NETRESEC Network Security Blog - Tag : 51c64c77e60f3980eea90869b68c58a8

rss Google News

Hunting for C2 Traffic

In this video I look for C2 traffic by doing something I call Rinse-Repeat Threat Hunting, which is a method for removing "normal" traffic in order to look closer at what isn't normal.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

The PCAP files analyzed in the video are:

Thank you for sharing these capture files Brad!

IOC List

  • QBot source: 23.29.125.210
  • QBot md5: 2b55988c0d236edd5ea1a631ccd37b76
  • QBot sha1: 033a22c3bb2b0dd1677973e1ae6280e5466e771c
  • QBot sha256: 2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0
  • Qbot proxy protocol server: 23.111.114.52:65400
  • QBot C2: 45.46.53.140:2222
  • QBot C2 JA3: 51c64c77e60f3980eea90869b68c58a8
  • QBot C2 JA3S : 7c02dbae662670040c7af9bd15fb7e2f
  • QBot X.509 domain: thdoot.info
  • QBot X.509 thumbprint: 5a8ee4be30bd5da709385940a1a6e386e66c20b6
  • IcedID BackConnect server: 78.31.67.7:443
  • IcedID BackConnect server: 91.238.50.80:8080

References and Links

Update 2022-10-13

Part two of this analysis has been published: IcedID BackConnect Protocol

Posted by Erik Hjelmvik on Friday, 30 September 2022 12:37:00 (UTC/GMT)

Tags: #Threat Hunting#PCAP#CapLoader#NetworkMiner#NetworkMiner Professional#Video#51c64c77e60f3980eea90869b68c58a8#IcedID#TA578

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=2296553


Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

Initial Infection

Palo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March. A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.

Screenshot of original infection email from Unit 42

Image: Screenshot of original infection email from Unit 42

  • Attachment MD5: 825e8ea8a9936eb9459344b941df741a

Emotet Download

The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.

CapLoader download of Emotet DLL from diacrestgroup.com

Image: CapLoader transcript of Emotet download

  • DNS: diacrestgroup.com
  • MD5: 99f59e6f3fa993ba594a3d7077cc884d

Emotet Command-and-Control

Just seconds after the Emotet DLL download completes the victim machine starts communicating with an IP address classified as a botnet command-and-control server.

Emotet C2 sessions with JA3 51c64c77e60f3980eea90869b68c58a8 in CapLoader

Image: Emotet C2 sessions in CapLoader

  • C2 IP: 209.15.236.39
  • C2 IP: 147.139.134.226
  • C2 IP: 134.209.156.68
  • JA3: 51c64c77e60f3980eea90869b68c58a8
  • JA3S: ec74a5c51106f0419184d0dd08fb05bc
  • JA3S: fd4bc6cea4877646ccd62f0792ec0b62

Emotet Spambot

The victim PC eventually started sending out spam emails. The spam bot used TLS encryption when possible, either through SMTPS (implicit TLS) or with help of STARTTLS (explicit TLS).

Emotet spambot JA3 hash 37cdab6ff1bd1c195bacb776c5213bf2 in NetworkMiner Professional

Image: Emotet spambot JA3 hash in NetworkMiner Professional

  • SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
  • STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2

Transmitted Spam

Below is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.

Emotet spam email from PCAP

Image: Spam email extracted from Emotet PCAP with NetworkMiner

  • .zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db
  • .xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b

Network Forensics Training

If you want to learn additional techniques for analyzing network traffic, then take a look at our upcoming network forensic trainings.

Posted by Erik Hjelmvik on Monday, 09 May 2022 06:50:00 (UTC/GMT)

Tags: #Emotet#C2#video#pcap#JA3#JA3S#51c64c77e60f3980eea90869b68c58a8#SMTP#SMTPS#Windows Sandbox

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=225196a

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange

twitter

NETRESEC on Twitter: @netresec