Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

TA551 (Shathak) Word docs push Qakbot (Qbot)

Published: 2021-01-26
Last Updated: 2021-01-26 19:03:44 UTC
by Brad Duncan (Version: 1)
2 comment(s)


Late last week, we saw new samples of Word documents from TA551 (Shathak) pushing malware.  This actor was active up through 2020-12-18 pushing IcedID malware before going on break for the holidays.  Now that it's returned, TA551 has been pushing Qakbot (Qbot) malware instead of IcedID.

Shown above: flow chart for recent TA551 (Shathak) activity so far in January 2021.

Images from the infection

See below for images associated with the infection in my lab environment.

Shown above:  Screenshot of the TA551 (Shathak) Word document with macros for Qakbot (Qbot).

Shown above:  Regsvr32 pop up message when the malware DLL to install Qakbot has successuflly run.

Shown above:  Start of TCP stream showing the HTTP request and response for the initial DLL to install Qakbot (Qbot).

Shown above:  Traffic from the infection filtered in Wireshark (part 1).

Shown above:  Traffic from the infection filtered in Wireshark (part 2).

Shown above:  Traffic from the infection filtered in Wireshark (part 3).

Shown above:  One of the emails exported from the pcap (a copy is available here).


This month, the affiliate or campaign identification string for Qakbot malware distributed through TA551 has been krk01.  When my krk01 Qakbot-infected host started spamming more Qakbot, the affiliate/campaign ID for Qakbot samples caused by this malspam was abc120.

Because of this and its previous history pushing different families of malware, I believe TA551 (Shathak) is a distributor for other criminals in our cyber threat landscape.  The other criminals push malware (like the criminals behind Qakbot), while TA551 is specifically a distribution network.

Indicators of Compromise (IOCs)

SHA256 hash: 17cd3c11fba639c1fe987a79a1b998afe741636ac607254cc134eea02c63f658

  • File size: 76,663 bytes
  • File name: particulars-01.26.21.doc
  • File description: TA551 (Shathak) Word doc with macros for Qakbot (Qbot)

SHA256 hash: 231b081480a80b05d69ed1d2e18ada8a1fd85ba6ce3e69cc8f630ede5ce5400e

  • File size: 888,832 bytes
  • File location: hxxp://5that6[.]com//assets/55ddb775/ce51025b12/9b75bbce/8a06fd47/6ac84e7424b0539286562b/xtuaq14?anz=125c5909&dlzwg=7aec167a5a2ab0&bu=a09f740
  • File location: C:\ProgramData\aZe4I.tmp
  • File description: Windows malware DLL retrieved by Word macro, used to install Qakbot (Qbot) affliate/campaign ID krk01
  • Run method:  regsvr32.exe [filename]

Final words

A pcap of the infection traffic and and malware from the infected Windows host can be found here.

Brad Duncan
brad [at]

2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Fun with NMAP NSE Scripts and DOH (DNS over HTTPS)
Jan 25th 2021
1 day ago by Rob VandenBrink (0 comments)

Video: Doc & RTF Malicious Document
Jan 24th 2021
2 days ago by DidierStevens (0 comments)

CyberChef: Analyzing OOXML Files for URLs
Jan 23rd 2021
3 days ago by DidierStevens (0 comments)

Another File Extension to Block in your MTA: .jnlp
Jan 22nd 2021
4 days ago by Xme (0 comments)

Powershell Dropping a REvil Ransomware
Jan 21st 2021
5 days ago by Xme (0 comments)

Qakbot activity resumes after holiday break
Jan 20th 2021
6 days ago by Brad (0 comments)

Gordon for fast cyber reputation checks
Jan 19th 2021
1 week ago by Russ McRee (0 comments)

View All Diaries →

Latest Discussions

created Dec 23rd 2020
1 month ago by (3 replies)

Port 23 & 2323
created Nov 15th 2020
2 months ago by Anonymous (0 replies)

Gmail hacked vis MS Outlook / virus/malware
created Oct 13th 2020
3 months ago by Anonymous (3 replies)

Why is the entire community so... I don't know the words...
created Sep 8th 2020
4 months ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
4 months ago by Martin (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Old Worm But New Obfuscation Technique
Nov 13th 2020
2 months ago by Xme (0 comments)

Is IP testing Access to
Dec 5th 2020
1 month ago by Guy (0 comments)

AV Cleaned Maldoc
Nov 2nd 2020
2 months ago by DidierStevens (0 comments)

Traffic Analysis Quiz:
Oct 16th 2020
3 months ago by Brad (0 comments)