SANS ISC: Qakbot infection with Cobalt Strike

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I've seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

• https://www.malware-traffic-analysis.net/2020/12/07/index.html
• https://www.malware-traffic-analysis.net/2020/12/15/index.html

I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.

Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images

Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.

Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).

Shown above:  Initial DLL saved a the victim's Windows host.

Shown above:  Artifact saved to disk during the Qakbot infection.

Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

• File size: 87,552 bytes
• File name: document-1955896638.xls
• File description: Excel spreadsheet with macro for Qakbot (Qbot)
• Any.Run analysis: https://app.any.run/tasks/713d7a1f-6905-4ddd-92e4-84c0bbc97f89
• Cape analysis: https://capesandbox.com/analysis/121176/
• Triage analysis: https://tria.ge/210302-1lphqmv2px

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

• File size: 434,744 bytes
• File location: hxxp://kfzhm28pwzrlk02bmjy[.]com/mrch.gif
• File location: C:\Users\[username]\IEUDLK.CJF
• File description: Initial DLL for Qakbot (Qbot) retrieved by Excel macro
• Any.Run analysis: https://app.any.run/tasks/957a9919-b411-4724-b49f-8c9a1a4c95ab
• Cape analysis: https://capesandbox.com/analysis/120925/
• Triage analysis: https://tria.ge/210302-y9rqfzcq5x

Traffic to retrieve the initial Qakbot DLL:

• 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif

Qakbot C2 traffic:

• 207.246.77[.]75 port 995 - HTTPS traffic

Cobalt Strike traffic:

• 45.144.29[.]185 port 443 - HTTPS traffic
• 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
• 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919

Final words

A pcap of the infection traffic and the associated malware can be found here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net