Malware-Traffic-Analysis.net - 2022-12-09 - HTML smuggling leads to Qakbot, distribution/botnet tag: azd

2022-12-09 (FRIDAY) - HTML SMUGGLING LEADS TO QAKBOT (QBOT), DISTRIBUTION/BOTNET TAG: AZD

NOTES:

The HTML file used for smuggling was posted to VirusTotal today, and create/modify dates for the disk image & its content are all 2022-12-09.
Zip files are password-protected. If you don't know the password, see the "about" page of this website.

ASSOCIATED FILES:

2022-12-09-IOCs-for-azd-Qakbot.txt.zip 2.6 kB (2,642 bytes)
2022-12-09-azd-Qakbot-infection-traffic-carved-and-santized.pcap.zip 1.9 MB (1,929,146 bytes)
2022-12-09-azd-Qakbot-malware-and-artifacts.zip 2.0 MB (1,967,131 bytes)

IMAGES

Shown above: HTML file opened in Microsoft Edge web browser.

Shown above: Downloaded zip archive contains disk image with contents for Qakbot.

Shown above: Qakbot creates a folder named with random alphabetic characters under C:\Users\[username]\AppData\Roaming\Microsoft directory.

Shown above: Qakbot also creates a Windows registry key named with random alphabetic characters uder the HKCU\SOFTWARE\Microsoft.

Shown above: Traffic (carved and sanitized) of the infection filtered in Wireshark.

Shown above: Active Qakbot C2 server viewed in Firefox web browser.

Shown above: Certificate data from Qakbot C2 server for HTTPS traffic shown in Firefox.

2022-12-09 (FRIDAY) - HTML SMUGGLING FOR QAKBOT (QBOT) DISTRIBUTION TAG: AZD

DISTRIBUTION:

- Unknown source (email?) --> HTML file --> password-protected zip archive --> extracted ISO image with .img file extension

INFECTION FROM DISK IMAGE:

- Visible Windows shortcut runs --> .cmd file with obfuscated script, which runs --> Qakbot DLL

DISTRIBUTION FILES:

- SHA256 hash: 4efc4cc462a27245945ee90465caef589b71c41b33bf6d24ce2e6f74b75fdbe7
- File size: 1,287,748 bytes
- File name: SCAN_DT6281.html
- File description: HTML file used for HTML smuggling, generates password-protected zip archive

- SHA256 hash: b393d0b041aeb2299936d2362b67e324e7a8c6765a5bfacdabff3c4820c841c7
- File size: 369,344 bytes
- File name: 5f21561d-cd4e-4e55-8622-eeee37af1c7b.zip
- File description: Password-protected zip archive generated by above HTML file
- Password: 052333

- SHA256 hash: cc1fdbde529da88eeab58ff1695c80d2be68df600024860b3b9622c8a312affa
- File size: 1,056,768 bytes
- File name: SCAN_DT6281.img
- File description: Extracted from above zip, this is an ISO disk image with an .img file extension

DISK IMAGE CONTENTS:

- SHA256 hash: 1aa40f0bcf14d02d5aa184c70f2d9fb8e20532777a63094580abf1d79d2525e6
- File size: 1,972 bytes
- File name: SCAN_DT6281.lnk
- File description: Windows shortcut, only visible file in disk image
- Shortcut: C:\Windows\System32\cmd.exe /c IncomingPay\Issues.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 
            4 5 6 7 8 9

- SHA256 hash: 20e3441a46717fc6cd0ad5a4dca25246c211e8c355755dae067c45ff2d97f59b
- File size: 9,577 bytes
- File name: IncomingPay\Issues.cmd
- File description: In hidden directory, .cmd file run by above shortcut

- SHA256 hash: f4f8a14f76055dbe55422ba8754582ed8abf139b7ed33630fa656cb7e879bc7d
- File size: 660,992 bytes
- File name: IncomingPay\NewInformation.lc
- File description: In hidden directory, Qakbot DLL run by above .cmd file
- Qakbot version: 404.30
- Qakbot distribution tag/botnet: azd
- Run method: regsvr32.exe /s NewInformation.lc
- Analysis: https://tria.ge/221209-2j4zssee88

- File name: IncomingPay\ChangeRules.txt
- File description: Decoy text file in hidden directory (from psyhcology paper or publication)

- File name: IncomingPay\Changes.txt
- File description: Decoy text file in hidden directory (from psyhcology paper or publication)

QAKBOT C2 TRAFFIC:

- legitimate domains for connectivity checks before each attempt at C2 traffic
- 98.178.242.28:443 - HTTPS traffic for Qakbot C2

CERTIFICATE DATA FOR HTTPS TRAFFIC FROM QAKBOT SERVER AT 98.178.242.28:443:

- Subject Name: 
  - Country: PT
  - Organizational Unit: Eteri Boyiuhuspw
  - Common Name: fscej.org

- Issuer Name:
  - Country: PT
  - State/Province: GR
  - Locality: Ocoa Jeoqkfmz
  - Organization: Dqimuc Saoamaf Sngiantob Kjujtk
  - Common Name: fscej.org
  
- Validity:
  - Not Before: Tue, 06 Dec 2022 18:10:07 GMT
  - Not After: Fri, 05 Dec 2025 21:53:13 GMT

120 QAKBOT C2 IP ADDRESSES EXTRACTED FROM THE DLL (BASED ON TRIA.GE ANALYSIS):

- 2.99.47.198:2222
- 201.137.151.25:443
- 201.208.139.250:2222
- 208.180.17.32:2222
- 213.67.255.57:2222
- 217.128.91.196:2222
- 24.69.87.61:443
- 24.71.120.191:443
- 24.142.218.202:443
- 24.206.27.39:443
- 27.109.19.90:2078
- 31.53.29.245:2222
- 38.166.226.185:2087
- 41.228.226.109:995
- 46.10.198.106:443
- 47.16.76.35:2222
- 47.34.30.133:443
- 47.41.154.250:443
- 50.68.204.71:443
- 50.68.204.71:995
- 50.90.249.161:443
- 64.121.161.102:443
- 66.85.236.205:2222
- 66.180.226.117:2222
- 66.191.69.18:995
- 67.61.71.201:443
- 69.119.123.159:2222
- 70.51.153.251:2222
- 70.66.199.12:443
- 70.77.116.233:443
- 70.115.104.126:995
- 70.121.198.103:2078
- 71.31.101.183:443
- 71.247.10.63:995
- 72.200.109.104:443
- 73.29.92.128:443
- 73.36.196.11:443
- 73.155.10.79:443
- 74.66.134.24:443
- 75.98.154.19:443
- 75.99.125.236:2222
- 75.143.236.149:443
- 76.80.180.154:995
- 76.100.159.250:443
- 78.69.251.252:2222
- 80.13.179.151:2222
- 81.229.117.95:2222
- 81.248.77.37:2222
- 82.9.210.36:443
- 83.213.192.136:443
- 84.35.26.14:995
- 84.113.121.103:443
- 85.7.61.22:2222
- 85.61.165.153:2222
- 86.96.75.237:2222
- 86.130.9.250:2222
- 86.165.15.180:2222
- 86.171.75.63:443
- 86.190.16.164:443
- 87.202.101.164:50000
- 87.221.197.110:2222
- 87.223.91.46:443
- 88.126.94.4:50000
- 90.4.193.117:2222
- 90.66.229.185:2222
- 90.79.129.166:2222
- 90.104.22.28:2222
- 90.221.1.60:443
- 91.68.227.219:443
- 91.165.188.74:50000
- 91.169.12.198:32100
- 91.171.148.162:50000
- 91.180.68.95:2222
- 92.8.190.211:2222
- 92.27.86.48:2222
- 92.154.17.149:2222
- 92.189.214.236:2222
- 93.156.98.63:443
- 94.30.98.134:32100
- 98.145.23.67:443
- 98.147.155.235:443
- 98.178.242.28:443
- 98.187.21.2:443
- 99.229.164.42:443
- 99.251.67.229:443
- 100.8.168.108:443
- 103.71.21.107:443
- 108.6.249.139:443
- 109.11.175.42:2222
- 109.76.25.214:443
- 109.145.40.125:443
- 12.172.173.82:22
- 12.172.173.82:465
- 12.172.173.82:990
- 12.172.173.82:993
- 12.172.173.82:995
- 12.172.173.82:50001
- 121.122.99.223:995
- 123.3.240.16:995
- 136.35.241.159:443
- 141.255.65.113:995
- 172.117.139.142:995
- 172.90.139.138:2222
- 173.18.126.3:443
- 173.239.94.212:443
- 174.104.184.149:443
- 176.133.4.230:995
- 178.191.21.187:995
- 184.189.41.80:443
- 184.68.116.146:2222
- 184.68.116.146:3389
- 184.68.116.146:50010
- 185.135.120.81:443
- 188.48.123.229:995
- 188.79.182.186:2222
- 190.24.45.24:995
- 193.253.100.236:2222
- 193.32.212.114:443
- 197.94.213.23:443
- 199.83.165.233:443

Click here to return to the main page.