SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qakbot (Back to overview)

QakBot

aka: Pinkslipbot, Qbot, Quakbot
URLhaus    

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.

References
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2021-02-15Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210215:qakbot:f692e9c, author = {The DFIR Report}, title = {{Tweet on Qakbot post infection discovery activity}}, date = {2021-02-15}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1361331598344478727}, language = {English}, urldate = {2021-02-18} } Tweet on Qakbot post infection discovery activity
QakBot
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Medium elis531989Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-06FBIFBI
@techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot
2020-12-15HornetsecurityHornetsecurity Security Lab
@online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-12-12Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } Reversing QakBot [ TLP: White]
QakBot
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-03Recorded FutureInsikt Group®
@techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01Group-IBGroup-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin
@techreport{groupib:20201201:egregor:37e5698, author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2021-01-21} } Egregor ransomware: The legacy of Maze lives on
Egregor QakBot
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27Fiducia & GAD IT AGFrank Boldewin
@techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-20Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} } The Locking Egregor
Egregor QakBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-12IntrinsecJean Bichet
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-10-29CERT-FRCERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-14CrowdStrikeThe Falcon Complete Team
@online{team:20201014:duck:d227846, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3}}, date = {2020-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/}, language = {English}, urldate = {2020-11-09} } Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
QakBot
2020-10-07CrowdStrikeThe Falcon Complete Team
@online{team:20201007:duck:69360c9, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2}}, date = {2020-10-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/}, language = {English}, urldate = {2020-10-12} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader
2020-10-01CrowdStrikeDylan Barker, Quinten Bowen, Ryan Campbell
@online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
QakBot
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-10QuoSec GmbHQuosec Blog
@online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_strings/}, language = {English}, urldate = {2020-11-09} } grap: Automating QakBot strings decryption
QakBot
2020-09-10Group-IBOleg Skulkin, Semyon Rogachev
@online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} } Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-09-04QuoSec GmbHQuosec Blog
@online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_navigation/}, language = {English}, urldate = {2020-11-09} } Navigating QakBot samples with grap
QakBot
2020-08-27CheckpointAlex Ilgayev
@online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
QakBot
2020-08-20MorphisecArnold Osipov
@online{osipov:20200820:qakbot:a7e14ef, author = {Arnold Osipov}, title = {{QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal}}, date = {2020-08-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques}, language = {English}, urldate = {2020-08-25} } QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
QakBot
2020-07-15N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } Deep Analysis of QBot Banking Trojan
QakBot
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-21Malware and StuffAndreas Klopsch
@online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } UpnP – Messing up Security since years
QakBot
2020-06-16HornetsecuritySecurity Lab
@online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-06-11F5 LabsDoron Voolf
@online{voolf:20200611:qbot:1bd9fe7, author = {Doron Voolf}, title = {{Qbot Banking Trojan Still Up to Its Old Tricks}}, date = {2020-06-11}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks}, language = {English}, urldate = {2020-06-16} } Qbot Banking Trojan Still Up to Its Old Tricks
QakBot
2020-05-05Malware and StuffAndreas Klopsch
@online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } An old enemy – Diving into QBot part 3
QakBot
2020-03-30Malware and StuffAndreas Klopsch
@online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } An old enemy – Diving into QBot part 1
QakBot
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-28PWC UKPWC UK
@techreport{uk:20200228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2020-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-02} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-03Youtube (BSides Belfast)Nick Summerlin, Jorge Rodriguez
@online{summerlin:20200103:demystifying:c0a1a19, author = {Nick Summerlin and Jorge Rodriguez}, title = {{Demystifying QBot Banking Trojan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=iB1psRMtlqg}, language = {English}, urldate = {2020-02-21} } Demystifying QBot Banking Trojan
QakBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:00ad0eb, author = {SecureWorks}, title = {{GOLD LAGOON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2020-05-23} } GOLD LAGOON
QakBot
2019-11-12Hatching.ioMarkel Picado
@online{picado:20191112:reversing:de8a8b6, author = {Markel Picado}, title = {{Reversing Qakbot}}, date = {2019-11-12}, organization = {Hatching.io}, url = {https://hatching.io/blog/reversing-qakbot}, language = {English}, urldate = {2020-01-07} } Reversing Qakbot
QakBot
2019-06-03VaronisDolev Taler, Eric Saraga
@online{taler:20190603:varonis:21ad52e, author = {Dolev Taler and Eric Saraga}, title = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}}, date = {2019-06-03}, organization = {Varonis}, url = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/}, language = {English}, urldate = {2020-01-05} } Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
QakBot
2019-05-02Cisco TalosAshlee Benge, Nick Randolph
@online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } Qakbot levels up with new obfuscation techniques
QakBot
2018-07-29Vitali Kremez BlogVitali Kremez
@online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
QakBot
2017-11-06MicrosoftMicrosoft Defender ATP Research Team
@online{team:20171106:mitigating:b623a70, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/}, language = {English}, urldate = {2020-10-23} } Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet QakBot
2017-06-02SecurityIntelligenceMike Oppenheim, Kevin Zuk, Matan Meir, Limor Kessem
@online{oppenheim:20170602:qakbot:ffff91a, author = {Mike Oppenheim and Kevin Zuk and Matan Meir and Limor Kessem}, title = {{QakBot Banking Trojan Causes Massive Active Directory Lockouts}}, date = {2017-06-02}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/}, language = {English}, urldate = {2020-01-10} } QakBot Banking Trojan Causes Massive Active Directory Lockouts
QakBot
2017-05-23ThreatVectorCylance Threat Research Team
@online{team:20170523:quakbot:3572c02, author = {Cylance Threat Research Team}, title = {{Quakbot}}, date = {2017-05-23}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html}, language = {English}, urldate = {2020-01-08} } Quakbot
QakBot
2016-08Intel SecuritySanchit Karve, Guilherme Venere, Mark Olea
@techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN
QakBot
2016-02-24Johannes Bader BlogJohannes Bader
@online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } The DGA of Qakbot.T
QakBot
2016BAE SystemsBAE Systems
@techreport{systems:2016:return:52c175d, author = {BAE Systems}, title = {{The Return of Qbot}}, date = {2016}, institution = {BAE Systems}, url = {https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf}, language = {English}, urldate = {2019-11-29} } The Return of Qbot
QakBot
2012SymantecNicolas Falliere
@techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } W32.Qakbot in Detail
QakBot
2011-05-25Contagio DumpMila Parkour
@online{parkour:20110525:w32qakbot:b814de0, author = {Mila Parkour}, title = {{W32.Qakbot aka W32/Pinkslipbot or infostealer worm}}, date = {2011-05-25}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/11/template.html}, language = {English}, urldate = {2019-11-21} } W32.Qakbot aka W32/Pinkslipbot or infostealer worm
QakBot
Yara Rules
[TLP:WHITE] win_qakbot_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 4000
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_1 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 4000
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_2 = { 8b4df8 8908 ff75fc ff15???????? }
            // n = 4, score = 3800
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_3 = { c1e80b 33d0 8bc2 25ad583aff c1e007 33d0 }
            // n = 6, score = 3800
            //   c1e80b               | shr                 eax, 0xb
            //   33d0                 | xor                 edx, eax
            //   8bc2                 | mov                 eax, edx
            //   25ad583aff           | and                 eax, 0xff3a58ad
            //   c1e007               | shl                 eax, 7
            //   33d0                 | xor                 edx, eax

        $sequence_4 = { 8b1481 40 8981c0090000 8bc2 c1e80b 33d0 8bc2 }
            // n = 7, score = 3800
            //   8b1481               | mov                 edx, dword ptr [ecx + eax*4]
            //   40                   | inc                 eax
            //   8981c0090000         | mov                 dword ptr [ecx + 0x9c0], eax
            //   8bc2                 | mov                 eax, edx
            //   c1e80b               | shr                 eax, 0xb
            //   33d0                 | xor                 edx, eax
            //   8bc2                 | mov                 eax, edx

        $sequence_5 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3800
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        $sequence_6 = { 57 6a00 6a02 ff15???????? 8bf8 83c8ff }
            // n = 6, score = 3800
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_7 = { 750c 57 ff15???????? 6afe 58 }
            // n = 5, score = 3800
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2
            //   58                   | pop                 eax

        $sequence_8 = { 8d45f8 56 50 e8???????? 8d45f4 }
            // n = 5, score = 3800
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_9 = { 7507 c74508???????? e8???????? 85c0 7d08 }
            // n = 5, score = 3800
            //   7507                 | jne                 9
            //   c74508????????       |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7d08                 | jge                 0xa

        $sequence_10 = { 50 e8???????? 8b06 47 59 }
            // n = 5, score = 3800
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi
            //   59                   | pop                 ecx

        $sequence_11 = { 740d 8d45fc 6a00 50 e8???????? 59 }
            // n = 6, score = 3800
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_12 = { 33c0 7402 ebfa e8???????? }
            // n = 4, score = 3700
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e8????????           |                     

        $sequence_13 = { ebfa 83c8ff eb02 33c0 }
            // n = 4, score = 3500
            //   ebfa                 | jmp                 0xfffffffc
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_14 = { 85c0 750d 33d2 7402 }
            // n = 4, score = 3500
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   33d2                 | xor                 edx, edx
            //   7402                 | je                  4

        $sequence_15 = { 6a00 ff15???????? a3???????? 833d????????00 750b 33c0 7402 }
            // n = 7, score = 3500
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     
            //   833d????????00       |                     
            //   750b                 | jne                 0xd
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_16 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 3500
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_17 = { 7404 33c0 eb27 6a00 6a00 }
            // n = 5, score = 3500
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb27                 | jmp                 0x29
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_18 = { ebfa eb06 33c0 7402 }
            // n = 4, score = 3500
            //   ebfa                 | jmp                 0xfffffffc
            //   eb06                 | jmp                 8
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_19 = { 7412 8d85d8feffff 50 57 ff15???????? 85c0 75d9 }
            // n = 7, score = 3500
            //   7412                 | je                  0x14
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75d9                 | jne                 0xffffffdb

        $sequence_20 = { 83c40c 33c0 5b 5f 5e c9 c3 }
            // n = 7, score = 3500
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_21 = { 7402 ebfa 83c8ff e9???????? }
            // n = 4, score = 3500
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_22 = { 8b84248c000000 8b4050 89442470 8b84248c000000 8b4034 8944246c 89e0 }
            // n = 7, score = 100
            //   8b84248c000000       | mov                 eax, dword ptr [esp + 0x8c]
            //   8b4050               | mov                 eax, dword ptr [eax + 0x50]
            //   89442470             | mov                 dword ptr [esp + 0x70], eax
            //   8b84248c000000       | mov                 eax, dword ptr [esp + 0x8c]
            //   8b4034               | mov                 eax, dword ptr [eax + 0x34]
            //   8944246c             | mov                 dword ptr [esp + 0x6c], eax
            //   89e0                 | mov                 eax, esp

        $sequence_23 = { 5f 5b 5d c3 31c0 8944242c 89442428 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   89442428             | mov                 dword ptr [esp + 0x28], eax

        $sequence_24 = { 8b5824 89442438 8b842480000000 01f8 81c283f803c4 }
            // n = 5, score = 100
            //   8b5824               | mov                 ebx, dword ptr [eax + 0x24]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8b842480000000       | mov                 eax, dword ptr [esp + 0x80]
            //   01f8                 | add                 eax, edi
            //   81c283f803c4         | add                 edx, 0xc403f883

        $sequence_25 = { 81e2ffff0000 8b75ec 81c622be8b8f 01f2 8b75dc 01d6 8975d0 }
            // n = 7, score = 100
            //   81e2ffff0000         | and                 edx, 0xffff
            //   8b75ec               | mov                 esi, dword ptr [ebp - 0x14]
            //   81c622be8b8f         | add                 esi, 0x8f8bbe22
            //   01f2                 | add                 edx, esi
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   01d6                 | add                 esi, edx
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi

        $sequence_26 = { 8b5508 83f800 89442414 894c2410 8954240c }
            // n = 5, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83f800               | cmp                 eax, 0
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   8954240c             | mov                 dword ptr [esp + 0xc], edx

        $sequence_27 = { c645ebda 662b4df2 668988f4000000 c78008010000611a0000 66c780f80000000b01 83c410 }
            // n = 6, score = 100
            //   c645ebda             | mov                 byte ptr [ebp - 0x15], 0xda
            //   662b4df2             | sub                 cx, word ptr [ebp - 0xe]
            //   668988f4000000       | mov                 word ptr [eax + 0xf4], cx
            //   c78008010000611a0000     | mov    dword ptr [eax + 0x108], 0x1a61
            //   66c780f80000000b01     | mov    word ptr [eax + 0xf8], 0x10b
            //   83c410               | add                 esp, 0x10

        $sequence_28 = { 8b4d0c 8b5508 31f6 8b5244 83fa00 8945f4 894df0 }
            // n = 7, score = 100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   31f6                 | xor                 esi, esi
            //   8b5244               | mov                 edx, dword ptr [edx + 0x44]
            //   83fa00               | cmp                 edx, 0
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        $sequence_29 = { 8b4c2418 39cf 89442410 897c2408 74c8 8b442408 8b4c2438 }
            // n = 7, score = 100
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   39cf                 | cmp                 edi, ecx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   74c8                 | je                  0xffffffca
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]

    condition:
        7 of them and filesize < 958464
}
Download all Yara Rules