win.qakbot (Back to overview)

QakBot

aka: Qbot, Pinkslipbot
URLhaus    

There is no description at this point.

References
https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/
http://contagiodump.blogspot.com/2010/11/template.html
https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/
https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html
https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf
https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf
https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html
Yara Rules
[TLP:WHITE] win_qakbot_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 18000
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85d8feffff         | lea                 eax, dword ptr [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_1 = { 50 33f6 8bf8 895dfc }
            // n = 4, score = 18000
            //   50                   | push                eax
            //   33f6                 | xor                 esi, esi
            //   8bf8                 | mov                 edi, eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_2 = { 8b5510 41 890a 5d }
            // n = 4, score = 18000
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   41                   | inc                 ecx
            //   890a                 | mov                 dword ptr [edx], ecx
            //   5d                   | pop                 ebp

        $sequence_3 = { 8b1481 40 8981c0090000 8bc2 }
            // n = 4, score = 18000
            //   8b1481               | mov                 edx, dword ptr [ecx + eax*4]
            //   40                   | inc                 eax
            //   8981c0090000         | mov                 dword ptr [ecx + 0x9c0], eax
            //   8bc2                 | mov                 eax, edx

        $sequence_4 = { 8b7514 56 57 ff750c }
            // n = 4, score = 18000
            //   8b7514               | mov                 esi, dword ptr [ebp + 0x14]
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_5 = { 8907 899e28020000 8b8628020000 5f }
            // n = 4, score = 18000
            //   8907                 | mov                 dword ptr [edi], eax
            //   899e28020000         | mov                 dword ptr [esi + 0x228], ebx
            //   8b8628020000         | mov                 eax, dword ptr [esi + 0x228]
            //   5f                   | pop                 edi

        $sequence_6 = { 8d85d8feffff 50 ff5508 8bf0 }
            // n = 4, score = 18000
            //   8d85d8feffff         | lea                 eax, dword ptr [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 8a551c 3aca 750f 85db }
            // n = 4, score = 18000
            //   8a551c               | mov                 dl, byte ptr [ebp + 0x1c]
            //   3aca                 | cmp                 cl, dl
            //   750f                 | jne                 0x896279
            //   85db                 | test                ebx, ebx

        $sequence_8 = { 3c7e 7711 3c5b 740d }
            // n = 4, score = 18000
            //   3c7e                 | cmp                 al, 0x7e
            //   7711                 | ja                  0x892e6b
            //   3c5b                 | cmp                 al, 0x5b
            //   740d                 | je                  0x892e6b

        $sequence_9 = { 51 8365fc00 56 be48020000 }
            // n = 4, score = 18000
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   56                   | push                esi
            //   be48020000           | mov                 esi, 0x248

    condition:
        7 of them
}
Download all Yara Rules