80 - aosolucion[.]com - GET /uqiyr/423323.jpg
- - 73.136.242[.]114 port 443 - Qakbot HTTPS traffic
- - 41.227.82[.]102 port 443 - Qakbot HTTPS traffic
- - 120.150.218[.]241 port 995 - Qakbot HTTPS traffic
- - 184.98.97[.]227 port 995 - Qakbot HTTPS traffic
- - 68.15.109[.]125 port 443 - Qakbot HTTPS traffic
- - 96.40.175[.]33 port 443 - Qakbot HTTPS traffic
- - 72.252.201[.]69 port 443 - attempted TCP connections
- - 2.7.202[.]106 port 2222 - attempted TCP connections
- - 47.187.49[.]3 port 2222 - attempted TCP connections
- - 208.93.202[.]41 port 443 - attempted TCP connections
- - 217.133.54[.]140 port 32100 - attempted TCP connections
- - 45.118.216[.]157 port 443 - attempted TCP connections
- - 189.210.115[.]207 port 443 - attempted TCP connections
- - 41.227.82[.]102 port 443 - attempted TCP connections
- - 75.109.180[.]221 port 443 - attempted TCP connections
- - port 443 - www.openssl[.]org - HTTPS traffic for connectivity check
- - 54.36.108[.]120 port 65400 - Qakbot TCP traffic
- - 72.79.79[.]92 port 80 - encrypted data sent - returned HTTP message: 400 Page not found - Server: DVRDVS-Webs
- - 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /GSMu
- - 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /IE9CompatViewList.xml
- - 23.106.160[.]137 port 80 - amajai-technologies[.]work - POST /submit.php?id=450385698
- - 23.106.160[.]137 port 80 - amajai-technologies[.]work - GET /pixel.gif
- - port 443 - www.coolwick[.]com - small amount of HTTPS traffic to this business website.
- - port 443 - api.ipify[.]org - IP address check
- - DNS queries for mail.myfairport[.]com
- - DNS queries for smtp-relay.gmail[.]com
- - DNS queries for inbount.att[.]net
- - various IP addresses - various email-related ports - mail banner/connectivity traffic