{
	"id": "50535a95-1b40-4222-ba22-2888dc64d82b",
	"created_at": "2026-04-06T00:20:08.715685Z",
	"updated_at": "2026-04-10T03:36:47.954646Z",
	"deleted_at": null,
	"sha1_hash": "0fb546c150b7d6e73c3254cfb2ad6eaef37d0088",
	"title": "Wireshark Tutorial: Examining Qakbot Infections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3235417,
	"plain_text": "Wireshark Tutorial: Examining Qakbot Infections\r\nBy Brad Duncan\r\nPublished: 2020-02-13 · Archived: 2026-04-05 13:20:43 UTC\r\nOverview\r\nQakbot is an information stealer also known as Qbot. This family of malware has been active for years, and\r\nQakbot generates distinct traffic patterns. This Wireshark tutorial reviews a recent packet capture (pcap) from a\r\nQakbot infection. Understanding these traffic patterns can be critical for security professionals when detecting and\r\ninvestigating Qakbot infections.\r\nNote: This tutorial assumes you have a basic knowledge of network traffic and Wireshark. We use a customized\r\ncolumn display shown in this tutorial. You should also have experience with Wireshark display filters as described\r\nin this additional tutorial.\r\nPlease also note that the pcap used for this tutorial contains malware. You should review this pcap in a non-Windows environment. If you are limited to a Windows computer, we suggest reviewing the pcap within a virtual\r\nmachine (VM) running any of the popular recent Linux distros.\r\nThis tutorial will cover the following:\r\nQakbot distribution methods\r\nInitial zip archive from link in malspam\r\nWindows executable for Qakbot\r\nPost-infection HTTPS activity\r\nOther post-infection traffic\r\nThe pcap used for this tutorial is located here. Download the zip archive named 2020-01-29-Qbot-infection-traffic.pcap.zip and extract the pcap. Figure 1 shows our pcap open in Wireshark, ready to review.\r\nhttps://unit42.paloaltonetworks.com/tutorial-qakbot-infection/\r\nPage 1 of 18\n\nFigure 1. The pcap for this tutorial.\r\nQakbot Distribution Methods\r\nQakbot is most often distributed through malicious spam (malspam), but it also has been distributed through\r\nexploit kits as recently as November 2019. 
In some cases, Qakbot is a follow-up infection caused by different\r\nmalware like Emotet as reported in this example from March 2019.\r\nRecent malspam-based distribution campaigns for Qakbot follow a chain of events shown in Figure 2.\r\nFigure 2. Flow chart from recent Qakbot distribution campaigns.\r\nInitial Zip Archive from Link in Malspam\r\nRecent malspam distributing Qakbot uses fake email chains that spoof legitimate email addresses. One such\r\nexample is shown in Figure 3.\r\nFigure 3. Recent malspam example pushing Qakbot.\r\nURLs from these emails end with a short series of numbers followed by .zip. See Table 1 for a few examples of\r\nURLs from Qakbot malspam recently reported on URLhaus and Twitter.\r\nFirst reported URL for initial zip archive\r\n2019-12-27 hxxps://prajoon.000webhostapp[.]com/wp-content/uploads/2019/12/last/033/033.zip\r\n2019-12-27 hxxps://psi-uae[.]com/wp-content/uploads/2019/12/last/870853.zip\r\n2019-12-27 hxxps://re365[.]com/wp-content/uploads/2019/12/last/85944289/85944289.zip\r\n2019-12-27 hxxps://liputanforex.web[.]id/wp-content/uploads/2019/12/last/794/794.zip\r\n2020-01-06 hxxp://eps.icothanglong.edu[.]vn/forward/13078.zip\r\n2020-01-22 hxxp://hitechrobo[.]com/wp-content/uploads/2020/01/ahead/84296848/84296848.zip\r\n2020-01-22 hxxp://faithoasis.000webhostapp.com/wp-content/uploads/2020/01/ahead/550889.zip\r\n2020-01-27 hxxps://madisonclubbar[.]com/fast/invoice049740.zip\r\n2020-01-29 hxxp://zhinengbao[.]wang/wp-content/uploads/2020/01/lane/00571.zip\r\n2020-01-29 hxxp://bhatner[.]com/wp-content/uploads/2020/01/ahead/9312.zip\r\n2020-02-03 hxxp://santedeplus[.]info/wp-content/uploads/2020/02/ending/1582820/1582820.zip\r\nTable 1. 
URLs for the initial zip archive to kick off a Qakbot infection chain.\r\nIn our pcap, you can find the HTTP request for a zip archive using http.request.uri contains .zip in the Wireshark\r\nfilter as shown in Figure 4.\r\nFigure 4. Finding the URL for the initial zip archive.\r\nFollow the TCP stream to confirm this is a zip archive as shown in Figure 5 and Figure 6, then try to export the zip\r\narchive from the pcap as shown in Figure 7.\r\nFigure 5. Following the TCP stream for the HTTP request from our filter results.\r\nFigure 6. Indicators this URL returned a zip archive.\r\nFigure 7. Exporting objects from HTTP traffic in the pcap.\r\nIn most cases, the menu for File → Export Objects → HTTP should export a zip archive sent over HTTP.\r\nUnfortunately, as shown in Figure 8, we cannot export this file named 9312.zip because it is separated into\r\nhundreds of smaller parts within the export HTTP objects list.\r\nFigure 8. 9312.zip is broken up into hundreds of objects within the list, so we cannot export it this\r\nway.\r\nFortunately, we can export data from a TCP stream window and edit the binary in a hex editor to remove any HTTP\r\nresponse headers. Use the following steps to extract the zip archive from this pcap:\r\n1. Follow the TCP stream for the HTTP request for 9312.zip.\r\n2. Show only the response traffic in the TCP stream window.\r\n3. Change “Show and save data as” from ASCII to Raw.\r\n4. Save the data as a binary (I chose to save it as: 9312.zip.bin)\r\n5. Open the binary in a hex editor and remove the HTTP response headers before the first two bytes of\r\nthe zip archive (which show as PK in ASCII).\r\n6. Save the file as a zip archive (I chose to save it as 9312.zip)\r\n7. 
Check the file to make sure it’s a zip archive.\r\nSee Figures 9 through 14 for a visual guide of this process.\r\nFigure 9. Step 2 - When viewing the TCP stream, switch from viewing the entire conversation to\r\nviewing only data returned from the server.\r\nFigure 10. Step 3 - Show and save data as Raw instead of ASCII.\r\nFigure 11. Step 4 - Save this raw data from the TCP stream as a binary.\r\nFigure 12. Step 5 - Open your saved binary in a hex editor and remove any HTTP response data\r\nbefore the first two bytes of the zip archive (that show as PK in ASCII).\r\nFigure 13. Step 6 - Save your edited binary as a zip archive.\r\nFigure 14. Step 7 - Confirm the edited file is a zip archive, then extract the VBS file and check the\r\nfile hashes.\r\nFigure 14 shows how to use a terminal window from a Debian-based Linux distro to check the files. From our\r\npcap, the zip archive should be the same as this file submitted to VirusTotal. Our extracted VBS file should be the\r\nsame as this file also submitted to VirusTotal.\r\nA public sandbox analysis of our extracted VBS file indicates it generates the next Qakbot-related URL in our\r\ninfection chain: a URL that returned a Windows executable for Qakbot.\r\nWindows Executable for Qakbot\r\nThese extracted VBS files generate URLs that return Windows executables for Qakbot. Since December 2019,\r\nURLs for Qakbot executables have ended with 44444.png or 444444.png. 
See Table 2 for some recent examples\r\nof these Qakbot URLs we found using our AutoFocus Threat Intelligence service.\r\nFirst Seen URL for Qakbot executable\r\n2019-12-27 hxxp://centre-de-conduite-roannais[.]com/wp-content/uploads/2019/12/last/444444.png\r\n2020-01-06 hxxp://newsinside[.]info/wp-content/uploads/2020/01/forward/44444.png\r\n2020-01-15 hxxp://iike.xolva[.]com/wp-content/themes/keenshot/fast/444444.png\r\n2020-01-17 hxxp://deccolab[.]com/fast/444444.png\r\n2020-01-21 hxxp://myrestaurant.coupoly[.]com/wp-content/uploads/2020/01/along/444444.png\r\n2020-01-22 hxxp://alphaenergyeng[.]com/wp-content/uploads/2020/01/ahead/444444.png\r\n2020-01-23 hxxp://claramohammedschoolstl[.]org/wp-content/uploads/2020/01/upwards/444444.png\r\n2020-01-23 hxxp://creationzerodechet[.]com/choice/444444.png\r\n2020-01-26 hxxp://productsphotostudio[.]com/wp-content/uploads/2020/01/lane/444444.png\r\n2020-01-27 hxxp://sophistproduction[.]com/wp-content/uploads/2020/01/choice/444444.png\r\n2020-01-30 hxxp://uofnpress[.]ch/wp-content/uploads/2020/01/side/444444.png\r\n2020-02-03 hxxp://csrkanjiza[.]rs/wp-content/uploads/2020/02/ending/444444.png\r\nTable 2. URLs for Qakbot executables.\r\nIn our pcap, find the HTTP GET request for our Qakbot executable using http.request.uri contains .png in the\r\nWireshark filter as shown in Figure 15.\r\nFigure 15. Finding the URL for our Qakbot executable.\r\nExport this object from the pcap using the File → Export Objects → HTTP menu path as shown in Figure 16 and\r\ncheck the results as shown in Figure 17.\r\nFigure 16. Exporting our Qakbot executable from the pcap.\r\nFigure 17. Checking the exported file in a Debian-based Linux terminal window.\r\nFrom our pcap, the Qakbot executable should be this file submitted to VirusTotal. 
A public sandbox analysis of\r\nthis file generated several Qakbot indicators (identified as Qbot).\r\nPost-infection HTTPS Activity\r\nUse your basic filter (covered in this previous Wireshark tutorial) for a quick view of web traffic in our pcap.\r\nScroll down to activity after the HTTP GET request to alphaenergyeng[.]com that returned our Qakbot executable.\r\nYou should see several indicators of HTTPS or SSL/TLS traffic to 68.1.115[.]106 with no associated domain as\r\nnoted in Figure 18.\r\nFigure 18. HTTPS or SSL/TLS traffic caused by Qakbot.\r\nThis traffic has unusual certificate issuer data commonly noted during Qakbot infections. We reviewed unusual\r\ncertificate issuer data in our previous Wireshark tutorial about Ursnif, so this should be easy to find.\r\nLet’s review our Qakbot certificate issuer data using the following Wireshark filter:\r\nip.addr eq 68.1.115.186 and ssl.handshake.type eq 11\r\nFor Wireshark 3.0 or newer, use tls.handshake.type instead of ssl.handshake.type. Select the first frame in your\r\nresults and expand the frame details window until you find the certificate issuer data as shown in Figure 19.\r\nFigure 19. Reviewing certificate issuer data from Qakbot traffic.\r\nPatterns for the locality name, organization name, and common name are highly unusual, not normally found in\r\ncertificates from legitimate HTTPS, SSL, or TLS traffic. Our example of this issuer data is listed below:\r\nid-at-countryName=ES\r\nid-at-stateOrProvinceName=IA\r\nid-at-localityName=Uorh Ofwa\r\nid-at-organizationName=Coejdut Mavmtko Qxyemk Dxsjie LLC.\r\nid-at-commonName=gaevietovp.mobi\r\nOther Post-infection Traffic\r\nOur pcap contains other activity associated with a Qakbot infection. 
Each activity is not inherently malicious on\r\nits own, but taken together with our previous findings, we can assume a full Qakbot infection.\r\nAnother indicator of a Qakbot infection is HTTPS traffic to cdn.speedof[.]me. The domain speedof[.]me is used\r\nby a legitimate Internet speed test service. Although this is not malicious traffic, we frequently see traffic to\r\ncdn.speedof[.]me during Qakbot infections. Figure 20 shows this activity from our pcap.\r\nFigure 20. The domain cdn.speedof[.]me within the Qakbot traffic.\r\nQakbot also opens windows from all browsers on an infected Windows host. At approximately 13 minutes and 5\r\nseconds into this sandbox analysis, the video playback shows Qakbot opening Chrome, then Firefox, then Internet Explorer on a Windows 7 host.\r\nThis analysis shows Qakbot generated traffic to the following URLs:\r\nhxxp://store.nvprivateoffice[.]com/redir_chrome.html\r\nhxxp://store.nvprivateoffice[.]com/redir_ff.html\r\nhxxp://store.nvprivateoffice[.]com/redir_ie.html\r\nThe domain nvprivateoffice[.]com has been registered through GoDaddy since 2012, and\r\nstore.nvprivateoffice[.]com shows a default web page for nginx on a Fedora server.\r\nOur pcap for this tutorial is from a Qakbot infection on a Windows 10 host without Chrome or Firefox installed.\r\nOur pcap only shows web traffic for Internet Explorer and the new Chromium-based Microsoft Edge. Both times,\r\nthe URL generated by Qakbot was hxxp://store.nvprivateoffice[.]com/redir_ie.html.\r\nTo find this traffic, use the following Wireshark filter as shown in Figure 21:\r\nhttp.request.full_uri contains store.nvprivateoffice\r\nFigure 21. Finding Qakbot traffic that opens web browsers on an infected Windows host.\r\nFollow the TCP stream for each of the two HTTP GET requests ending in redir_ie.html. 
The first request has a\r\nUser-Agent in the HTTP headers for Internet Explorer as shown in Figure 22. The second request for the same\r\nURL has a User-Agent in the HTTP headers for the new Chromium-based Microsoft Edge as noted in Figure 23.\r\nFigure 22. Qakbot traffic to store.nvprivateoffice[.]com using Internet Explorer 11.\r\nFigure 23. Qakbot traffic to store.nvprivateoffice[.]com using the new Chromium-based Microsoft\r\nEdge.\r\nFinally, our pcap from the Qakbot-infected host also has email-related TCP traffic to various ports for various\r\nemail protocols like SMTP, IMAP, and POP3. To get an idea of this non-web-related traffic, use the following\r\nWireshark filter as shown in Figure 25:\r\ntcp.flags eq 0x0002 and !(tcp.port eq 80) and !(tcp.port eq 443)\r\nFigure 25. Getting an idea of the non-web-related traffic from this Qakbot infection.\r\nFigure 25 shows TCP connections and attempted TCP connections to various ports like 25, 110, 143, 465, 587,\r\n993, and 995 commonly used by different email protocols. The first two lines in the results show traffic to TCP\r\nport 65400, but reviewing the associated TCP streams indicates this is also email-related traffic.\r\nUse the following Wireshark filter to get a better idea of email-related traffic from the infected host as shown in\r\nFigure 26:\r\nsmtp or imap or pop\r\nFigure 26. Finding email-related traffic caused by Qakbot in this pcap.\r\nFollow some of the TCP streams to get a better idea for this type of email traffic. We do not normally see such\r\nunencrypted email traffic originating from a Windows client to public IP addresses. 
Along with other indicators,\r\nthis smtp or imap or pop filter may reveal Qakbot activity.\r\nSource: https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/"
	],
	"report_names": [
		"tutorial-qakbot-infection"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fb546c150b7d6e73c3254cfb2ad6eaef37d0088.pdf",
		"text": "https://archive.orkl.eu/0fb546c150b7d6e73c3254cfb2ad6eaef37d0088.txt",
		"img": "https://archive.orkl.eu/0fb546c150b7d6e73c3254cfb2ad6eaef37d0088.jpg"
	}
}