Brad

2022-04-16 (Thursday) - Reviewed #Qakbot/#CobaltStrike #pcap I posted at https://www.malware-traffic-analysis.net/2022/04/14/index.html …. Saw weird DNS traffic for Cobalt Strike DNS CnC activity, thanks to using so-import-pcap in #SecurityOnion with the #ETPRO ruleset. Malicious domain in DNS traffic: gmhteuster[.]compic.twitter.com/TLcafiNXw7

Or maybe this onepic.twitter.com/BNZIYPs9nd

2022-04-11 (Monday) - This is how I picture successful #Qakbot infections from today's .msi filespic.twitter.com/EeHyN3weXc

2022-04-11 (Monday) - Saw #CobaltStrike using kuxoemoli[.]com on 172.241.27[.]237 from a #Qakbot infection - References: https://twitter.com/k3dg3/status/1513514251788464132 … & https://twitter.com/Max_Mal_/status/1513539551070937093 …pic.twitter.com/HIiSkt12fQ

Ivan after last week's attempt by Emotet to use links didn't work out...pic.twitter.com/LNNFudmo8N

2022-04-04 (Monday) - #Emotet #epoch5 infection with #spambot activity - #pcap of the infection, some malware samples, email examples, and IOCs are available at: https://www.malware-traffic-analysis.net/2022/04/04/index.html …pic.twitter.com/Bcan5gJv3A

2022-03-31 (Thursday) - obama173 distribution #Qakbot (#Qbot) - UPS theme - "/nmt/" in the URL string. Email example: https://app.any.run/tasks/3e06833e-cf63-4c26-8372-da42f8308bee … Downloaded zip: https://tria.ge/220331-z7fwrsdhgk … DLL: https://tria.ge/220331-z8t5sahgg2 … DLL: https://tria.ge/220331-z9gk3seaaq … DLL: https://tria.ge/220331-z9yvcshgh5 …pic.twitter.com/klsPFiRQvr

pic.twitter.com/3fnm1OM3rI

March 2022 traffic analysis exercise - use a #pcap of infection traffic to write an incident report - https://www.malware-traffic-analysis.net/2022/03/21/index3.html … - #TrafficAnalysisExercisepic.twitter.com/pFLhaCJ8g8

2022-03-21 (Monday) - #Hancitor (#Chanitor/#MAN1/#Moskalvzapoe/#TA511) infection with #CobaltStrike and #MarsStealer - #pcap of the infection traffic, associated malware samples, and list of IOCs available at: https://www.malware-traffic-analysis.net/2022/03/21/index2.html …pic.twitter.com/4IBl1legxq

2022-03-24 (Thursday) - #pcap of the infection, 20 email examples, 12 Excel files, 1 DLL for #Emotet #epoch4 infection with another DLL for #CobaltStrike - based on an earlier tweet from today - available at: https://www.malware-traffic-analysis.net/2022/03/24/index.html …pic.twitter.com/LGI4VmjAa1

2022-03-24 (Thursday) - From an #Emotet epoch4 infection, I saw verofes[.]com as a #CobaltStrike domain on 139.60.160[.]9 over TCP port 443 today. Also saw more Cobalt Strike lgbtqplusfriendlydomain[.]com on 144.202.49[.]189 over TCP port 444.pic.twitter.com/6mAjeXkmHx

2022-03-23 (Wednesday) - info dump from #Qakbot (#Qbot) with the "aa" distribution tag. #pcap, email, malware samples, and list of IOCs available at: https://github.com/brad-duncan/IOCs/blob/main/2022-03-23-AA-Qakbot-data-dump.zip … - password: infectedpic.twitter.com/jiIp5EOA4Y