Qbot Trojan delivered via malspam

[UPDATE] – Thanks to @kafeine for properly identifying the malware as Qbot. Post has been updated to reflect the identification.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-11-11-Gootkit-pcap.zip


ASSOCIATED DOMAINS:

64.20.51.18 – wcdp2021.lk GET /wp-content/uploads/2019/11/home/06112.zip – Qbot VB Script
185.88.178.186 – pingup.ir GET /wp-content/uploads/2019/11/home/aaaa.png – Qbot Loader
2.177.101.143 – Port 443 – Qbot C2


ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

SYSMON [Event 3]
Image C:\Windows\System32\wscript.exe
Protocol tcp
DestinationIp 185.88.178.186

SYSMON [Event 1]
Image C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
Description Egrep: print lines matching a pattern
Product Grep
Company GnuWin32 <http://gnuwin32.sourceforge.net>
OriginalFileName egrep.exe
CommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=CC7F84EC80721E950B4E8E96D9A8C7D4
ParentImage C:\Windows\System32\wscript.exe
ParentCommandLine "C:\Windows\System32\WScript.exe" "C:\Users\Jake\Downloads\06112\JVC_61541.vbs"

SYSMON [Event 1]
Image C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
Description Egrep: print lines matching a pattern
Product Grep
Company GnuWin32 <http://gnuwin32.sourceforge.net>
OriginalFileName egrep.exe
CommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe /C
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=CC7F84EC80721E950B4E8E96D9A8C7D4
ParentImage C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
ParentCommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe

SYSMON [Event 1]
Image C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe
Description Egrep: print lines matching a pattern
Product Grep
Company GnuWin32 <http://gnuwin32.sourceforge.net>
OriginalFileName egrep.exe
CommandLine C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=CC7F84EC80721E950B4E8E96D9A8C7D4
ParentImage C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
ParentCommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe

SYSMON [Event 1]
Image C:\Windows\System32\cmd.exe
Description Windows Command Processor
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName Cmd.Exe
CommandLine "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Jake\AppData\Local\Temp\ColorPick.exe"
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98
ParentImage C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
ParentCommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe

SYSMON [Event 1]
Image C:\Windows\System32\PING.EXE
Description TCP/IP Ping Command
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName ping.exe
CommandLine ping.exe -n 6 127.0.0.1
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=6242E3D67787CCBF4E06AD2982853144
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Jake\AppData\Local\Temp\ColorPick.exe"

SYSMON [Event 1]
Image C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe
Description Egrep: print lines matching a pattern
Product Grep
Company GnuWin32 <http://gnuwin32.sourceforge.net>
OriginalFileName egrep.exe
CommandLine C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe /C
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=CC7F84EC80721E950B4E8E96D9A8C7D4
ParentImage C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe
ParentCommandLine C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe

SYSMON [Event 1]
Image C:\Windows\System32\cscript.exe
Description Microsoft ® Console Based Script Host
Product Microsoft ® Windows Script Host
Company Microsoft Corporation
OriginalFileName cscript.exe
CommandLine "C:\Windows\System32\cscript.exe" "C:\Users\Jake\zmqxlntjihluqcsvcvlfqra.vbs"
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=F36B7461FECDCF763FDEFA3A3352CD45
ParentImage C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
ParentCommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe

SYSMON [Event 1]
Image C:\Windows\System32\cmd.exe
Description Windows Command Processor
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName Cmd.Exe
CommandLine "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Jake\AppData\Local\Temp\ColorPick.exe"
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98
ParentImage C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
ParentCommandLine C:\Users\Jake\AppData\Local\Temp\ColorPick.exe

SYSMON [Event 1]
Image C:\Windows\explorer.exe
Description Windows Explorer
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName EXPLORER.EXE
CommandLine C:\Windows\explorer.exe
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=40D777B7A95E00593EB1568C68514493
ParentImage C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe
ParentCommandLine C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe

SYSMON [Event 1]
Image C:\Windows\System32\rundll32.exe
Description Windows host process (Rundll32)
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName RUNDLL32.EXE
CommandLine "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.dat
CurrentDirectory C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\
User Jake-PC\Jake
Hashes MD5=51138BEEA3E2C21EC44D0932C71762A8
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE

SYSMON [Event 3]
Image C:\Windows\explorer.exe
Protocol tcp
DestinationIp 2.177.101.143
DestinationPort 443
DestinationPortName https

SYSMON [Event 3]
Image C:\Program Files\Internet Explorer\iexplore.exe
Protocol tcp
DestinationIp 89.105.198.119
DestinationPort 80
DestinationPortName http

SYSMON [Event 1]
Image C:\Windows\System32\schtasks.exe
Description Manages scheduled tasks
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
OriginalFileName sctasks.exe
CommandLine "C:\Windows\system32\schtasks.exe" /create /tn {D6ED2D44-F944-4E0B-9E2F-F7427F52A55C} /tr "\"C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe\"" /sc HOURLY /mo 5 /F
CurrentDirectory C:\Users\Jake\Downloads\06112\
User Jake-PC\Jake
Hashes MD5=2003E9B15E1C502B146DAD2E383AC1E3
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\explorer.exe
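
Turning the Sysmon events above into a hunt, as an added example that is not part of the original post: a small Python script that parses records in the same text layout and flags the four behaviours the post's events show (a script host opening a network connection, a renamed GnuWin32 egrep binary, cmd.exe using ping as a delay before overwriting the dropper with calc.exe, and a scheduled task whose action lives under AppData\Roaming). The sample records are constructed stand-ins modelled on the post; the IP and the task name are placeholders.

```python
import re

# Constructed sample in the post's "SYSMON [Event N]" + "Key Value" layout; paths follow the post, the IP and task name are placeholders.
SAMPLE = r"""SYSMON [Event 3]
Image C:\Windows\System32\wscript.exe
DestinationIp 203.0.113.10
SYSMON [Event 1]
Image C:\Users\Jake\AppData\Local\Temp\ColorPick.exe
OriginalFileName egrep.exe
SYSMON [Event 1]
Image C:\Windows\System32\cmd.exe
OriginalFileName Cmd.Exe
CommandLine "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Jake\AppData\Local\Temp\ColorPick.exe"
SYSMON [Event 1]
Image C:\Windows\System32\schtasks.exe
OriginalFileName sctasks.exe
CommandLine "C:\Windows\system32\schtasks.exe" /create /tn {PLACEHOLDER-GUID} /tr "C:\Users\Jake\AppData\Roaming\Microsoft\Ribzgsaufo\fuqjy.exe" /sc HOURLY /mo 5 /F
"""
KNOWN_MISMATCH = {"sctasks.exe": "schtasks.exe"}  # schtasks.exe really ships with this OriginalFileName (see the post)

def parse_sysmon(text):
    # Split on the "SYSMON [Event N]" headers; every following "Key Value" line becomes a field.
    parts = re.split(r"(?m)^SYSMON \[Event (\d+)\]\n", text)[1:]
    events = []
    for eid, body in zip(parts[::2], parts[1::2]):
        ev = {"EventId": int(eid)}
        for line in body.splitlines():
            key, _, value = line.partition(" ")
            ev[key] = value
        events.append(ev)
    return events

def hunt(events):
    hits = []
    for ev in events:
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        # Event 3: a script host (wscript/cscript) opening a network connection.
        if ev["EventId"] == 3 and exe in ("wscript.exe", "cscript.exe"):
            hits.append(("script_host_network", image))
        # PE OriginalFileName differs from the on-disk name (egrep.exe running as ColorPick.exe).
        orig = ev.get("OriginalFileName", "").lower()
        if orig and KNOWN_MISMATCH.get(orig, orig) != exe:
            hits.append(("renamed_binary", image))
        # cmd.exe using ping as a sleep, then overwriting the dropper with calc.exe.
        if exe == "cmd.exe" and re.search(r"ping(\.exe)? -n \d+ 127\.0\.0\.1 & type .+ >", cmd, re.I):
            hits.append(("ping_delay_overwrite", image))
        # schtasks /create whose /tr action lives under AppData\Roaming (persistence).
        if exe == "schtasks.exe" and "/create" in cmd.lower() and re.search(r'/tr\s+"?[^"]*AppData\\Roaming', cmd, re.I):
            hits.append(("appdata_scheduled_task", image))
    return hits
```

The allow-list matters: without it the renamed-binary rule fires on every schtasks.exe launch, because the binary's own OriginalFileName is "sctasks.exe", exactly as the post's event shows.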


IMAGES AND DETAILS:

[Image] Traffic associated with Qbot after executing the malicious Visual Basic Script

[Image] Qbot loader download disguised as a .png image file

[Image] Organization field of the SSL certificate associated with the command and control traffic – Etit Zbigea Ofkjukeau LLC

[Image] Qbot establishes persistence in the AppData Roaming directory

[Image] Qbot creates persistence in the Windows Registry

[Image] Qbot creates persistence using Windows Scheduled Tasks