In this video I look for C2 traffic by doing something I call Rinse-Repeat Threat Hunting, which is a method for removing "normal" traffic in order to look closer at what isn't normal.
The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.
The PCAP files analyzed in the video are:
Thank you for sharing these capture files Brad!
- QBot source: 220.127.116.11
- QBot md5: 2b55988c0d236edd5ea1a631ccd37b76
- QBot sha1: 033a22c3bb2b0dd1677973e1ae6280e5466e771c
- QBot sha256: 2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0
- Qbot proxy protocol server: 18.104.22.168:65400
- QBot C2: 22.214.171.124:2222
- QBot C2 JA3: 51c64c77e60f3980eea90869b68c58a8
- QBot C2 JA3S : 7c02dbae662670040c7af9bd15fb7e2f
- QBot X.509 domain: thdoot.info
- QBot X.509 thumbprint: 5a8ee4be30bd5da709385940a1a6e386e66c20b6
- IcedID BackConnect server: 126.96.36.199:443
- IcedID BackConnect server: 188.8.131.52:8080
References and Links
- herALook.dat (MalwareBazaar)
- herALook.dat (VirusTotal)
- Qbot proxy protocol details (Securelist)
- QBot JA3 hash (DFIR Report)
- IcedID BackConnect protocol (Group-IB)
Part two of this analysis has been published: IcedID BackConnect Protocol
Posted by Erik Hjelmvik on Friday, 30 September 2022 12:37:00 (UTC/GMT)