Analyzing Qakbot — w/ Wireshark

Qakbot — What is it?

Analysis of PCAP

  1. sumonpro.xyz: 207.244.235.57 port 80
  2. vngkinderopvang.nl: 185.182.57.107 port 80
  3. stadt-fuchs.net: 136.243.123.152 port 80
  4. hdmedia.pro: 128.199.91.194 port 80
  5. www[dot]fernway[dot]com: 162.241.252.38 port 80
Indicates the file is an executable or DLL file.
Extracting the hash of 44251798532407400000.dat via CertUtil
Checking the hash via VirusTotal
SMTP traffic captured
An email that tries to get the victim to download a malicious file.
Extracting the hash of Cancellation_Letter_541411513–02242021.xls via CertUtil
Confirmed malicious, as seen above

Other suspicious activities in the PCAP

71.117.132.169 traffic
76.25.142.196 traffic
Certificate Data Modified

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Ben Lee