Qakbot infection with Cobalt Strike and VNC activity
By SANS Internet Storm Center
Archived: 2026-04-06 00:28:15 UTC
Introduction
On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Approximately 17
hours later, the infected host generated traffic for Cobalt Strike and VNC (Virtual Network Computing) activity. 
Like Cobalt Strike, VNC provides remote access to an infected host.
DLL files used for Qakbot infections have tags in the code that identify the malware sample's distribution
channel.  In this case, the distribution tag was obama166.
Today's diary provides a quick review of the infection activity.
Shown above:  Flow chart for Qakbot infection activity on Monday 2022-03-14.
Images From the Infection
https://isc.sans.edu/diary/rss/28448
Page 1 of 11

Shown above:  Example of email for obama166 distribution Qakbot on Monday 2022-03-14.
Shown above:  Downloading a zip archive from link in an email.
https://isc.sans.edu/diary/rss/28448
Page 2 of 11

Shown above:  Excel spreadsheet extracted from downloaded zip archive.
Shown above:  DLL files downloaded for Qakbot infection.
https://isc.sans.edu/diary/rss/28448
Page 3 of 11

Shown above:  Traffic from the infection filtered in Wireshark.
Shown above:  New Qakbot DLL saved to the infected Windows host shortly after the initial infection.
Shown above:  More traffic from the Qakbot infection filtered in Wireshark.
https://isc.sans.edu/diary/rss/28448
Page 4 of 11

Shown above:  TCP traffic over port 65400 associated with this Qakbot infection.
Shown above:  Data binary saved to disk at C:\u\ from the Qakbot infection.
https://isc.sans.edu/diary/rss/28448
Page 5 of 11

Shown above:  Cobalt Strike activity started about 17 hours after the initial Qakbot infection.
Shown above:  TCP SYN segments for VNC traffic caused by this Qakbot infection.
https://isc.sans.edu/diary/rss/28448
Page 6 of 11

Shown above:  First TCP stream for the VNC activity.
Shown above:  Second TCP stream for the VNC activity.
https://isc.sans.edu/diary/rss/28448
Page 7 of 11

Shown above:  Third TCP stream for the VNC activity (10 MB of data).
Shown above:  ETPRO alerts in Security Onion for the VNC traffic from this infection.
https://isc.sans.edu/diary/rss/28448
Page 8 of 11

Shown above:  Registry update made by the Qakbot infection.
Indicators of Compromise (IOCs)
Link from email for zip download:
hxxp://eaglio[.]org/apm/3/s2Fmok83x.zip
Traffic generated by Excel macro for Qakbot DLL files:
hxxp://101.99.95[.]190/6537991.dat
hxxp://146.70.81[.]64/6537991.dat
hxxp://190.14.37[.]12/6537991.dat
Qakbot C2 traffic:
201.170.181[.]247 port 443 - HTTPS traffic
port 443 - www.openssl[.]org - HTTPS traffic (connectivity check)
23.111.114[.]52 port 65400 - TCP traffic
76.169.147[.]192 port 32103 - HTTPS traffic
103.87.95[.]131 port 2222 - HTTPS traffic
86.98.27[.]253 port 443 - HTTPS traffic
various IP addresses over various ports - attempted TCP connections
Cobalt Strike traffic:
190.123.44[.]113 port 4444 - runfs[.]icu - HTTPS traffic
VNC module traffic:
https://isc.sans.edu/diary/rss/28448
Page 9 of 11

45.153.241[.]142 port 443 - encoded/encrypted traffic and beacon channels
Rule hits on VNC module traffic:
ETPRO MALWARE VNCStartServer USR Variant CnC Beacon
ETPRO MALWARE VNCStartServer BOT Variant CnC Beacon
Malware retrieved from the infected Windows client:
SHA256 hash: ba80720c42704e8e1a73e60906f6f289ba763365c8f6b16ccf47aac8a687b83e
File size: 92,828 bytes
File location: hxxp://eaglio[.]org/apm/3/s2Fmok83x.zip
File name: ClaimDetails-1699343128-Mar-14.zip
SHA256 hash: 5a6157eefc8d0b1089a5bfdee351379b27baff4c40b432fd22e0cbe1f6102fab
File size: 120,410 bytes
File name: ClaimDetails-1699343128-Mar-14.xlsb
SHA256 hash: 47fe3cbab19b43579e3312d90f7a8c7021c84e228e7c8ef97d39a1a7a261ea01
File size: 408,576 bytes
File location: hxxp://101.99.95[.]190/6537991.dat
File location: C:\Biloa\Dopaters1.ocx
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Run method: regsvr32.exe [filename]
SHA256 hash: 8751f8aedc65a10826071515b4b7896a8800152b8e3bcbbe9e8a64970deb9b49
File size: 408,576 bytes
File location: hxxp://146.70.81[.]64/6537991.dat
File location: C:\Biloa\Dopaters2.ocx
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Run method: regsvr32.exe [filename]
SHA256 hash: 7312353bab71ecefec6888bb804afd71f67178ded4ce41960924d3d6f7400320
File size: 408,576 bytes
File location: hxxp://190.14.37[.]12/6537991.dat
File location: C:\Biloa\Dopaters3.ocx
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Run method: regsvr32.exe [filename]
SHA256 hash: 7264fc1e81ff854b769f8e19ced247fb95210a58ddd5edce4a6275ddc38e5298
File size: 920,064 bytes
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Hezuky\bbcdipimaxckk.dll
https://isc.sans.edu/diary/rss/28448
Page 10 of 11

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Run method: regsvr32.exe [filename]
Note: No binaries for Cobalt Strike or the VNC activity were found on the infected Windows host.
Final words
This infection shows some changes in Qakbot.
Earlier this year, Qakbot samples created a scheduled task that pointed to an additional registry update with
base64 code used to re-create the Qakbot binary after a reboot.  I no longer see that with recent Qakbot samples.
Also, this infection didn't stay persistent after logging out or doing a reboot.  Normally, Qakbot keeps the active
DLL in memory.  If a victim logs our or reboots, Qakbot saves the in-memory DLL to disk and creates a registry
update at HKCU\Software\Microsoft\Windows\CurrentVersion\Run.  After rebooting and/or logging back in, this
registry update loads the DLL, then Qakbot deletes the registry update and erases the DLL that had been saved to
disk.
In this case, a Qakbot DLL was already saved to disk long before I tried logging out/rebooting.  Furthermore, the
infection did not persist after I logged out.
There's also a data binary stored at a C:\u\ directory created by Qakbot.  From a forensic point of view, things
are noticeably different with recent Qakbot infections.  Not drastically different, but the changes are noticeable.
A pcap of the infection traffic along with malware (Excel file and DLL) from an infected host can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Source: https://isc.sans.edu/diary/rss/28448
https://isc.sans.edu/diary/rss/28448
Page 11 of 11

  https://isc.sans.edu/diary/rss/28448  
Shown above: TCP traffic over port 65400 associated with this Qakbot infection.
Shown above: Data binary saved to disk at C:\u\ from the Qakbot infection.
   Page 5 of 11 

   https://isc.sans.edu/diary/rss/28448  
Shown above: Cobalt Strike activity started about 17 hours after the initial Qakbot infection.
Shown above: TCP SYN segments for VNC traffic caused by this Qakbot infection.
   Page 6 of 11