SYMBOLCOMMON_NAMEaka. SYNONYMS
win.qakbot (Back to overview)

QakBot

aka: Oakboat, Pinkslipbot, Qbot, Quakbot

Actor(s): GOLD CABIN

URLhaus    

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.

References
2022-11-23CybereasonCybereason Global SOC Team
@online{team:20221123:threat:17093cc, author = {Cybereason Global SOC Team}, title = {{THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies}}, date = {2022-11-23}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies}, language = {English}, urldate = {2022-11-25} } THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot
2022-11-14Twitter (@embee_research)Matthew
@online{matthew:20221114:twitter:9b57525, author = {Matthew}, title = {{Twitter thread on Yara Signatures for Qakbot Encryption Routines}}, date = {2022-11-14}, organization = {Twitter (@embee_research)}, url = {https://twitter.com/embee_research/status/1592067841154756610?s=20}, language = {English}, urldate = {2022-11-18} } Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot
2022-11-10IntezerNicole Fishbein
@online{fishbein:20221110:how:6b334be, author = {Nicole Fishbein}, title = {{How LNK Files Are Abused by Threat Actors}}, date = {2022-11-10}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/}, language = {English}, urldate = {2022-11-11} } How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
2022-11-03SentinelOneSentinelLabs
@online{sentinellabs:20221103:black:0be02f3, author = {SentinelLabs}, title = {{Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor}}, date = {2022-11-03}, organization = {SentinelOne}, url = {https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta}, language = {English}, urldate = {2022-11-03} } Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-10-31CynetMax Malyutin
@online{malyutin:20221031:orion:49e3b5c, author = {Max Malyutin}, title = {{Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware}}, date = {2022-10-31}, organization = {Cynet}, url = {https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/}, language = {English}, urldate = {2022-11-15} } Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-31Security homeworkChristophe Rieunier
@online{rieunier:20221031:qakbot:e82f924, author = {Christophe Rieunier}, title = {{QakBot CCs prioritization and new record types}}, date = {2022-10-31}, organization = {Security homework}, url = {https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php}, language = {English}, urldate = {2022-10-31} } QakBot CCs prioritization and new record types
QakBot
2022-10-13SyrionRaffaele Sabato
@online{sabato:20221013:qakbot:f971585, author = {Raffaele Sabato}, title = {{QAKBOT BB Configuration and C2 IPs List}}, date = {2022-10-13}, organization = {Syrion}, url = {https://syrion.me/malware/qakbot-bb-extractor/}, language = {English}, urldate = {2022-10-24} } QAKBOT BB Configuration and C2 IPs List
QakBot
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-10-17} } Spamhaus Botnet Threat Update Q3 2022
FluBot Loki Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-06ZscalerBrett Stone-Gross
@online{stonegross:20220906:ares:e7ddb5d, author = {Brett Stone-Gross}, title = {{The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA}}, date = {2022-09-06}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga}, language = {English}, urldate = {2022-09-07} } The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot
2022-09-01Trend MicroTrend Micro
@online{micro:20220901:ransomware:8eda6e4, author = {Trend Micro}, title = {{Ransomware Spotlight Black Basta}}, date = {2022-09-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta}, language = {English}, urldate = {2022-09-19} } Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
@online{elsad:20220825:threat:b3514ed, author = {Amer Elsad}, title = {{Threat Assessment: Black Basta Ransomware}}, date = {2022-08-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/}, language = {English}, urldate = {2022-10-05} } Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-24ElasticCyril François
@online{franois:20220824:qbot:152ef8d, author = {Cyril François}, title = {{QBOT Malware Analysis}}, date = {2022-08-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-malware-analysis}, language = {English}, urldate = {2022-08-30} } QBOT Malware Analysis
QakBot
2022-08-24TrellixAdithya Chandra, Sushant Kumar Arya
@online{chandra:20220824:demystifying:77609b2, author = {Adithya Chandra and Sushant Kumar Arya}, title = {{Demystifying Qbot Malware}}, date = {2022-08-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html}, language = {English}, urldate = {2022-08-28} } Demystifying Qbot Malware
QakBot
2022-07-27ElasticCyril François, Derek Ditch
@online{franois:20220727:qbot:82146d1, author = {Cyril François and Derek Ditch}, title = {{QBOT Configuration Extractor}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/qbot-configuration-extractor}, language = {English}, urldate = {2022-08-05} } QBOT Configuration Extractor
QakBot
2022-07-27cybleCyble Research Labs
@online{labs:20220727:targeted:aa69498, author = {Cyble Research Labs}, title = {{Targeted Attacks Being Carried Out Via DLL SideLoading}}, date = {2022-07-27}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/}, language = {English}, urldate = {2022-08-15} } Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-27ElasticCyril François, Andrew Pease, Seth Goodwin
@online{franois:20220727:exploring:67dc644, author = {Cyril François and Andrew Pease and Seth Goodwin}, title = {{Exploring the QBOT Attack Pattern}}, date = {2022-07-27}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern}, language = {English}, urldate = {2022-08-05} } Exploring the QBOT Attack Pattern
QakBot
2022-07-24Bleeping ComputerBill Toulas
@online{toulas:20220724:qbot:f6c03d9, author = {Bill Toulas}, title = {{QBot phishing uses Windows Calculator sideloading to infect devices}}, date = {2022-07-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/}, language = {English}, urldate = {2022-07-29} } QBot phishing uses Windows Calculator sideloading to infect devices
QakBot
2022-07-19FortinetXiaopeng Zhang
@online{zhang:20220719:new:a3b1085, author = {Xiaopeng Zhang}, title = {{New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails}}, date = {2022-07-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails}, language = {English}, urldate = {2022-07-25} } New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
QakBot
2022-07-17ResecurityResecurity
@online{resecurity:20220717:shortcutbased:6cd77fb, author = {Resecurity}, title = {{Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise}}, date = {2022-07-17}, organization = {Resecurity}, url = {https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise}, language = {English}, urldate = {2022-07-28} } Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-12ZscalerTarun Dewan, Aditya Sharma
@online{dewan:20220712:rise:1cc657e, author = {Tarun Dewan and Aditya Sharma}, title = {{Rise in Qakbot attacks traced to evolving threat techniques}}, date = {2022-07-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques}, language = {English}, urldate = {2022-07-14} } Rise in Qakbot attacks traced to evolving threat techniques
QakBot
2022-07-07FortinetErin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-07-05Soc InvestigationPriyadharshini Balaji
@online{balaji:20220705:qbot:75c3b14, author = {Priyadharshini Balaji}, title = {{QBot Spreads via LNK Files – Detection & Response}}, date = {2022-07-05}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/}, language = {English}, urldate = {2022-07-13} } QBot Spreads via LNK Files – Detection & Response
QakBot
2022-06-30Trend MicroKenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
@online{apostol:20220630:black:7464953, author = {Kenneth Adrian Apostol and Paolo Ronniel Labrador and Mirah Manlapig and James Panlilio and Emmanuel Panopio and John Kenneth Reyes and Melvin Singwa}, title = {{Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit}}, date = {2022-06-30}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html}, language = {English}, urldate = {2022-07-05} } Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-21McAfeeLakshya Mathur
@online{mathur:20220621:rise:71e04f0, author = {Lakshya Mathur}, title = {{Rise of LNK (Shortcut files) Malware}}, date = {2022-06-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/}, language = {English}, urldate = {2022-07-05} } Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-06-17Github (NtQuerySystemInformation)Twitter (@kasua02)
@techreport{kasua02:20220617:reverse:b218c67, author = {Twitter (@kasua02)}, title = {{A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.}}, date = {2022-06-17}, institution = {Github (NtQuerySystemInformation)}, url = {https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf}, language = {English}, urldate = {2022-07-01} } A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
QakBot
2022-06-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220609:ta570:a51c1eb, author = {Brad Duncan}, title = {{TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)}}, date = {2022-06-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28728}, language = {English}, urldate = {2022-06-09} } TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
QakBot
2022-06-02MandiantMandiant
@online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-05-24BitSightJoão Batista, Pedro Umbelino, BitSight
@online{batista:20220524:emotet:cae57f1, author = {João Batista and Pedro Umbelino and BitSight}, title = {{Emotet Botnet Rises Again}}, date = {2022-05-24}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-botnet-rises-again}, language = {English}, urldate = {2022-05-25} } Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-19Trend MicroAdolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
@online{silverio:20220519:bruised:f5c6775, author = {Adolph Christian Silverio and Jeric Miguel Abordo and Khristian Joseph Morales and Maria Emreen Viray}, title = {{Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware}}, date = {2022-05-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html}, language = {English}, urldate = {2022-05-25} } Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-26Intel 471Intel 471
@online{471:20220426:conti:6bcff7d, author = {Intel 471}, title = {{Conti and Emotet: A constantly destructive duo}}, date = {2022-04-26}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-emotet-ransomware-conti-leaks}, language = {English}, urldate = {2022-04-29} } Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-20SANS ISCBrad Duncan
@online{duncan:20220420:aa:eb304fb, author = {Brad Duncan}, title = {{'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic}}, date = {2022-04-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/rss/28568}, language = {English}, urldate = {2022-04-25} } 'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
QakBot
2022-04-17MalwarologyGaetano Pellegrino
@online{pellegrino:20220417:qakbot:6af138c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: API Hashing}}, date = {2022-04-17}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-api-hashing/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: API Hashing
QakBot
2022-04-16MalwarologyGaetano Pellegrino
@online{pellegrino:20220416:qakbot:0b60d1c, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Process Injection}}, date = {2022-04-16}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-process-injection/}, language = {English}, urldate = {2022-05-31} } Qakbot Series: Process Injection
QakBot
2022-04-13MalwarologyGaetano Pellegrino
@online{pellegrino:20220413:qakbot:4bc5d74, author = {Gaetano Pellegrino}, title = {{Qakbot Series: Configuration Extraction}}, date = {2022-04-13}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: Configuration Extraction
QakBot
2022-04-12Tech TimesJoseph Henry
@online{henry:20220412:qbot:9dd8d54, author = {Joseph Henry}, title = {{Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers}}, date = {2022-04-12}, organization = {Tech Times}, url = {https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm}, language = {English}, urldate = {2022-05-04} } Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
QakBot
2022-04-11Bleeping ComputerSergiu Gatlan
@online{gatlan:20220411:qbot:7f1ddc7, author = {Sergiu Gatlan}, title = {{Qbot malware switches to new Windows Installer infection vector}}, date = {2022-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/}, language = {English}, urldate = {2022-05-04} } Qbot malware switches to new Windows Installer infection vector
QakBot
2022-04-10MalwarologyGaetano Pellegrino
@online{pellegrino:20220410:qakbot:d46c1cc, author = {Gaetano Pellegrino}, title = {{Qakbot Series: String Obfuscation}}, date = {2022-04-10}, organization = {Malwarology}, url = {https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/}, language = {English}, urldate = {2022-05-29} } Qakbot Series: String Obfuscation
QakBot
2022-03-31nccgroupNikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-25SANS ISCXavier Mertens
@online{mertens:20220325:xlsb:21fdeaf, author = {Xavier Mertens}, title = {{XLSB Files: Because Binary is Stealthier Than XML}}, date = {2022-03-25}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/}, language = {English}, urldate = {2022-03-25} } XLSB Files: Because Binary is Stealthier Than XML
QakBot
2022-03-17Trend MicroTrend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-16InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220316:qakbot:ff11e1e, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28448}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16SANS ISCBrad Duncan
@online{duncan:20220316:qakbot:7fe703f, author = {Brad Duncan}, title = {{Qakbot infection with Cobalt Strike and VNC activity}}, date = {2022-03-16}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/}, language = {English}, urldate = {2022-03-17} } Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-02-26MandiantMandiant
@online{mandiant:20220226:trending:a445d4a, author = {Mandiant}, title = {{TRENDING EVIL Q1 2022}}, date = {2022-02-26}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil/p/1}, language = {English}, urldate = {2022-03-14} } TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2022-02-26LinkedIn (Zayed AlJaberi)Zayed AlJaberi
@online{aljaberi:20220226:hunting:270b30c, author = {Zayed AlJaberi}, title = {{Hunting Recent QakBot Malware}}, date = {2022-02-26}, organization = {LinkedIn (Zayed AlJaberi)}, url = {https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4}, language = {English}, urldate = {2022-03-01} } Hunting Recent QakBot Malware
QakBot
2022-02-24The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-21The DFIR Report
@online{report:20220221:qbot:8b10b52, author = {The DFIR Report}, title = {{Qbot and Zerologon Lead To Full Domain Compromise}}, date = {2022-02-21}, url = {https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/}, language = {English}, urldate = {2022-02-26} } Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-16SOC PrimeAlla Yurchenko
@online{yurchenko:20220216:qbot:db07ba5, author = {Alla Yurchenko}, title = {{QBot Malware Detection: Old Dog New Tricks}}, date = {2022-02-16}, organization = {SOC Prime}, url = {https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/}, language = {English}, urldate = {2022-02-17} } QBot Malware Detection: Old Dog New Tricks
QakBot
2022-02-10CybereasonCybereason Global SOC Team
@online{team:20220210:threat:320574f, author = {Cybereason Global SOC Team}, title = {{Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot}}, date = {2022-02-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot}, language = {English}, urldate = {2022-02-10} } Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-08BleepingComputerBill Toulas
@online{toulas:20220208:qbot:a40ed5c, author = {Bill Toulas}, title = {{Qbot needs only 30 minutes to steal your credentials, emails}}, date = {2022-02-08}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/}, language = {English}, urldate = {2022-02-09} } Qbot needs only 30 minutes to steal your credentials, emails
QakBot
2022-02-07The DFIR ReportThe DFIR Report
@online{report:20220207:qbot:35410a9, author = {The DFIR Report}, title = {{Qbot Likes to Move It, Move It}}, date = {2022-02-07}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/}, language = {English}, urldate = {2022-02-09} } Qbot Likes to Move It, Move It
QakBot
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-18Recorded FutureInsikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-15Atomic Matryoshkaz3r0day_504
@online{z3r0day504:20220115:malware:ce94f8c, author = {z3r0day_504}, title = {{Malware Headliners: Qakbot}}, date = {2022-01-15}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-qakbot}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Qakbot
QakBot
2022-01-13TrustwaveLloyd Macrohon, Rodel Mendrez
@online{macrohon:20220113:decrypting:274747e, author = {Lloyd Macrohon and Rodel Mendrez}, title = {{Decrypting Qakbot’s Encrypted Registry Keys}}, date = {2022-01-13}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/}, language = {English}, urldate = {2022-01-25} } Decrypting Qakbot’s Encrypted Registry Keys
QakBot
2022-01-11CybereasonOmri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
@online{refaeli:20220111:threat:fd22089, author = {Omri Refaeli and Chen Erlich and Ofir Ozer and Niv Yona and Daichi Shimabukuro}, title = {{Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike}}, date = {2022-01-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike}, language = {English}, urldate = {2022-01-18} } Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-12-17Trend MicroAbraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza
@online{camba:20211217:staging:0ec37d9, author = {Abraham Camba and Jonna Santos and Gilbert Sison and Jay Yaneza}, title = {{Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager}}, date = {2021-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html}, language = {English}, urldate = {2021-12-31} } Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
QakBot
2021-12-16Red CanaryThe Red Canary Team
@online{team:20211216:intelligence:f7bad55, author = {The Red Canary Team}, title = {{Intelligence Insights: December 2021}}, date = {2021-12-16}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-december-2021}, language = {English}, urldate = {2021-12-31} } Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-11YouTube (AGDC Services)AGDC Services
@online{services:20211211:how:358bd74, author = {AGDC Services}, title = {{How To Extract & Decrypt Qbot Configs Across Variants}}, date = {2021-12-11}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=M22c1JgpG-U}, language = {English}, urldate = {2021-12-20} } How To Extract & Decrypt Qbot Configs Across Variants
QakBot
2021-12-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20211209:closer:bace4ec, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{A closer look at Qakbot’s latest building blocks (and how to knock them down)}}, date = {2021-12-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/}, language = {English}, urldate = {2021-12-13} } A closer look at Qakbot’s latest building blocks (and how to knock them down)
QakBot
2021-11-21Twitter (@tylabs)Tyler McLellan, Twitter (@ffforward)
@online{mclellan:20211121:twitter:018d4b1, author = {Tyler McLellan and Twitter (@ffforward)}, title = {{Twitter Thread about UNC1500 phishing using QAKBOT}}, date = {2021-11-21}, organization = {Twitter (@tylabs)}, url = {https://twitter.com/tylabs/status/1462195377277476871}, language = {English}, urldate = {2021-11-29} } Twitter Thread about UNC1500 phishing using QAKBOT
QakBot
2021-11-19Trend MicroMohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
@online{fahmy:20211119:squirrelwaffle:1e8fa78, author = {Mohamed Fahmy and Sherif Magdy and Abdelrhman Sharshar}, title = {{Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains}}, date = {2021-11-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html}, language = {English}, urldate = {2021-11-25} } Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-18Red CanaryThe Red Canary Team
@online{team:20211118:intelligence:7b00cb9, author = {The Red Canary Team}, title = {{Intelligence Insights: November 2021}}, date = {2021-11-18}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-november-2021/}, language = {English}, urldate = {2021-11-19} } Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-17Twitter (@Unit42_Intel)Unit 42
@online{42:20211117:matanbuchus:9e3556c, author = {Unit 42}, title = {{Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike}}, date = {2021-11-17}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1461004489234829320}, language = {English}, urldate = {2021-11-25} } Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-16Twitter (@kienbigmummy)m4n0w4r
@online{m4n0w4r:20211116:short:97d45fa, author = {m4n0w4r}, title = {{Tweet on short analysis of QakBot}}, date = {2021-11-16}, organization = {Twitter (@kienbigmummy)}, url = {https://twitter.com/kienbigmummy/status/1460537501676802051}, language = {English}, urldate = {2021-11-19} } Tweet on short analysis of QakBot
QakBot
2021-11-15TRUESECFabio Viggiani
@online{viggiani:20211115:proxyshell:bf17c6d, author = {Fabio Viggiani}, title = {{ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks}}, date = {2021-11-15}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks}, language = {English}, urldate = {2021-11-17} } ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13YouTube (AGDC Services)AGDC Services
@online{services:20211113:automate:487e01f, author = {AGDC Services}, title = {{Automate Qbot Malware String Decryption With Ghidra Script}}, date = {2021-11-13}, organization = {YouTube (AGDC Services)}, url = {https://www.youtube.com/watch?v=4I0LF8Vm7SI}, language = {English}, urldate = {2021-11-19} } Automate Qbot Malware String Decryption With Ghidra Script
QakBot
2021-11-13Trend MicroIan Kenefick, Vladimir Kropotov
@online{kenefick:20211113:qakbot:3138b93, author = {Ian Kenefick and Vladimir Kropotov}, title = {{QAKBOT Loader Returns With New Techniques and Tools}}, date = {2021-11-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html}, language = {English}, urldate = {2021-11-17} } QAKBOT Loader Returns With New Techniques and Tools
QakBot
2021-11-12Trend MicroIan Kenefick, Vladimir Kropotov
@techreport{kenefick:20211112:prelude:781d4d7, author = {Ian Kenefick and Vladimir Kropotov}, title = {{The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities}}, date = {2021-11-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf}, language = {English}, urldate = {2021-11-17} } The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
QakBot
2021-11-12Recorded FutureInsikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-11CynetMax Malyutin
@online{malyutin:20211111:duck:897cc6f, author = {Max Malyutin}, title = {{A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation}}, date = {2021-11-11}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/}, language = {English}, urldate = {2021-11-25} } A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-11vmwareJason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit
@online{zhang:20211111:research:b254ed6, author = {Jason Zhang and Stefano Ortolani and Giovanni Vigna and Threat Analysis Unit}, title = {{Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer}}, date = {2021-11-11}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html}, language = {English}, urldate = {2022-03-22} } Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot
2021-11-10CIRCLCIRCL
@online{circl:20211110:tr64:37ab4d8, author = {CIRCL}, title = {{TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders}}, date = {2021-11-10}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-64/}, language = {English}, urldate = {2021-11-25} } TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
QakBot
2021-11-09MinervaLabsMinerva Labs
@online{labs:20211109:new:411a8fd, author = {Minerva Labs}, title = {{A New DatopLoader Delivers QakBot Trojan}}, date = {2021-11-09}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan}, language = {English}, urldate = {2021-11-17} } A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-11-03Twitter (@Corvid_Cyber)CORVID
@online{corvid:20211103:unique:3709f32, author = {CORVID}, title = {{Tweet on a unique Qbot debugger dropped by an actor after compromise}}, date = {2021-11-03}, organization = {Twitter (@Corvid_Cyber)}, url = {https://twitter.com/Corvid_Cyber/status/1455844008081641472}, language = {English}, urldate = {2021-11-08} } Tweet on a unique Qbot debugger dropped by an actor after compromise
QakBot
2021-11-03Team Cymrutcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-26ANSSI
@techreport{anssi:20211026:identification:9444ac3, author = {ANSSI}, title = {{Identification of a new cyber criminal group: Lockean}}, date = {2021-10-26}, institution = {}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf}, language = {English}, urldate = {2022-01-25} } Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
@online{brumaghin:20211026:squirrelwaffle:88c5943, author = {Edmund Brumaghin and Mariano Graziano and Nick Mavis}, title = {{SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike}}, date = {2021-10-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html}, language = {English}, urldate = {2021-11-02} } SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-10-07NetskopeGustavo Palazolo, Ghanashyam Satpathy
@online{palazolo:20211007:squirrelwaffle:3506816, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot}}, date = {2021-10-07}, organization = {Netskope}, url = {https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot}, language = {English}, urldate = {2021-10-11} } SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-09-03IBMCamille Singleton, Andrew Gorecki, John Dwyer
@online{singleton:20210903:dissecting:4d56786, author = {Camille Singleton and Andrew Gorecki and John Dwyer}, title = {{Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight}}, date = {2021-09-03}, organization = {IBM}, url = {https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/}, language = {English}, urldate = {2021-09-09} } Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02KasperskyAnton Kuzmenko, Oleg Kupreev, Haim Zigel
@online{kuzmenko:20210902:qakbot:219d23c, author = {Anton Kuzmenko and Oleg Kupreev and Haim Zigel}, title = {{QakBot Technical Analysis}}, date = {2021-09-02}, organization = {Kaspersky}, url = {https://securelist.com/qakbot-technical-analysis/103931/}, language = {English}, urldate = {2021-09-06} } QakBot Technical Analysis
QakBot
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05Group-IBViktor Okorokov, Nikita Rostovcev
@online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-08-05The RecordCatalin Cimpanu
@online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-240ffset BlogDaniel Bunce
@online{bunce:20210724:quack:ddda5cd, author = {Daniel Bunce}, title = {{Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1}}, date = {2021-07-24}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/}, language = {English}, urldate = {2021-08-02} } Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
QakBot
2021-06-24KasperskyAnton Kuzmenko
@online{kuzmenko:20210624:malicious:83a5c83, author = {Anton Kuzmenko}, title = {{Malicious spam campaigns delivering banking Trojans}}, date = {2021-06-24}, organization = {Kaspersky}, url = {https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917}, language = {English}, urldate = {2021-06-25} } Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-06-16S2 GrupoCSIRT-CV (the ICT Security Center of the Valencian Community)
@online{community:20210616:emotet:7e0fafe, author = {CSIRT-CV (the ICT Security Center of the Valencian Community)}, title = {{Emotet campaign analysis}}, date = {2021-06-16}, organization = {S2 Grupo}, url = {https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/}, language = {Spanish}, urldate = {2021-06-21} } Emotet campaign analysis
Emotet QakBot
2021-06-16Twitter (@ChouchWard)ch0uch ward
@online{ward:20210616:qbot:1adaa08, author = {ch0uch ward}, title = {{Tweet on Qbot operators left their web server's access.log file unsecured}}, date = {2021-06-16}, organization = {Twitter (@ChouchWard)}, url = {https://twitter.com/ChouchWard/status/1405168040254316547}, language = {English}, urldate = {2021-06-21} } Tweet on Qbot operators left their web server's access.log file unsecured
QakBot
2021-06-15Perception PointShai Golderman
@online{golderman:20210615:insights:d3fc7b6, author = {Shai Golderman}, title = {{Insights Into an Excel 4.0 Macro Attack using Qakbot Malware}}, date = {2021-06-15}, organization = {Perception Point}, url = {https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware}, language = {English}, urldate = {2021-06-21} } Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
QakBot
2021-06-10ZAYOTEMİlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ
@online{verimolu:20210610:qakbot:4896852, author = {İlker Verimoğlu and Emre Doğan and Kaan Binen and Abdulkadir Binan and Emrah Sarıdağ}, title = {{QakBot Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view}, language = {English}, urldate = {2021-06-16} } QakBot Technical Analysis Report
QakBot
2021-06-08Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20210608:from:62f4d20, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{From QBot...with REvil Ransomware: Initial Attack Exposure of JBS}}, date = {2021-06-08}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs}, language = {English}, urldate = {2021-06-09} } From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil
2021-06-02Bleeping ComputerLawrence Abrams
@online{abrams:20210602:fujifilm:eced96f, author = {Lawrence Abrams}, title = {{FUJIFILM shuts down network after suspected ransomware attack}}, date = {2021-06-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/}, language = {English}, urldate = {2021-06-09} } FUJIFILM shuts down network after suspected ransomware attack
QakBot
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-04Seguranca InformaticaPedro Tavares
@online{tavares:20210504:taste:b6a3380, author = {Pedro Tavares}, title = {{A taste of the latest release of QakBot}}, date = {2021-05-04}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot}, language = {English}, urldate = {2021-05-07} } A taste of the latest release of QakBot
QakBot
2021-04-30MADRID LabsOdin Bernstein
@online{bernstein:20210430:qbot:104bad4, author = {Odin Bernstein}, title = {{Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server}}, date = {2021-04-30}, organization = {MADRID Labs}, url = {https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/}, language = {English}, urldate = {2021-05-08} } Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
QakBot
2021-04-28IBMDavid Bisson
@online{bisson:20210428:qbot:dcbcd50, author = {David Bisson}, title = {{QBot Malware Spotted Using Windows Defender Antivirus Lure}}, date = {2021-04-28}, organization = {IBM}, url = {https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/}, language = {English}, urldate = {2021-05-03} } QBot Malware Spotted Using Windows Defender Antivirus Lure
QakBot
2021-04-28Reversing LabsKarlo Zanki
@online{zanki:20210428:spotting:61ba0f6, author = {Karlo Zanki}, title = {{Spotting malicious Excel4 macros}}, date = {2021-04-28}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros}, language = {English}, urldate = {2021-05-03} } Spotting malicious Excel4 macros
QakBot
2021-04-19Twitter (@_alex_il_)Alex Ilgayev
@online{ilgayev:20210419:qakbots:b3b929c, author = {Alex Ilgayev}, title = {{Tweet on QakBot's additional decryption mechanism}}, date = {2021-04-19}, organization = {Twitter (@_alex_il_)}, url = {https://twitter.com/_alex_il_/status/1384094623270727685}, language = {English}, urldate = {2021-04-20} } Tweet on QakBot's additional decryption mechanism
QakBot
2021-04-15AT&TDax Morrow, Ofer Caspi
@online{morrow:20210415:rise:73d9a21, author = {Dax Morrow and Ofer Caspi}, title = {{The rise of QakBot}}, date = {2021-04-15}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot}, language = {English}, urldate = {2021-04-16} } The rise of QakBot
QakBot
2021-04-13Silent PushMartijn Grooten
@online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-12Twitter (@elisalem9)Eli Salem
@online{salem:20210412:tweets:7b7280e, author = {Eli Salem}, title = {{Tweets on QakBot}}, date = {2021-04-12}, organization = {Twitter (@elisalem9)}, url = {https://twitter.com/elisalem9/status/1381859965875462144}, language = {English}, urldate = {2021-04-14} } Tweets on QakBot
QakBot
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-26Trend MicroTrend Micro
@online{micro:20210326:alleged:ce2115c, author = {Trend Micro}, title = {{Alleged Members of Egregor Ransomware Cartel Arrested}}, date = {2021-03-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html}, language = {English}, urldate = {2021-04-28} } Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot
2021-03-18VinCSSTran Trung Kien
@online{kien:20210318:re021:00caf5b, author = {Tran Trung Kien}, title = {{[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade}}, date = {2021-03-18}, organization = {VinCSS}, url = {https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html}, language = {English}, urldate = {2021-03-19} } [RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
QakBot
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210215:qakbot:f692e9c, author = {The DFIR Report}, title = {{Tweet on Qakbot post infection discovery activity}}, date = {2021-02-15}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1361331598344478727}, language = {English}, urldate = {2021-02-18} } Tweet on Qakbot post infection discovery activity
QakBot
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-19Medium elis531989Eli Salem
@online{salem:20210119:funtastic:42f9250, author = {Eli Salem}, title = {{Funtastic Packers And Where To Find Them}}, date = {2021-01-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7}, language = {English}, urldate = {2021-01-21} } Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-06FBIFBI
@techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot
2021SecureworksSecureWorks
@online{secureworks:2021:threat:5afd502, author = {SecureWorks}, title = {{Threat Profile: GOLD LAGOON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD LAGOON
QakBot MALLARD SPIDER
2020-12-15HornetsecurityHornetsecurity Security Lab
@online{lab:20201215:qakbot:9397167, author = {Hornetsecurity Security Lab}, title = {{QakBot reducing its on disk artifacts}}, date = {2020-12-15}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/}, language = {English}, urldate = {2020-12-16} } QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-12-12Medium 0xthreatintel0xthreatintel
@online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } Reversing QakBot [ TLP: White]
QakBot
2020-12-09FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-03Recorded FutureInsikt Group®
@techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot
2020-12-02Red Canarytwitter (@redcanary)
@online{redcanary:20201202:increased:5db5dce, author = {twitter (@redcanary)}, title = {{Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware}}, date = {2020-12-02}, organization = {Red Canary}, url = {https://twitter.com/redcanary/status/1334224861628039169}, language = {English}, urldate = {2020-12-08} } Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01Group-IBGroup-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin
@techreport{groupib:20201201:egregor:37e5698, author = {Group-IB and Oleg Skulkin and Semyon Rogachev and Roman Rezvukhin}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2021-01-21} } Egregor ransomware: The legacy of Maze lives on
Egregor QakBot
2020-11-30FireEyeMitchell Clarke, Tom Hall
@techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27Fiducia & GAD IT AGFrank Boldewin
@techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-20Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} } The Locking Egregor
Egregor QakBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-12IntrinsecJean Bichet
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-10-29CERT-FRCERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-14CrowdStrikeThe Falcon Complete Team
@online{team:20201014:duck:d227846, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3}}, date = {2020-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/}, language = {English}, urldate = {2020-11-09} } Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
QakBot
2020-10-07CrowdStrikeThe Falcon Complete Team
@online{team:20201007:duck:69360c9, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2}}, date = {2020-10-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/}, language = {English}, urldate = {2020-10-12} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader
2020-10-01CrowdStrikeDylan Barker, Quinten Bowen, Ryan Campbell
@online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
QakBot MALLARD SPIDER
2020-09-29MicrosoftMicrosoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-10Group-IBOleg Skulkin, Semyon Rogachev
@online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} } Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-09-10QuoSec GmbHQuosec Blog
@online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_strings.html}, language = {English}, urldate = {2021-03-22} } grap: Automating QakBot strings decryption
QakBot
2020-09-04QuoSec GmbHQuosec Blog
@online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html}, language = {English}, urldate = {2021-03-22} } Navigating QakBot samples with grap
QakBot
2020-08-27CheckpointAlex Ilgayev
@online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
QakBot
2020-08-20MorphisecArnold Osipov
@online{osipov:20200820:qakbot:a7e14ef, author = {Arnold Osipov}, title = {{QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal}}, date = {2020-08-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques}, language = {English}, urldate = {2020-08-25} } QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
QakBot
2020-07-15N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } Deep Analysis of QBot Banking Trojan
QakBot
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-21Malware and StuffAndreas Klopsch
@online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } UpnP – Messing up Security since years
QakBot
2020-06-16HornetsecuritySecurity Lab
@online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-06-11F5 LabsDoron Voolf
@online{voolf:20200611:qbot:1bd9fe7, author = {Doron Voolf}, title = {{Qbot Banking Trojan Still Up to Its Old Tricks}}, date = {2020-06-11}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks}, language = {English}, urldate = {2020-06-16} } Qbot Banking Trojan Still Up to Its Old Tricks
QakBot
2020-05-05Malware and StuffAndreas Klopsch
@online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } An old enemy – Diving into QBot part 3
QakBot
2020-03-30Malware and StuffAndreas Klopsch
@online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } An old enemy – Diving into QBot part 1
QakBot
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-02-19FireEyeFireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-13Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200213:wireshark:3110e30, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Qakbot Infections}}, date = {2020-02-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/}, language = {English}, urldate = {2022-10-05} } Wireshark Tutorial: Examining Qakbot Infections
QakBot
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-03Youtube (BSides Belfast)Nick Summerlin, Jorge Rodriguez
@online{summerlin:20200103:demystifying:c0a1a19, author = {Nick Summerlin and Jorge Rodriguez}, title = {{Demystifying QBot Banking Trojan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=iB1psRMtlqg}, language = {English}, urldate = {2020-02-21} } Demystifying QBot Banking Trojan
QakBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:00ad0eb, author = {SecureWorks}, title = {{GOLD LAGOON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2020-05-23} } GOLD LAGOON
QakBot
2020University of MaltaSteve Borg
@online{borg:2020:memory:974bf75, author = {Steve Borg}, title = {{Memory Forensics of Qakbot}}, date = {2020}, organization = {University of Malta}, url = {https://www.um.edu.mt/library/oar/handle/123456789/76802}, language = {English}, urldate = {2021-06-24} } Memory Forensics of Qakbot
QakBot
2019-12-07SecureworksKevin O’Reilly, Keith Jarvis
@techreport{oreilly:20191207:endtoend:84340da, author = {Kevin O’Reilly and Keith Jarvis}, title = {{End-to-end Botnet Monitoring... Botconf 2019}}, date = {2019-12-07}, institution = {Secureworks}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf}, language = {English}, urldate = {2021-11-08} } End-to-end Botnet Monitoring... Botconf 2019
Emotet ISFB QakBot
2019-11-12Hatching.ioMarkel Picado
@online{picado:20191112:reversing:de8a8b6, author = {Markel Picado}, title = {{Reversing Qakbot}}, date = {2019-11-12}, organization = {Hatching.io}, url = {https://hatching.io/blog/reversing-qakbot}, language = {English}, urldate = {2020-01-07} } Reversing Qakbot
QakBot
2019-06-03VaronisDolev Taler, Eric Saraga
@online{taler:20190603:varonis:21ad52e, author = {Dolev Taler and Eric Saraga}, title = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}}, date = {2019-06-03}, organization = {Varonis}, url = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/}, language = {English}, urldate = {2020-01-05} } Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
QakBot
2019-05-02Cisco TalosAshlee Benge, Nick Randolph
@online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } Qakbot levels up with new obfuscation techniques
QakBot
2018-07-29Vitali Kremez BlogVitali Kremez
@online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
QakBot
2017-11-06MicrosoftMicrosoft Defender ATP Research Team
@online{team:20171106:mitigating:b623a70, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/}, language = {English}, urldate = {2020-10-23} } Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet QakBot
2017-06-02SecurityIntelligenceMike Oppenheim, Kevin Zuk, Matan Meir, Limor Kessem
@online{oppenheim:20170602:qakbot:ffff91a, author = {Mike Oppenheim and Kevin Zuk and Matan Meir and Limor Kessem}, title = {{QakBot Banking Trojan Causes Massive Active Directory Lockouts}}, date = {2017-06-02}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/}, language = {English}, urldate = {2020-01-10} } QakBot Banking Trojan Causes Massive Active Directory Lockouts
QakBot
2017-05-23ThreatVectorCylance Threat Research Team
@online{team:20170523:quakbot:3572c02, author = {Cylance Threat Research Team}, title = {{Quakbot}}, date = {2017-05-23}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html}, language = {English}, urldate = {2020-01-08} } Quakbot
QakBot
2016-08Intel SecuritySanchit Karve, Guilherme Venere, Mark Olea
@techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN
QakBot
2016-04-28Cisco TalosBen Baker
@online{baker:20160428:research:999032f, author = {Ben Baker}, title = {{Research Spotlight: The Resurgence of Qbot}}, date = {2016-04-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html}, language = {English}, urldate = {2021-03-04} } Research Spotlight: The Resurgence of Qbot
QakBot
2016-02-24Johannes Bader BlogJohannes Bader
@online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } The DGA of Qakbot.T
QakBot
2016BAE SystemsBAE Systems
@techreport{systems:2016:return:52c175d, author = {BAE Systems}, title = {{The Return of Qbot}}, date = {2016}, institution = {BAE Systems}, url = {https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf}, language = {English}, urldate = {2019-11-29} } The Return of Qbot
QakBot
2012SymantecNicolas Falliere
@techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } W32.Qakbot in Detail
QakBot
2011-05-25Contagio DumpMila Parkour
@online{parkour:20110525:w32qakbot:b814de0, author = {Mila Parkour}, title = {{W32.Qakbot aka W32/Pinkslipbot or infostealer worm}}, date = {2011-05-25}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/11/template.html}, language = {English}, urldate = {2019-11-21} } W32.Qakbot aka W32/Pinkslipbot or infostealer worm
QakBot
Yara Rules
[TLP:WHITE] win_qakbot_auto (20221125 | Detects win.qakbot.)
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.qakbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c9 c3 55 8bec 81ecc4090000 }
            // n = 5, score = 5500
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecc4090000         | sub                 esp, 0x9c4

        $sequence_1 = { 50 e8???????? 8b06 47 }
            // n = 4, score = 5400
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi

        $sequence_2 = { 33c0 7402 ebfa e8???????? }
            // n = 4, score = 5400
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e8????????           |                     

        $sequence_3 = { 740d 8d45fc 6a00 50 e8???????? 59 59 }
            // n = 7, score = 5400
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_4 = { ebfa eb06 33c0 7402 }
            // n = 4, score = 5200
            //   ebfa                 | jmp                 0xfffffffc
            //   eb06                 | jmp                 8
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_5 = { 7402 ebfa 33c0 7402 }
            // n = 4, score = 5200
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_6 = { e8???????? 83c410 33c0 7402 }
            // n = 4, score = 4600
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_7 = { 7cef eb10 c644301c00 ff465c 8b465c 83f838 7cf0 }
            // n = 7, score = 4300
            //   7cef                 | jl                  0xfffffff1
            //   eb10                 | jmp                 0x12
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f838               | cmp                 eax, 0x38
            //   7cf0                 | jl                  0xfffffff2

        $sequence_8 = { eb0b c644301c00 ff465c 8b465c 83f840 7cf0 }
            // n = 6, score = 4300
            //   eb0b                 | jmp                 0xd
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f840               | cmp                 eax, 0x40
            //   7cf0                 | jl                  0xfffffff2

        $sequence_9 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 4300
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_10 = { 85c0 750a 33c0 7402 }
            // n = 4, score = 4300
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_11 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 4100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_12 = { 85c0 750c 57 ff15???????? 6afe 58 }
            // n = 6, score = 3900
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2
            //   58                   | pop                 eax

        $sequence_13 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3900
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        $sequence_14 = { 7402 ebfa e9???????? 6a00 }
            // n = 4, score = 3900
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e9????????           |                     
            //   6a00                 | push                0

        $sequence_15 = { 7507 c74508???????? e8???????? 85c0 }
            // n = 4, score = 3900
            //   7507                 | jne                 9
            //   c74508????????       |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_16 = { 6a02 ff15???????? 8bf8 83c8ff }
            // n = 4, score = 3900
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_17 = { 6a00 58 0f95c0 40 50 }
            // n = 5, score = 3700
            //   6a00                 | push                0
            //   58                   | pop                 eax
            //   0f95c0               | setne               al
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_18 = { 817de8ffffff7f 7506 837dec00 740f 817de800000080 }
            // n = 5, score = 3600
            //   817de8ffffff7f       | cmp                 dword ptr [ebp - 0x18], 0x7fffffff
            //   7506                 | jne                 8
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   740f                 | je                  0x11
            //   817de800000080       | cmp                 dword ptr [ebp - 0x18], 0x80000000

        $sequence_19 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 3500
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_20 = { 7412 8d85d8feffff 50 57 ff15???????? 85c0 }
            // n = 6, score = 3500
            //   7412                 | je                  0x14
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_21 = { 01c1 81e1ffff0000 83c101 8b442474 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   83c101               | add                 ecx, 1
            //   8b442474             | mov                 eax, dword ptr [esp + 0x74]

        $sequence_22 = { 01c1 894c2404 8b442404 8d65fc }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   8d65fc               | lea                 esp, [ebp - 4]

        $sequence_23 = { 00e9 8b55e4 880c1a 8a4df3 }
            // n = 4, score = 100
            //   00e9                 | add                 cl, ch
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   880c1a               | mov                 byte ptr [edx + ebx], cl
            //   8a4df3               | mov                 cl, byte ptr [ebp - 0xd]

        $sequence_24 = { 01c1 894c2430 e9???????? 55 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx
            //   e9????????           |                     
            //   55                   | push                ebp

        $sequence_25 = { 00ca 66897c2446 31f6 8974244c }
            // n = 4, score = 100
            //   00ca                 | add                 dl, cl
            //   66897c2446           | mov                 word ptr [esp + 0x46], di
            //   31f6                 | xor                 esi, esi
            //   8974244c             | mov                 dword ptr [esp + 0x4c], esi

        $sequence_26 = { 01c1 8b442448 01c8 8944243c }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   01c8                 | add                 eax, ecx
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_27 = { 00e9 884c0451 83c001 39d0 }
            // n = 4, score = 100
            //   00e9                 | add                 cl, ch
            //   884c0451             | mov                 byte ptr [esp + eax + 0x51], cl
            //   83c001               | add                 eax, 1
            //   39d0                 | cmp                 eax, edx

        $sequence_28 = { 01c1 21d1 8a442465 f6642465 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   21d1                 | and                 ecx, edx
            //   8a442465             | mov                 al, byte ptr [esp + 0x65]
            //   f6642465             | mul                 byte ptr [esp + 0x65]

    condition:
        7 of them and filesize < 958464
}
Download all Yara Rules