# QakBot C2 Traffic **netresec.com/** Erik Hjelmvik , Thursday, 02 March 2023 12:43:00 (UTC/GMT) March 2, 2023 In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-trafficanalysis.net. **IOC List** C2 IP and port: 80.47.61.240:2222 C2 IP and port: 185.80.53.210:443 QakBot proxy IP and port: 23.111.114.52:65400 JA3: 72a589da586844d7f0818ce684948eea JA3S: ec74a5c51106f0419184d0dd08fb05bc JA3S: fd4bc6cea4877646ccd62f0792ec0b62 meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e meieou.info X.509 cert Subject OU: Hoahud Duhcuv Dampvafrog meieou.info X.509 cert Issuer O: Qdf Wah Uotvzke LLC. gifts.com X.509 cert hash: 0c7a37f55a0b0961c96412562dd0cf0b0b867d37 HTML Body Hash: 22e5446e82b3e46da34b5ebce6de5751664fb867 ----- HTML Title: Welcome to CentOS **Links** For more analysis of QakBot network traffic, check out my [Hunting for C2 Traffic video.](https://netresec.com/?b=2296553) Posted by Erik Hjelmvik on Thursday, 02 March 2023 12:43:00 (UTC/GMT) [Tags: #QakBot​ #QBot​ #C2​ #Video​ #malware-traffic-analysis.net​ #ThreatFox​](https://www.netresec.com/?page=Blog&tag=QakBot) [#ec74a5c51106f0419184d0dd08fb05bc​ #fd4bc6cea4877646ccd62f0792ec0b62​ #CapLoader​](https://www.netresec.com/?page=Blog&tag=ec74a5c51106f0419184d0dd08fb05bc) [#NetworkMiner​](https://www.netresec.com/?page=Blog&tag=NetworkMiner) ## Recent Posts » [QakBot C2 Traffic](https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic) » [TLS Redirection and Dynamic Decryption Bypass in PolarProxy](https://www.netresec.com/?page=Blog&month=2023-02&post=TLS-Redirection-and-Dynamic-Decryption-Bypass-in-PolarProxy) » [How to Identify IcedID Network Traffic](https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic) » [CapLoader 1.9.5 Alerts on Malicious Traffic](https://www.netresec.com/?page=Blog&month=2023-02&post=CapLoader-1-9-5-Alerts-on-Malicious-Traffic) » [Online Network Forensics Class](https://www.netresec.com/?page=Blog&month=2023-01&post=Online-Network-Forensics-Class) » [IEC-104 File Transfer Extraction](https://www.netresec.com/?page=Blog&month=2023-01&post=IEC-104-File-Transfer-Extraction) » [NetworkMiner 2.8 Released](https://www.netresec.com/?page=Blog&month=2023-01&post=NetworkMiner-2-8-Released) » [NetworkMiner in FLARE VM](https://www.netresec.com/?page=Blog&month=2022-12&post=NetworkMiner-in-FLARE-VM) ## Blog Archive » [2023 Blog Posts](https://www.netresec.com/?page=Blog&year=2023) » [2022 Blog Posts](https://www.netresec.com/?page=Blog&year=2022) » [2021 Blog Posts](https://www.netresec.com/?page=Blog&year=2021) » [2020 Blog Posts](https://www.netresec.com/?page=Blog&year=2020) » [2019 Blog Posts](https://www.netresec.com/?page=Blog&year=2019) » [2018 Blog Posts](https://www.netresec.com/?page=Blog&year=2018) » [2017 Blog Posts](https://www.netresec.com/?page=Blog&year=2017) » [2016 Blog Posts](https://www.netresec.com/?page=Blog&year=2016) ----- » [2015 Blog Posts](https://www.netresec.com/?page=Blog&year=2015) » [2014 Blog Posts](https://www.netresec.com/?page=Blog&year=2014) » [2013 Blog Posts](https://www.netresec.com/?page=Blog&year=2013) » [2012 Blog Posts](https://www.netresec.com/?page=Blog&year=2012) » [2011 Blog Posts](https://www.netresec.com/?page=Blog&year=2011) [List all blog posts](https://www.netresec.com/?page=Blog&blogPostList=true) ## News Feeds » [Google News](https://news.google.com/publications/CAAqBwgKMIKCogswxYy6Aw) » [FeedBurner](https://feeds.feedburner.com/Netresec-Network-Security-Blog) » [RSS Feed](https://www.netresec.com/rss.ashx) [NETRESEC on Mastodon: @netresec@infosec.exchange](https://infosec.exchange/@netresec) NETRESEC on Twitter: [@netresec](https://twitter.com/netresec) -----