2020-06-12 - QAKBOT (QBOT) SPX139 INFECTION WITH ZLOADER

ASSOCIATED FILES:

NOTES:

 

IMAGES


Shown above:  Downloading the zip archive from a link in the malspam, and extracting the VBS file.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Files in the AppData\Local\Temp folder seen during this infection.

 


Shown above:  Some of the decoy directories created by ZLoader.

 


Shown above:  Final location of ZLoader on the infected Windows host.

 


Shown above:  Qakbot persistence on the infected Windows host.

 
