2020-12-15 - QAKBOT (QBOT) INFECTION WITH COBALT STRIKE (BEACON)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES
- 2020-12-15-Qakbot-with-Cobalt-Strike-IOCs.txt.zip 1.4 kB (1,380 bytes)
- 2020-12-15-Qakbot-malspam-example-1549-UTC.eml.zip 29.1 kB (29,104 bytes)
- 2020-12-15-Qakbot-infection-part-1.pcap.zip 8.5 MB (8,496,628 bytes)
- 2020-12-15-Qakbot-infection-part-2-with-Cobalt-Strike.pcap.zip 31.2 MB (31,164,032 bytes)
- 2020-12-15-malware-from-Qakbot-infection.zip 56.5 kB (56,486 bytes)
NOTES:
- This post documents updated domains/IP addresses for Cobalt Strike activity from Qakbot, different from what I saw last week.
IMAGES
- Image 1 (not included here): Traffic from the Qakbot infection filtered in Wireshark.
- Image 2 (not included here): Cobalt Strike traffic seen hours after the initial Qakbot infection.