{
	"id": "006a9fdf-18c7-4739-8e42-1b2c57f46aea",
	"created_at": "2026-04-06T01:28:57.762682Z",
	"updated_at": "2026-04-10T03:24:24.84099Z",
	"deleted_at": null,
	"sha1_hash": "cb22c4c7442cc09ad213b8ac6da794afbd9d6199",
	"title": "Qakbot infection with Cobalt Strike and VNC activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8220540,
	"plain_text": "Qakbot infection with Cobalt Strike and VNC activity\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-06 00:28:15 UTC\r\nIntroduction\r\nOn Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Approximately 17\r\nhours later, the infected host generated traffic for Cobalt Strike and VNC (Virtual Network Computing) activity.\r\nLike Cobalt Strike, VNC provides remote access to an infected host.\r\nDLL files used for Qakbot infections have tags in the code that identify the malware sample's distribution\r\nchannel. In this case, the distribution tag was obama166.\r\nToday's diary provides a quick review of the infection activity.\r\nShown above: Flow chart for Qakbot infection activity on Monday 2022-03-14.\r\nImages From the Infection\r\nhttps://isc.sans.edu/diary/rss/28448\r\nPage 1 of 11\n\nShown above: Example of email for obama166 distribution of Qakbot on Monday 2022-03-14.\r\nShown above: Downloading a zip archive from a link in an email.\r\nShown above: Excel spreadsheet extracted from the downloaded zip archive.\r\nShown above: DLL files downloaded for the Qakbot infection.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nShown above: New Qakbot DLL saved to the infected Windows host shortly after the initial infection.\r\nShown above: More traffic from the Qakbot infection filtered in Wireshark.\r\nShown above: TCP traffic over port 65400 associated with this Qakbot infection.\r\nShown above: Data binary saved to disk at C:\\u\\ from the Qakbot infection.\r\nShown above: Cobalt Strike activity started about 17 hours after the initial Qakbot infection.\r\nShown above: TCP SYN segments for VNC traffic caused by this Qakbot infection.\r\n
Shown above: First TCP stream for the VNC activity.\r\nShown above: Second TCP stream for the VNC activity.\r\nShown above: Third TCP stream for the VNC activity (10 MB of data).\r\nShown above: ETPRO alerts in Security Onion for the VNC traffic from this infection.\r\nShown above: Registry update made by the Qakbot infection.\r\nIndicators of Compromise (IOCs)\r\nLink from email for zip download:\r\nhxxp://eaglio[.]org/apm/3/s2Fmok83x.zip\r\nTraffic generated by Excel macro for Qakbot DLL files:\r\nhxxp://101.99.95[.]190/6537991.dat\r\nhxxp://146.70.81[.]64/6537991.dat\r\nhxxp://190.14.37[.]12/6537991.dat\r\nQakbot C2 traffic:\r\n201.170.181[.]247 port 443 - HTTPS traffic\r\nport 443 - www.openssl[.]org - HTTPS traffic (connectivity check)\r\n23.111.114[.]52 port 65400 - TCP traffic\r\n76.169.147[.]192 port 32103 - HTTPS traffic\r\n103.87.95[.]131 port 2222 - HTTPS traffic\r\n86.98.27[.]253 port 443 - HTTPS traffic\r\nvarious IP addresses over various ports - attempted TCP connections\r\nCobalt Strike traffic:\r\n190.123.44[.]113 port 4444 - runfs[.]icu - HTTPS traffic\r\nVNC module traffic:\r\n45.153.241[.]142 port 443 - encoded/encrypted traffic and beacon channels\r\nRule hits on VNC module traffic:\r\nETPRO MALWARE VNCStartServer USR Variant CnC Beacon\r\nETPRO MALWARE VNCStartServer BOT Variant CnC Beacon\r\nMalware retrieved from the infected Windows client:\r\nSHA256 hash: ba80720c42704e8e1a73e60906f6f289ba763365c8f6b16ccf47aac8a687b83e\r\nFile size: 92,828 bytes\r\nFile location: hxxp://eaglio[.]org/apm/3/s2Fmok83x.zip\r\nFile name: ClaimDetails-1699343128-Mar-14.zip\r\nSHA256 hash: 5a6157eefc8d0b1089a5bfdee351379b27baff4c40b432fd22e0cbe1f6102fab\r\nFile size: 120,410 bytes\r\nFile name: ClaimDetails-1699343128-Mar-14.xlsb\r\n
SHA256 hash: 47fe3cbab19b43579e3312d90f7a8c7021c84e228e7c8ef97d39a1a7a261ea01\r\nFile size: 408,576 bytes\r\nFile location: hxxp://101.99.95[.]190/6537991.dat\r\nFile location: C:\\Biloa\\Dopaters1.ocx\r\nFile type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: 8751f8aedc65a10826071515b4b7896a8800152b8e3bcbbe9e8a64970deb9b49\r\nFile size: 408,576 bytes\r\nFile location: hxxp://146.70.81[.]64/6537991.dat\r\nFile location: C:\\Biloa\\Dopaters2.ocx\r\nFile type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: 7312353bab71ecefec6888bb804afd71f67178ded4ce41960924d3d6f7400320\r\nFile size: 408,576 bytes\r\nFile location: hxxp://190.14.37[.]12/6537991.dat\r\nFile location: C:\\Biloa\\Dopaters3.ocx\r\nFile type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nSHA256 hash: 7264fc1e81ff854b769f8e19ced247fb95210a58ddd5edce4a6275ddc38e5298\r\nFile size: 920,064 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Hezuky\\bbcdipimaxckk.dll\r\nFile type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nRun method: regsvr32.exe [filename]\r\nNote: No binaries for Cobalt Strike or the VNC activity were found on the infected Windows host.\r\nFinal words\r\nThis infection shows some changes in Qakbot.\r\nEarlier this year, Qakbot samples created a scheduled task that pointed to an additional registry update with\r\nbase64 code used to re-create the Qakbot binary after a reboot. I no longer see that with recent Qakbot samples.\r\nAlso, this infection didn't stay persistent after logging out or doing a reboot. Normally, Qakbot keeps the active\r\nDLL in memory. 
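The logoff/reboot persistence that these final words describe (a value under the HKCU Run key that reloads a DLL saved to disk, executed through regsvr32.exe as the IOC list's run method shows) can be triaged from a reg query dump of that key. The Python below is an added example written for this page, not code from the ISC diary or from Brad Duncan. The reg query text, the value names Hezuky and Dopaters, and the OneDrive and Defender control entries are constructed; only the DLL/OCX paths mirror file locations from the IOC list. The check generalizes past this sample: it flags any Run value that registers a .dll or .ocx through regsvr32 from outside the Windows and Program Files trees, whether regsvr32 is named bare or by full path and whether or not switches such as /s are present.

```python
# Triage of HKCU Run values for Qakbot-style regsvr32 persistence.
# Added example for this page; not code from the ISC diary.

# Constructed output of: reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
# The value names (Hezuky, Dopaters) and the OneDrive and Defender control
# entries are assumptions; the DLL/OCX paths mirror locations in the diary's IOCs.
SAMPLE_REG_QUERY = '''
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
    Hezuky      REG_SZ    regsvr32.exe C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Hezuky\\bbcdipimaxckk.dll
    Dopaters    REG_SZ    C:\\Windows\\System32\\regsvr32.exe /s C:\\Biloa\\Dopaters1.ocx
    Defender    REG_SZ    C:\\Program Files\\Windows Defender\\MSASCuiL.exe
'''

# Only these trees are accepted as a legitimate home for a DLL/OCX that a Run
# value registers with regsvr32. AppData, C:\\Biloa, C:\\u and similar
# user-writable locations fall outside them and are flagged.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
LIBRARY_EXTENSIONS = ('.dll', '.ocx')


def parse_reg_query(text):
    '''Turn reg query output into (value_name, value_type, data) tuples.

    Key header lines have no REG_ type column and are skipped. The data
    column is kept whole, so paths containing spaces survive.
    '''
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[1].startswith('REG_'):
            entries.append(tuple(parts))
    return entries


def loaded_library(command):
    '''Return the DLL/OCX path a regsvr32 command line registers, or None.

    regsvr32 may be named bare or with a full path and may carry switches
    such as /s; the library is the first argument ending in .dll or .ocx.
    The paths observed in the diary contain no spaces, so whitespace
    splitting is enough here; paths with spaces would need quote-aware
    splitting.
    '''
    tokens = command.split()
    if not tokens or not tokens[0].lower().endswith('regsvr32.exe'):
        return None
    for token in tokens[1:]:
        if token.lower().endswith(LIBRARY_EXTENSIONS):
            return token
    return None


def triage_run_entries(text):
    '''Return (value_name, library_path) for every Run value that loads a
    DLL/OCX through regsvr32 from outside the trusted trees.'''
    findings = []
    for name, _value_type, data in parse_reg_query(text):
        library = loaded_library(data)
        if library is not None and not library.lower().startswith(TRUSTED_PREFIXES):
            findings.append((name, library))
    return findings


if __name__ == '__main__':
    for name, library in triage_run_entries(SAMPLE_REG_QUERY):
        print('suspicious Run value', name, '->', library)
```

Because Qakbot removes the Run value and erases the on-disk DLL once the DLL has been loaded again after logon, run this before the user logs back in, for example against the user's NTUSER.DAT after mounting it with reg load on an analysis host; an empty result from a live, logged-in host proves nothing.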
If a victim logs out or reboots, Qakbot saves the in-memory DLL to disk and creates a registry\r\nupdate at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. After rebooting and/or logging back in, this\r\nregistry update loads the DLL, then Qakbot deletes the registry update and erases the DLL that had been saved to\r\ndisk.\r\nIn this case, a Qakbot DLL was already saved to disk long before I tried logging out/rebooting. Furthermore, the\r\ninfection did not persist after I logged out.\r\nThere's also a data binary stored at a C:\\u\\ directory created by Qakbot. From a forensic point of view, things\r\nare noticeably different with recent Qakbot infections. Not drastically different, but the changes are noticeable.\r\nA pcap of the infection traffic along with malware (Excel file and DLL) from an infected host can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/28448",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/28448"
	],
	"report_names": [
		"28448"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438937,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb22c4c7442cc09ad213b8ac6da794afbd9d6199.pdf",
		"text": "https://archive.orkl.eu/cb22c4c7442cc09ad213b8ac6da794afbd9d6199.txt",
		"img": "https://archive.orkl.eu/cb22c4c7442cc09ad213b8ac6da794afbd9d6199.jpg"
	}
}