Analyzing Qakbot — w/ Wireshark

Qakbot — What is it?

Qakbot is a family of malware that gives attackers unauthorized access to infected computers. It steals sensitive information and is often downloaded/installed by other malware such as Emotet. Its features include keystroke logging, collecting the host name and IP addresses, stealing cookies and certificates, stealing passwords from web browsers such as Internet Explorer, and much more.

Analysis of PCAP

Let’s dive into the PCAP! The capture contains traffic to the following hosts (all on port 80):

  1. sumonpro.xyz: 207.244.235.57 port 80
  2. vngkinderopvang.nl: 185.182.57.107 port 80
  3. stadt-fuchs.net: 136.243.123.152 port 80
  4. hdmedia.pro: 128.199.91.194 port 80
  5. www[dot]fernway[dot]com: 162.241.252.38 port 80
Indicates the file is an executable or DLL.
Extracting the hash of 44251798532407400000.dat via CertUtil
Checking the hash via VirusTotal
SMTP traffic captured
Email that tries to get the victim to download a malicious file.
Extracting the hash of Cancellation_Letter_541411513–02242021.xls via CertUtil
Indeed malicious, as seen above.

Other suspicious activities in the PCAP

We can also see several HTTPS connections, generated by the malware, that go to suspicious IPs directly with no domain name. I found these with the display filter: (http.request or tls.handshake.type == 1) && !(ssdp). Two examples are 71.117.132.169 and 76.25.142.196.
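The filter above matches TLS ClientHello messages (handshake type 1); what makes a connection "HTTPS without a domain" is a ClientHello with no SNI extension. As an added example (not from the original post), the following parses that handshake from raw bytes and lists the destinations contacted without any SNI. The ClientHello records and IP addresses are constructed samples, not taken from the capture.

```python
import struct

def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    exts += struct.pack("!HH", 0x000d, 2) + b"\x04\x01"              # signature_algorithms, filler
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 0x16 = handshake

def client_hello_sni(record):
    """Return the SNI host name in a ClientHello record, or None when the extension is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                   # skip record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher suites
    p += 1 + record[p]                               # compression methods
    if p + 2 > len(record):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0 and elen >= 5:
            # server_name data: 2-byte list length, 1-byte name type, 2-byte name length, name
            nlen = struct.unpack_from("!H", record, p + 3)[0]
            return record[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def no_sni_destinations(flows):
    """From (dst_ip, client_hello_bytes) pairs, list destinations contacted with no SNI at all."""
    return sorted({ip for ip, rec in flows if client_hello_sni(rec) is None})

# Constructed sample flows (RFC 5737 documentation addresses, not from the capture).
SAMPLE_FLOWS = [
    ("203.0.113.10", build_client_hello("example.com")),   # normal: SNI present
    ("198.51.100.7", build_client_hello(None)),            # suspicious: bare-IP HTTPS
]
```

Calling `no_sni_destinations(SAMPLE_FLOWS)` returns `['198.51.100.7']`, the bare-IP connection that deserves a closer look; on real traffic the same check can be run over the ClientHello payloads the filter above exports.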

71.117.132.169 traffic
76.25.142.196 traffic
Certificate data modified

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.