QakBot (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.qakbot (Back to overview)

QakBot

aka: Oakboat, Pinkslipbot, Qbot, Quakbot

Actor(s): GOLD CABIN

URLhaus

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.

References

2023-03-07 ⋅ Trellix ⋅ Pham Duy Phuc, Raghav Kapoor, John Fokker, Alejandro Houspanossian, Mathanraj Thangaraju
Qakbot Evolves to OneNote Malware Distribution
QakBot

2023-03-02 ⋅ Netresec ⋅ Erik Hjelmvik
QakBot C2 Traffic
QakBot

2023-03-01 ⋅ Zscaler ⋅ Meghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer

2023-02-24 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt, Jonathan Mccay, Kirk Sayre
Qbot testing malvertising campaigns?
QakBot

2023-02-17 ⋅ cyble ⋅ Cyble
The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods
QakBot

2023-02-14 ⋅ DSIH ⋅ Charles Blanc-Rolin
Comment Qbot revient en force avec OneNote ?
QakBot

2023-02-06 ⋅ Sophos ⋅ Andrew Brandt
Qakbot mechanizes distribution of malicious OneNote notebooks
QakBot

2023-01-12 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
QakBot

2022-12-28 ⋅ Micah Babinski
HTML Smuggling Detection
QakBot

2022-12-22 ⋅ ASEC ⋅ AhnLab
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
QakBot

2022-12-05 ⋅ Cybereason ⋅ Kotaro Ogino, Ralph Villanueva, Robin Plumer
Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot

2022-12-02 ⋅ Github (binref) ⋅ Jesko Hüttenhain
The Refinery Files 0x06: Qakbot Decoder
QakBot

2022-12-01 ⋅ splunk ⋅ Splunk Threat Research Team
From Macros to No Macros: Continuous Malware Improvements by QakBot
QakBot

2022-11-30 ⋅ Tidal Cyber Inc. ⋅ Scott Small
Identifying and Defending Against QakBot's Evolving TTPs
QakBot

2022-11-23 ⋅ Cybereason ⋅ Cybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot

2022-11-14 ⋅ Twitter (@embee_research) ⋅ Matthew
Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot

2022-11-10 ⋅ Intezer ⋅ Nicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot

2022-11-03 ⋅ SentinelOne ⋅ SentinelLabs
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot

2022-10-31 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot

2022-10-31 ⋅ Security homework ⋅ Christophe Rieunier
QakBot CCs prioritization and new record types
QakBot

2022-10-13 ⋅ Syrion ⋅ Raffaele Sabato
QAKBOT BB Configuration and C2 IPs List
QakBot

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-09-06 ⋅ Zscaler ⋅ Brett Stone-Gross
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-25 ⋅ Palo Alto Networks Unit 42 ⋅ Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot

2022-08-24 ⋅ Elastic ⋅ Cyril François
QBOT Malware Analysis
QakBot

2022-08-24 ⋅ Trellix ⋅ Adithya Chandra, Sushant Kumar Arya
Demystifying Qbot Malware
QakBot

2022-07-27 ⋅ Elastic ⋅ Cyril François, Derek Ditch
QBOT Configuration Extractor
QakBot

2022-07-27 ⋅ cyble ⋅ Cyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot

2022-07-27 ⋅ Elastic ⋅ Cyril François, Andrew Pease, Seth Goodwin
Exploring the QBOT Attack Pattern
QakBot

2022-07-24 ⋅ Bleeping Computer ⋅ Bill Toulas
QBot phishing uses Windows Calculator sideloading to infect devices
QakBot

2022-07-19 ⋅ Fortinet ⋅ Xiaopeng Zhang
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
QakBot

2022-07-17 ⋅ Resecurity ⋅ Resecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot

2022-07-12 ⋅ Zscaler ⋅ Tarun Dewan, Aditya Sharma
Rise in Qakbot attacks traced to evolving threat techniques
QakBot

2022-07-07 ⋅ Fortinet ⋅ Erin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot

2022-07-05 ⋅ Soc Investigation ⋅ Priyadharshini Balaji
QBot Spreads via LNK Files – Detection & Response
QakBot

2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot

2022-06-17 ⋅ Github (NtQuerySystemInformation) ⋅ Twitter (@kasua02)
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
QakBot

2022-06-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
QakBot

2022-06-02 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot

2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-19 ⋅ Trend Micro ⋅ Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-20 ⋅ SANS ISC ⋅ Brad Duncan
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
QakBot

2022-04-17 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: API Hashing
QakBot

2022-04-16 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: Process Injection
QakBot

2022-04-13 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: Configuration Extraction
QakBot

2022-04-12 ⋅ Tech Times ⋅ Joseph Henry
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
QakBot

2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Qbot malware switches to new Windows Installer infection vector
QakBot

2022-04-10 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: String Obfuscation
QakBot

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-25 ⋅ SANS ISC ⋅ Xavier Mertens
XLSB Files: Because Binary is Stealthier Than XML
QakBot

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-02-26 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot

2022-02-26 ⋅ LinkedIn (Zayed AlJaberi) ⋅ Zayed AlJaberi
Hunting Recent QakBot Malware
QakBot

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot

2022-02-21 ⋅ The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot

2022-02-16 ⋅ SOC Prime ⋅ Alla Yurchenko
QBot Malware Detection: Old Dog New Tricks
QakBot

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-02-08 ⋅ BleepingComputer ⋅ Bill Toulas
Qbot needs only 30 minutes to steal your credentials, emails
QakBot

2022-02-07 ⋅ The DFIR Report ⋅ The DFIR Report
Qbot Likes to Move It, Move It
QakBot

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-15 ⋅ Atomic Matryoshka ⋅ z3r0day_504
Malware Headliners: Qakbot
QakBot

2022-01-13 ⋅ Trustwave ⋅ Lloyd Macrohon, Rodel Mendrez
Decrypting Qakbot’s Encrypted Registry Keys
QakBot

2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-12-17 ⋅ Trend Micro ⋅ Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza
Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
QakBot

2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle

2021-12-11 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
How To Extract & Decrypt Qbot Configs Across Variants
QakBot

2021-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
A closer look at Qakbot’s latest building blocks (and how to knock them down)
QakBot

2021-11-21 ⋅ Twitter (@tylabs) ⋅ Tyler McLellan, Twitter (@ffforward)
Twitter Thread about UNC1500 phishing using QAKBOT
QakBot

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Twitter (@kienbigmummy) ⋅ m4n0w4r
Tweet on short analysis of QakBot
QakBot

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
Automate Qbot Malware String Decryption With Ghidra Script
QakBot

2021-11-13 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov
QAKBOT Loader Returns With New Techniques and Tools
QakBot

2021-11-12 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov
The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
QakBot

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-11 ⋅ vmware ⋅ Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot

2021-11-10 ⋅ CIRCL ⋅ CIRCL
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
QakBot

2021-11-09 ⋅ MinervaLabs ⋅ Minerva Labs
A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle

2021-11-03 ⋅ Twitter (@Corvid_Cyber) ⋅ CORVID
Tweet on a unique Qbot debugger dropped by an actor after compromise
QakBot

2021-11-03 ⋅ Team Cymru ⋅ tcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-09-03 ⋅ IBM ⋅ Camille Singleton, Andrew Gorecki, John Dwyer
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-09-02 ⋅ Kaspersky ⋅ Anton Kuzmenko, Oleg Kupreev, Haim Zigel
QakBot Technical Analysis
QakBot

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot

2021-07-30 ⋅ HP ⋅ Patrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot

2021-07-24 ⋅ 0ffset Blog ⋅ Daniel Bunce
Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
QakBot

2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-06-16 ⋅ S2 Grupo ⋅ CSIRT-CV (the ICT Security Center of the Valencian Community)
Emotet campaign analysis
Emotet QakBot

2021-06-16 ⋅ Twitter (@ChouchWard) ⋅ ch0uch ward
Tweet on Qbot operators left their web server's access.log file unsecured
QakBot

2021-06-15 ⋅ Perception Point ⋅ Shai Golderman
Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
QakBot

2021-06-10 ⋅ ZAYOTEM ⋅ İlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ
QakBot Technical Analysis Report
QakBot

2021-06-08 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil

2021-06-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FUJIFILM shuts down network after suspected ransomware attack
QakBot

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-04 ⋅ Seguranca Informatica ⋅ Pedro Tavares
A taste of the latest release of QakBot
QakBot

2021-04-30 ⋅ MADRID Labs ⋅ Odin Bernstein
Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
QakBot

2021-04-28 ⋅ IBM ⋅ David Bisson
QBot Malware Spotted Using Windows Defender Antivirus Lure
QakBot

2021-04-28 ⋅ Reversing Labs ⋅ Karlo Zanki
Spotting malicious Excel4 macros
QakBot

2021-04-19 ⋅ Twitter (@_alex_il_) ⋅ Alex Ilgayev
Tweet on QakBot's additional decryption mechanism
QakBot

2021-04-15 ⋅ AT&T ⋅ Dax Morrow, Ofer Caspi
The rise of QakBot
QakBot

2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-04-12 ⋅ Twitter (@elisalem9) ⋅ Eli Salem
Tweets on QakBot
QakBot

2021-04-06 ⋅ Intel 471 ⋅ Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-26 ⋅ Trend Micro ⋅ Trend Micro
Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot

2021-03-18 ⋅ VinCSS ⋅ Tran Trung Kien
[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
QakBot

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team

2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-15 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on Qakbot post infection discovery activity
QakBot

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-06 ⋅ FBI ⋅ FBI
PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD LAGOON
QakBot MALLARD SPIDER

2020-12-15 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot

2020-12-12 ⋅ Medium 0xthreatintel ⋅ 0xthreatintel
Reversing QakBot [ TLP: White]
QakBot

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil

2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot

2020-12-03 ⋅ Recorded Future ⋅ Insikt Group®
Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot

2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot

2020-12-01 ⋅ Group-IB ⋅ Group-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin
Egregor ransomware: The legacy of Maze lives on
Egregor QakBot

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-27 ⋅ Fiducia & GAD IT AG ⋅ Frank Boldewin
When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-11-20 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
The Locking Egregor
Egregor QakBot

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-12 ⋅ Intrinsec ⋅ Jean Bichet
Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot

2020-10-29 ⋅ CERT-FR ⋅ CERT-FR
LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot

2020-10-14 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
QakBot

2020-10-07 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader

2020-10-01 ⋅ CrowdStrike ⋅ Dylan Barker, Quinten Bowen, Ryan Campbell
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
QakBot MALLARD SPIDER

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-10 ⋅ Group-IB ⋅ Oleg Skulkin, Semyon Rogachev
Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot

2020-09-10 ⋅ QuoSec GmbH ⋅ Quosec Blog
grap: Automating QakBot strings decryption
QakBot

2020-09-04 ⋅ QuoSec GmbH ⋅ Quosec Blog
Navigating QakBot samples with grap
QakBot

2020-08-27 ⋅ Checkpoint ⋅ Alex Ilgayev
An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
QakBot

2020-08-20 ⋅ Morphisec ⋅ Arnold Osipov
QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
QakBot

2020-07-15 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary
Deep Analysis of QBot Banking Trojan
QakBot

2020-06-24 ⋅ Morphisec ⋅ Arnold Osipov
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader

2020-06-21 ⋅ Malware and Stuff ⋅ Andreas Klopsch
UpnP – Messing up Security since years
QakBot

2020-06-16 ⋅ Hornetsecurity ⋅ Security Lab
QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot

2020-06-11 ⋅ F5 Labs ⋅ Doron Voolf
Qbot Banking Trojan Still Up to Its Old Tricks
QakBot

2020-05-05 ⋅ Malware and Stuff ⋅ Andreas Klopsch
An old enemy – Diving into QBot part 3
QakBot

2020-03-30 ⋅ Malware and Stuff ⋅ Andreas Klopsch
An old enemy – Diving into QBot part 1
QakBot

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-13 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Qakbot Infections
QakBot

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-01-03 ⋅ Youtube (BSides Belfast) ⋅ Nick Summerlin, Jorge Rodriguez
Demystifying QBot Banking Trojan
QakBot

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD LAGOON
QakBot

2020 ⋅ University of Malta ⋅ Steve Borg
Memory Forensics of Qakbot
QakBot

2019-12-07 ⋅ Secureworks ⋅ Kevin O’Reilly, Keith Jarvis
End-to-end Botnet Monitoring... Botconf 2019
Emotet ISFB QakBot

2019-11-12 ⋅ Hatching.io ⋅ Markel Picado
Reversing Qakbot
QakBot

2019-06-03 ⋅ Varonis ⋅ Dolev Taler, Eric Saraga
Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
QakBot

2019-05-02 ⋅ Cisco Talos ⋅ Ashlee Benge, Nick Randolph
Qakbot levels up with new obfuscation techniques
QakBot

2018-07-29 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
QakBot

2017-11-06 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet QakBot

2017-06-02 ⋅ SecurityIntelligence ⋅ Mike Oppenheim, Kevin Zuk, Matan Meir, Limor Kessem
QakBot Banking Trojan Causes Massive Active Directory Lockouts
QakBot

2017-05-23 ⋅ ThreatVector ⋅ Cylance Threat Research Team
Quakbot
QakBot

2016-08 ⋅ Intel Security ⋅ Sanchit Karve, Guilherme Venere, Mark Olea
DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN
QakBot

2016-04-28 ⋅ Cisco Talos ⋅ Ben Baker
Research Spotlight: The Resurgence of Qbot
QakBot

2016-02-24 ⋅ Johannes Bader Blog ⋅ Johannes Bader
The DGA of Qakbot.T
QakBot

2016 ⋅ BAE Systems ⋅ BAE Systems
The Return of Qbot
QakBot

2012 ⋅ Symantec ⋅ Nicolas Falliere
W32.Qakbot in Detail
QakBot

2011-05-25 ⋅ Contagio Dump ⋅ Mila Parkour
W32.Qakbot aka W32/Pinkslipbot or infostealer worm
QakBot

Yara Rules

[TLP:WHITE] win_qakbot_auto (20230125 | Detects win.qakbot.)

rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.qakbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 8b06 47 }
            // n = 4, score = 8600
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi

        $sequence_1 = { e9???????? 33c0 7402 ebfa }
            // n = 4, score = 8400
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc

        $sequence_2 = { 740d 8d45fc 6a00 50 }
            // n = 4, score = 8300
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 8b06 47 59 59 }
            // n = 4, score = 8200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_4 = { eb13 e8???????? 33c9 85c0 0f9fc1 41 }
            // n = 6, score = 8200
            //   eb13                 | jmp                 0x15
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax
            //   0f9fc1               | setg                cl
            //   41                   | inc                 ecx

        $sequence_5 = { 7402 ebfa 33c0 7402 }
            // n = 4, score = 8200
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_6 = { 0fb64903 c1e008 0bc2 c1e008 0bc1 c3 55 }
            // n = 7, score = 8200
            //   0fb64903             | movzx               ecx, byte ptr [ecx + 3]
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx
            //   c1e008               | shl                 eax, 8
            //   0bc1                 | or                  eax, ecx
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_7 = { ebfa eb06 33c0 7402 }
            // n = 4, score = 8200
            //   ebfa                 | jmp                 0xfffffffc
            //   eb06                 | jmp                 8
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_8 = { 8d45fc 6aff 50 e8???????? 59 59 }
            // n = 6, score = 8000
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_9 = { 59 59 6afb e9???????? }
            // n = 4, score = 7900
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   6afb                 | push                -5
            //   e9????????           |                     

        $sequence_10 = { 48 50 8d8534f6ffff 6a00 50 }
            // n = 5, score = 7700
            //   48                   | dec                 eax
            //   50                   | push                eax
            //   8d8534f6ffff         | lea                 eax, [ebp - 0x9cc]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_11 = { 5e c9 c3 55 8bec 81ecc4090000 }
            // n = 6, score = 7600
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecc4090000         | sub                 esp, 0x9c4

        $sequence_12 = { e8???????? 83c410 33c0 7402 }
            // n = 4, score = 7600
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_13 = { 7cef eb10 c644301c00 ff465c 8b465c 83f838 }
            // n = 6, score = 7500
            //   7cef                 | jl                  0xfffffff1
            //   eb10                 | jmp                 0x12
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f838               | cmp                 eax, 0x38

        $sequence_14 = { eb0b c644301c00 ff465c 8b465c 83f840 7cf0 }
            // n = 6, score = 7500
            //   eb0b                 | jmp                 0xd
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f840               | cmp                 eax, 0x40
            //   7cf0                 | jl                  0xfffffff2

        $sequence_15 = { c644061c00 ff465c 837e5c38 7cef eb10 c644301c00 }
            // n = 6, score = 7400
            //   c644061c00           | mov                 byte ptr [esi + eax + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   837e5c38             | cmp                 dword ptr [esi + 0x5c], 0x38
            //   7cef                 | jl                  0xfffffff1
            //   eb10                 | jmp                 0x12
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0

        $sequence_16 = { 7507 c7466401000000 83f840 7507 }
            // n = 4, score = 7200
            //   7507                 | jne                 9
            //   c7466401000000       | mov                 dword ptr [esi + 0x64], 1
            //   83f840               | cmp                 eax, 0x40
            //   7507                 | jne                 9

        $sequence_17 = { 85c0 750a 33c0 7402 }
            // n = 4, score = 7200
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_18 = { 72b6 33c0 5f 5e 5b c9 c3 }
            // n = 7, score = 6900
            //   72b6                 | jb                  0xffffffb8
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_19 = { 7402 ebfa e9???????? 6a00 }
            // n = 4, score = 6800
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e9????????           |                     
            //   6a00                 | push                0

        $sequence_20 = { c7466001000000 33c0 40 5e }
            // n = 4, score = 6700
            //   c7466001000000       | mov                 dword ptr [esi + 0x60], 1
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5e                   | pop                 esi

        $sequence_21 = { 6afe 8d45f4 50 e8???????? }
            // n = 4, score = 5600
            //   6afe                 | push                -2
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_22 = { 7402 ebfa eb0d 33c0 }
            // n = 4, score = 5500
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   eb0d                 | jmp                 0xf
            //   33c0                 | xor                 eax, eax

        $sequence_23 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 4300
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_24 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 4100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_25 = { ff15???????? 85c0 750c 57 ff15???????? 6afe }
            // n = 6, score = 3900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2

        $sequence_26 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3900
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        $sequence_27 = { 6a02 ff15???????? 8bf8 83c8ff }
            // n = 4, score = 3900
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_28 = { 6a00 58 0f95c0 40 50 }
            // n = 5, score = 3700
            //   6a00                 | push                0
            //   58                   | pop                 eax
            //   0f95c0               | setne               al
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_29 = { e8???????? 33c0 c3 55 8bec 51 51 }
            // n = 7, score = 3700
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_30 = { 7412 8d85d8feffff 50 57 ff15???????? }
            // n = 5, score = 3500
            //   7412                 | je                  0x14
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_31 = { 00e9 8b55e4 880c1a 8a4df3 }
            // n = 4, score = 100
            //   00e9                 | add                 cl, ch
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   880c1a               | mov                 byte ptr [edx + ebx], cl
            //   8a4df3               | mov                 cl, byte ptr [ebp - 0xd]

        $sequence_32 = { 00ca 66897c2446 31f6 8974244c }
            // n = 4, score = 100
            //   00ca                 | add                 dl, cl
            //   66897c2446           | mov                 word ptr [esp + 0x46], di
            //   31f6                 | xor                 esi, esi
            //   8974244c             | mov                 dword ptr [esp + 0x4c], esi

        $sequence_33 = { 01c1 894c2430 e9???????? 55 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx
            //   e9????????           |                     
            //   55                   | push                ebp

        $sequence_34 = { 01c1 81e1ffff0000 83c101 8b442474 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   83c101               | add                 ecx, 1
            //   8b442474             | mov                 eax, dword ptr [esp + 0x74]

        $sequence_35 = { 00e9 884c0451 83c001 39d0 }
            // n = 4, score = 100
            //   00e9                 | add                 cl, ch
            //   884c0451             | mov                 byte ptr [esp + eax + 0x51], cl
            //   83c001               | add                 eax, 1
            //   39d0                 | cmp                 eax, edx

        $sequence_36 = { 01c1 8b442448 01c8 8944243c }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   01c8                 | add                 eax, ecx
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_37 = { 01c1 894c2404 8b442404 8d65fc }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8d65fc               | lea                 esp, [ebp - 4]

        $sequence_38 = { 01c1 21d1 8a442465 f6642465 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   21d1                 | and                 ecx, edx
            //   8a442465             | mov                 al, byte ptr [esp + 0x65]
            //   f6642465             | mul                 byte ptr [esp + 0x65]

    condition:
        7 of them and filesize < 1168384
}

Download all Yara Rules

QakBot Propose Change

References

Yara Rules

QakBot