Introduction
On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity. I've seen Cobalt Strike from Qakbot infections before. Below are two that I documented in December 2020.
I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.
Images
Indicators of Compromise (IOCs)
Malware from the infected Windows host:
SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12
SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44
Traffic to retrieve the initial Qakbot DLL:
Qakbot C2 traffic:
Cobalt Strike traffic:
Final words
A pcap of the infection traffic and the associated malware can be found here.
--- Brad Duncan, ISC Handler, Mar 3rd 2021