Erik Hjelmvik, Thursday, 02 March 2023 12:43:00 (UTC/GMT)
In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic.
The analyzed PCAP file is from malware-traffic-analysis.net.
IOC List
C2 IP and port: 80.47.61.240:2222
C2 IP and port: 185.80.53.210:443
QakBot proxy IP and port: 23.111.114.52:65400
JA3: 72a589da586844d7f0818ce684948eea
JA3S: ec74a5c51106f0419184d0dd08fb05bc
JA3S: fd4bc6cea4877646ccd62f0792ec0b62
meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e
meieou.info X.509 cert Subject OU: Hoahud Duhcuv Dampvafrog
meieou.info X.509 cert Issuer O: Qdf Wah Uotvzke LLC.
gifts.com X.509 cert hash: 0c7a37f55a0b0961c96412562dd0cf0b0b867d37
HTML Body Hash: 22e5446e82b3e46da34b5ebce6de5751664fb867
HTML Title: Welcome to CentOS
Links
For more analysis of QakBot network traffic, check out my Hunting for C2 Traffic video.
Tags: #QakBot #QBot #C2 #Video #malware-traffic-analysis.net #ThreatFox #ec74a5c51106f0419184d0dd08fb05bc #fd4bc6cea4877646ccd62f0792ec0b62 #CapLoader #NetworkMiner
Short URL: https://netresec.com/?b=233eaa1
Erik Hjelmvik, Friday, 30 September 2022 12:37:00 (UTC/GMT)
In this video I look for C2 traffic by doing something I call Rinse-Repeat Threat Hunting, which is a method for removing "normal" traffic in order to look closer at what isn't normal.
The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.
The PCAP files analyzed in the video are:
Thank you for sharing these capture files Brad!
IOC List
QBot source: 23.29.125.210
QBot md5: 2b55988c0d236edd5ea1a631ccd37b76
QBot sha1: 033a22c3bb2b0dd1677973e1ae6280e5466e771c
QBot sha256: 2d68755335776e3de28fcd1757b7dcc07688b31c37205ce2324d92c2f419c6f0
Qbot proxy protocol server: 23.111.114.52:65400
QBot C2: 45.46.53.140:2222
QBot C2 JA3: 51c64c77e60f3980eea90869b68c58a8
QBot C2 JA3S: 7c02dbae662670040c7af9bd15fb7e2f
QBot X.509 domain: thdoot.info
QBot X.509 thumbprint: 5a8ee4be30bd5da709385940a1a6e386e66c20b6
IcedID BackConnect server: 78.31.67.7:443
IcedID BackConnect server: 91.238.50.80:8080
References and Links
Update 2022-10-13
Part two of this analysis has been published: IcedID BackConnect Protocol
Tags: #Threat Hunting #PCAP #CapLoader #NetworkMiner #NetworkMiner Professional #Video #QBot #QakBot #51c64c77e60f3980eea90869b68c58a8 #IcedID #TA578
Short URL: https://netresec.com/?b=2296553