2020-12-07 - QAKBOT (QBOT) INFECTION WITH COBALT STRIKE (BEACON) AND SPAMBOT ACTIVITY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES
- 2020-12-07-Qakbot-with-Cobalt-Strike-IOCs.txt.zip 2.3 kB (2,312 bytes)
- 2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip 13.9 MB (13,850,352 bytes)
- 2020-12-07-Qakbot-malspam-7-examples-from-pcap.zip 153 kB (152,504 bytes)
- 2020-12-07-zip-attachments-from-malspam-7-examples.zip 139 kB (139,012 bytes)
- 2020-12-07-extracted-spreadsheet-from-zip-attachments-7-examples.zip 139 kB (138,879 bytes)
- 2020-12-07-start-of-new-Qakbot-infection.pcap.zip 15.4 MB (15,360,501 bytes)
- 2020-12-07-Qakbot-DLL-after-running-Excel-macro.bin.zip 2.7 kB (2,723 bytes)
IMAGES
Shown above: Some of the traffic filtered in Wireshark.
Shown above: Emails from spambot traffic in the pcap.
Shown above: One of the emails extracted from spambot traffic in the pcap.
Shown above: Traffic from the start of a new Qakbot infection on another Windows host.