# Description
- Probable Name: Qakbot 
- MD5: 425595f9cdc4520240e4e7794fc5a711
- SHA1: 4f7f721e04a18f82b63b0ed2ba2b0a2f036a4e29
- SHA256: 812805d49995c915a30e4cc58bb0da885bb1e02143816d13378436dcb9e46a21
- Password of zip file: infected
- Duration: 
- Proxy Usage: This capture did not use an intermediate proxy.

- [VirusTotal](https://www.virustotal.com/en/file/812805d49995c915a30e4cc58bb0da885bb1e02143816d13378436dcb9e46a21/analysis/)
- [HybridAnalysis](https://www.hybrid-analysis.com/sample/812805d49995c915a30e4cc58bb0da885bb1e02143816d13378436dcb9e46a21?environmentId=2)
- RoboHash

[![](https://robohash.org/425595f9cdc4520240e4e7794fc5a711)](https://robohash.org)

# Files

- .capinfos
    - Capinfos file
- .dnstop
    - DNS top file
- mitm.out
    - MITM proxy interception file of HTTP and HTTPS traffic
- .mitm.weblog
    - This is the HTTP and HTTPS web log that includes Labels. This is the preferred file for web analysis.
    - This file includes a header with the column names. There are two new columns defined by us:
        - Column id: This number is unique to each TCP connection. When a TCP connection is opened and several GET, POST, etc. requests are made inside it, all of them are assigned the same id in this file, so every weblog generated __inside__ the same TCP connection shares it.
        - Column timestamp_end: This is the timestamp at which the weblog ended. Combined with the id column, it lets you compute the total duration of the TCP connection that generated __all__ the weblogs with that id, similar to the duration of the hypothetical CONNECT request that would have been seen if the traffic had gone through a proxy.
- .passivedns
    - Passive DNS file
- .pcap
    - Original pcap file
- .rrd
    - RRD file for graphs
- .weblogng
    - Web log of HTTP traffic only, generated with justsniffer
- .exe.zip
    - Original malware file
- bro
    - Folder with all the bro output files
- .biargus
    - Argus binary file. Bidirectional flows, 3600s of report time.
- .binetflow
    - Argus text file with bidirectional flows. Report time 3600 secs.
- .uniargus
    - Argus binary file. Unidirectional flows, 5s of report time.
- .uninetflow
    - Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.
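The id and timestamp_end columns of the .mitm.weblog file described above can be combined to recover per-connection durations. The following is an added example, not part of the dataset's own tooling: it groups weblog entries by id and reports, per TCP connection, the request count, the total duration and the labels seen. The page only specifies the id and timestamp_end columns and the presence of a header; the remaining column names, the tab separator, the timestamp format and the sample lines are assumptions constructed for this example.

```python
"""Compute per-TCP-connection durations from a .mitm.weblog-style file.

Added example; only the id and timestamp_end columns and the header line
are documented by the dataset. Other columns, the tab separator and the
timestamp format are assumptions used for the constructed sample.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per HTTP request; requests sharing an id
# were made inside the same TCP connection.
SAMPLE_WEBLOG = """\
timestamp\ttimestamp_end\tid\tsrc\tmethod\thost\tlabel
2021-12-01 11:52:03.100\t2021-12-01 11:52:03.420\t1\t192.168.1.114\tPOST\tc2.example.invalid\tMalicious
2021-12-01 11:52:03.450\t2021-12-01 11:52:05.900\t1\t192.168.1.114\tPOST\tc2.example.invalid\tMalicious
2021-12-01 11:52:10.000\t2021-12-01 11:52:10.250\t2\t192.168.1.114\tGET\tupdate.example.invalid\tNormal
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # assumed timestamp format


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def connection_durations(text):
    """Return {id: (request_count, duration_seconds, sorted_labels)}.

    The duration runs from the earliest request start to the latest
    timestamp_end among all entries sharing the same id, which is the
    total lifetime of the TCP connection that produced them.
    """
    conns = defaultdict(lambda: {"n": 0, "start": None, "end": None, "labels": set()})
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        c = conns[row["id"]]
        start, end = parse_ts(row["timestamp"]), parse_ts(row["timestamp_end"])
        c["n"] += 1
        c["start"] = start if c["start"] is None else min(c["start"], start)
        c["end"] = end if c["end"] is None else max(c["end"], end)
        c["labels"].add(row["label"])
    return {cid: (c["n"], (c["end"] - c["start"]).total_seconds(), sorted(c["labels"]))
            for cid, c in conns.items()}


if __name__ == "__main__":
    for cid, (n, secs, labels) in connection_durations(SAMPLE_WEBLOG).items():
        print(f"connection {cid}: {n} requests, {secs:.3f}s, labels={labels}")
```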

# Generic Dataset name: CTU-Malware-Capture-Botnet-410-1

# IP Addresses
- Infected host: 192.168.1.114
- Default GW: 192.168.1.2

# Timeline

## Wed Dec  1 11:45:14 CET 2021
started win4

## Last packet in tcpdump before infection
1970/01/01 01:06:29.144625

## Wed Dec  1 11:51:47 CET 2021
infected

## Wed Dec  1 19:14:37 CET 2021
power off

# Disclaimer 
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz

You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org

# Suricata run with rules updated on 2021-12-01
