2020-12-07 - QAKBOT (QBOT) INFECTION WITH COBALT STRIKE (BEACON) AND SPAMBOT ACTIVITY

ASSOCIATED FILES

• 2020-12-07-Qakbot-with-Cobalt-Strike-IOCs.txt.zip   kB   (2,312 bytes)
• 2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip   13.9 MB   (13,850,352 bytes)
• 2020-12-07-Qakbot-malspam-7-examples-from-pcap.zip   152 kB   (151,624 bytes)
• 2020-12-07-zip-attachments-from-malspam-7-examples.zip   138 kB   (138,068 bytes)
• 2020-12-07-extracted-spreadsheet-from-zip-attachments-7-examples.zip   138 kB   (137,711 bytes)
• 2020-12-08-start-of-new-Qakbot-infection.pcap.zip   15.4 MB   (15,360,501 bytes)
• 2020-12-08-Qakbot-DLL-after-running-Excel-macro.zip   2.7 kB   (2,655 bytes)

NOTES:

• All zip archives on this site are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

IMAGES

Shown above:  Some of the traffic filtered in Wireshark.

 

Shown above:  Emails from spambot traffic in the pcap.

 

Shown above:  One of the emails extracted from spambot traffic in the pcap.

 

Shown above:  Traffic from the start of a new Qakbot infection on another Windows host.

 

Click here to return to the main page.