Qakbot infection with Cobalt Strike and VNC activity - SANS Internet Storm Center
Common Information
UUID: fb7bbaf1-c1d6-419a-b3b7-c0717ec6f529
Fingerprint: 2473392fb6b65ec2
Analysis status: DONE
Considered CTI value: 2
Text language: (not set)
Published: March 16, 2022, midnight
Added to db: Sept. 26, 2022, 9:33 a.m.
Last updated: Dec. 24, 2024, 8:49 a.m.
Headline: Internet Storm Center
Title: Qakbot infection with Cobalt Strike and VNC activity - SANS Internet Storm Center
Detected Hints/Tags/Attributes: 29/1/32
Attributes