Chain of Events

Email --> link --> downloaded zip archive --> extracted Excel file --> enable macros --> HTTPS traffic for Qakbot DLL files --> Qakbot C2 activity --> DarkVNC traffic

Images
Indicators of Compromise (IOCs)

Malware from an infected Windows host:

SHA256 hash: 685aa1d29540f5b63effec08fdf63f8bc7e995d1f15635cc1fd251bb7fb0dc73
SHA256 hash: 236b9d345a9b405c4850f880e1734712967d7cc34b176c270e78dd6f02f9839d
SHA256 hash: 74400f2acc98e59ddeba6d55da3ee0ea0c909eefdefeca4f1d3bf817a27b692b
SHA256 hash: 29942eb47c0de0415b2507dff8822e3309dd4fcc2ac8d01434b37eb4f75efbe1
SHA256 hash: 59fb3927427c68dee4c2f267f3ed4eea82dc07058061e06b3cd9b18d1a84b77f
Traffic for zip archive:
Traffic for Qakbot DLL files:
Qakbot post-infection traffic:
Dark VNC traffic:
Certificate issuer data for Qakbot HTTPS traffic:

Certificate issuer data for HTTPS traffic to 189.146.73[.]62:
Certificate issuer data for HTTPS traffic to 75.99.168[.]194:
Certificate issuer data for HTTPS traffic to 37.252.0[.]102:
Final words

A packet capture (pcap) of the infection traffic and the associated malware samples are available here. The pcap is from an Active Directory (AD) environment. The pcap has been sanitized to disguise usernames, hostnames, domains, internal IP addresses, the public IP address used to connect from my test lab to the Internet, and any other information that could identify the environment.
Brad, ISC Handler, Apr 20th 2022
Comment from Anonymous, Apr 20th 2022:

Hi Brad, I received a suspicious email from the same attacker and would love to forward the information to you (context, email, URL hyperlink with .zip, etc.) to investigate.
Is there any way we can DM?