Introduction

Early morning Tuesday 2023-02-28, I generated an infection with a URL I found on VirusTotal after pivoting on a search for BB17-tagged distribution URLs for Qakbot (Qbot).  Based on other public reports, I saw the expected Qakbot activity.  Today's diary shares indicators from the infection.

Shown above:  Traffic from the infection filtered in Wireshark.

Indicators of Compromise (IOCs)

Files extracted from the pcap:

SHA256 hash: 5fb714dfc9206ab4d188bf3c0cb35c44fbf5246f863c1efd5fdaecaa0891bd7a

File size: 385,552 bytes
File name: clamouring.zip
File location: hxxp://columbiahhc[.]com/UM.php?atu=2
File type: Zip archive data, at least v2.0 to extract, compression method=deflate
File description: password-protected zip archive containing malicious disk image
Password: 764

SHA256 hash: e62a7453020148080614f7bd81ae3c316b1655b60845606120a6d671c5aaac43

File size: 798,720 bytes
File name: clamouring.img
File type: ISO 9660 CD-ROM filesystem data 'CD_ROM'
File description: Extracted from the above zip file, disk image with files for Qakbot infection

SHA256 hash: 442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7

File size: 606,304 bytes
File location: hxxp://67.207.84[.]43/Gy0toZ0/2
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File description: Qakbot DLL returned from 67.207.84[.]43
Run method: rundll32.exe [filename],N115

Traffic from link for password-protected zip archive:

64.151.228[.]124 port 80 - columbiahhc[.]com - GET /UM.php?atu=2
64.151.228[.]124 port 80 - columbiahhc[.]com - GET /UM.php?e=r1.zip

Traffic to retrieve the initial Qakbot DLL:

67.207.84[.]43 port 80 - 67.207.84[.]43 - GET /Gy0toZ0/2

Qakbot C2:

80.47.61[.]240 port 2222 - HTTPS traffic
185.80.53[.]210 port 443 - HTTPS traffic
port 443 - www.openssl.org - HTTPS traffic  <-- legitimate domain used for connectivity check by Qakbot
23.111.114[.]52 port 65400 - TCP traffic

Connectivity checks to legitimate domains generated by Qakbot C2 traffic.  This traffic is not malicious, but was generated by the infection:

port 443 - broadcom.com
port 443 - cisco.com
port 443 - google.com
port 443 - linkedin.com
port 443 - irs.gov
port 443 - microsoft.com
port 443 - oracle.com
port 443 - verisign.com
port 443 - xfinity.com
port 443 - yahoo.com

Self-signed certificate for Qakbot C2 at 80.47.61[.]240:    

id-at-countryName=PT
id-at-stateOrProvinceName=NO
id-at-localityName=Utjxyj
id-at-organizationName=Qdf Wah Uotvzke LLC.
id-at-commonName=meieou.info

Self-signed certificate for Qakbot C2 at 185.80.53[.]210:

id-at-countryName=US
id-at-stateOrProvinceName=NY
id-at-localityName=New York
id-at-organizationName=gifts.com
id-at-commonName=gifts.com

Note: The above is a self-signed certificate used by the Qakbot C2 server and is not associated with the actual gifts.com website.

Shown above:  Qakbot C2 server at 185.80.53[.]210 shows security warning for self-signed certificate when viewed in a web browser.

Shown abovve:  Self-signed certificate data for Qakbot C2 server at 185.80.53[.]210.

Final Words

Pcap from today's dairy can be found here.

----
Brad Duncan
brad [at] malware-traffic-analysis.net