win.qakbot


aka: Oakboat, Pinkslipbot, Qbot, Quakbot

Actor(s): GOLD CABIN


QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.

2024-05-26ZW01fMohamed Ezat
QakBOT v5 Deep Malware Analysis
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot
2024-05-15X (@bryceabdo)Bryce Abdo
Tweet on UNC5449 exploiting CVE-2024-30051 to deliver QAKBOT
2024-05-14KasperskyBoris Larin, Mert Degirmenci
QakBot attacks with Windows zero-day (CVE-2024-30051)
Cobalt Strike QakBot
2024-04-24kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Qakbot 5.0 – Decrypt strings and configuration
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2024-02-21YouTube (Invoke RE)Josh Reynolds
Analyzing Qakbot Using Binary Ninja Automation Part 3
2024-02-21Invoke REJosh Reynolds
Automating Qakbot Malware Analysis with Binary Ninja
2024-02-16Malcatmalcat team
Writing a Qakbot 5.0 config extractor with Malcat
2024-02-09CensysCensys, Embee_research
A Beginners Guide to Tracking Malware Infrastructure
AsyncRAT BianLian Cobalt Strike QakBot
2024-02-09YouTube (Invoke RE)Josh Reynolds
Analyzing and Unpacking Qakbot Using Binary Ninja Automation Part 2
2024-01-31ZscalerJavier Vicente
Tracking 15 Years of Qakbot Development
2024-01-23YouTube (Invoke RE)Josh Reynolds
Analyzing and Unpacking Qakbot using Binary Ninja Automation
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-12YouTube (BSides Cambridge UK)Cian Heasley
Slipping The Net: Qakbot, Emotet And Defense Evasion
Emotet QakBot
2024-01-04K7 SecuritySaikumaravel
Qakbot Returns
2023-12-05YouTube (SecureWorks)Austin Graham
Emulating Qakbot with Austin Graham
2023-11-30Twitter (@embee_research)Embee_research
Advanced Threat Intel Queries - Catching 83 Qakbot Servers with Regex, Censys and TLS Certificates
2023-11-22Twitter (@embee_research)Embee_research
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)
BianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos
2023-11-20CofenseDylan Duncan
Are DarkGate and PikaBot the new QakBot?
DarkGate Pikabot QakBot
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-10-05TalosGuilherme Venere
Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown
2023-09-11Github (m4now4r)m4n0w4r
Unveiling Qakbot Exploring one of the Most Active Threat Actors
2023-08-29The Shadowserver FoundationShadowserver Foundation
Qakbot Botnet Disruption
2023-08-29US Department of JusticeUS Department of Justice
Qakbot Malware Disrupted in International Cyber Takedown
2023-08-29SecureworksCounter Threat Unit ResearchTeam
Law Enforcement Takes Down QakBot
2023-08-29US Department of JusticeDepartment of Justice
Documents and Resources related to the Disruption of the QakBot Malware and Botnet
FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown
2023-08-29KrebsOnSecurityBrian Krebs
U.S. Hacks QakBot, Quietly Removes Botnet Infections
2023-08-29SpamhausSpamhaus Team
Qakbot - the takedown and the remediation
2023-08-23Department of JusticeUnited States District Court for the Central District of California
Application and Affidavit for a Seizure Warrant by Telephone or other Reliable Electronic Means
2023-08-21Department of JusticeUnited States District Court for the Central District of California
Application for a Warrant by Telephone or other reliable Electronic Means
2023-08-07Team CymruS2 Research Team
Visualizing Qakbot Infrastructure Part II: Uncharted Territory
2023-07-31d01aMohamed Adel
Pikabot deep analysis
Pikabot QakBot
2023-07-28Red CanaryStef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE QakBot
2023-07-28YouTube (SANS Cyber Defense)Stef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE QakBot
2023-07-25ZscalerMeghraj Nandanwar, Pradeep Mahato, Satyam Singh
Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-06-01LumenBlack Lotus Labs
Qakbot: Retool, Reinfect, Recycle
2023-05-21Github (0xThiebaut)Maxime Thiebaut
IcedID QakBot
2023-05-17Team CymruTeam Cymru
Visualizing QakBot Infrastructure
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-18Rapid7 LabsMatt Green
Automating Qakbot Detection at Scale With Velociraptor
2023-04-13SublimeSam Scholten
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction
2023-04-12loginsoftBhargav koduru
Maximizing Threat Detections of Qakbot with Osquery
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-10Check PointCheck Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-04-05velociraptorMatt Green
Automating Qakbot Decode At Scale
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
Bypassing Qakbot Anti-Analysis
QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot
2023-03-07TrellixAlejandro Houspanossian, John Fokker, Mathanraj Thangaraju, Pham Duy Phuc, Raghav Kapoor
Qakbot Evolves to OneNote Malware Distribution
2023-03-02NetresecErik Hjelmvik
QakBot C2 Traffic
2023-03-02Youtube (Microsoft Security Response Center (MSRC))Ben Magee, Daniel Taylor
BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-24Medium walmartglobaltechJason Reaves, Jonathan Mccay, Joshua Platt, Kirk Sayre
Qbot testing malvertising campaigns?
The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods
2023-02-14DSIHCharles Blanc-Rolin
Comment Qbot revient en force avec OneNote ?
2023-02-06SophosAndrew Brandt
Qakbot mechanizes distribution of malicious OneNote notebooks
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-19CiscoGuilherme Venere
Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2023-01-12EclecticIQEclecticIQ Threat Research Team
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
2022-12-28Micah Babinski
HTML Smuggling Detection
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-12-02Github (binref)Jesko Hüttenhain
The Refinery Files 0x06: Qakbot Decoder
2022-12-01splunkSplunk Threat Research Team
From Macros to No Macros: Continuous Malware Improvements by QakBot
2022-11-30Tidal Cyber Inc.Scott Small
Identifying and Defending Against QakBot's Evolving TTPs
2022-11-23CybereasonCybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot
2022-11-14Twitter (@embee_research)Matthew
Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot
2022-11-10IntezerNicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-10-31Security homeworkChristophe Rieunier
QakBot CCs prioritization and new record types
2022-10-31CynetMax Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-13SyrionRaffaele Sabato
QAKBOT BB Configuration and C2 IPs List
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-09-06ZscalerBrett Stone-Gross
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot
2022-09-01Trend MicroTrend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-24TrellixAdithya Chandra, Sushant Kumar Arya
Demystifying Qbot Malware
2022-08-24ElasticCyril François
QBOT Malware Analysis
2022-07-27ElasticCyril François, Derek Ditch
QBOT Configuration Extractor
2022-07-27ElasticAndrew Pease, Cyril François, Seth Goodwin
Exploring the QBOT Attack Pattern
2022-07-27cybleCyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-24Bleeping ComputerBill Toulas
QBot phishing uses Windows Calculator sideloading to infect devices
2022-07-19FortinetXiaopeng Zhang
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-12ZscalerAditya Sharma, Tarun Dewan
Rise in Qakbot attacks traced to evolving threat techniques
2022-07-07FortinetErin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-07-05Soc InvestigationPriyadharshini Balaji
QBot Spreads via LNK Files – Detection & Response
2022-06-30Trend MicroEmmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-21McAfeeLakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-06-17Github (NtQuerySystemInformation)Twitter (@kasua02)
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
2022-06-09InfoSec Handlers Diary BlogBrad Duncan
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-19Trend MicroAdolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-20SANS ISCBrad Duncan
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-04-17MalwarologyGaetano Pellegrino
Qakbot Series: API Hashing
2022-04-16MalwarologyGaetano Pellegrino
Qakbot Series: Process Injection
2022-04-13MalwarologyGaetano Pellegrino
Qakbot Series: Configuration Extraction
2022-04-12Tech TimesJoseph Henry
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
2022-04-11Bleeping ComputerSergiu Gatlan
Qbot malware switches to new Windows Installer infection vector
2022-04-10MalwarologyGaetano Pellegrino
Qakbot Series: String Obfuscation
2022-03-31nccgroupAlex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-25SANS ISCXavier Mertens
XLSB Files: Because Binary is Stealthier Than XML
2022-03-17Trend MicroTrend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-16SANS ISCBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-03-16InfoSec Handlers Diary BlogBrad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot
2022-02-26LinkedIn (Zayed AlJaberi)Zayed AlJaberi
Hunting Recent QakBot Malware
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2022-02-24The Hacker NewsRavie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-21The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot
2022-02-16SOC PrimeAlla Yurchenko
QBot Malware Detection: Old Dog New Tricks
2022-02-10CybereasonCybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot
2022-02-08BleepingComputerBill Toulas
Qbot needs only 30 minutes to steal your credentials, emails
2022-02-07The DFIR ReportThe DFIR Report
Qbot Likes to Move It, Move It
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2022-01-18Recorded FutureInsikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-15Atomic Matryoshkaz3r0day_504
Malware Headliners: Qakbot
2022-01-13TrustwaveLloyd Macrohon, Rodel Mendrez
Decrypting Qakbot’s Encrypted Registry Keys
2022-01-11CybereasonChen Erlich, Daichi Shimabukuro, Niv Yona, Ofir Ozer, Omri Refaeli
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
2021-12-17Trend MicroAbraham Camba, Gilbert Sison, Jay Yaneza, Jonna Santos
Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
2021-12-16Red CanaryThe Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle
2021-12-11YouTube (AGDC Services)AGDC Services
How To Extract & Decrypt Qbot Configs Across Variants
2021-12-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team
A closer look at Qakbot’s latest building blocks (and how to knock them down)
2021-11-21Twitter (@tylabs)Twitter (@ffforward), Tyler McLellan
Twitter Thread about UNC1500 phishing using QAKBOT
2021-11-19Trend MicroAbdelrhman Sharshar, Mohamed Fahmy, Sherif Magdy
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle
2021-11-18Red CanaryThe Red Canary Team
Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle
2021-11-17Twitter (@Unit42_Intel)Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot
2021-11-16Twitter (@kienbigmummy)m4n0w4r
Tweet on short analysis of QakBot
2021-11-15TRUESECFabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot
2021-11-13Trend MicroIan Kenefick, Vladimir Kropotov
QAKBOT Loader Returns With New Techniques and Tools
2021-11-13YouTube (AGDC Services)AGDC Services
Automate Qbot Malware String Decryption With Ghidra Script
2021-11-12Recorded FutureInsikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-12Trend MicroIan Kenefick, Vladimir Kropotov
The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
2021-11-11CynetMax Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot
2021-11-11vmwareGiovanni Vigna, Jason Zhang, Stefano Ortolani, Threat Analysis Unit
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
2021-11-09MinervaLabsMinerva Labs
A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle
2021-11-03Team Cymrutcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-11-03Twitter (@Corvid_Cyber)CORVID
Tweet on a unique Qbot debugger dropped by an actor after compromise
2021-10-26Cisco TalosEdmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
2021-10-07NetskopeGhanashyam Satpathy, Gustavo Palazolo
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle
2021-09-03IBMAndrew Gorecki, Camille Singleton, John Dwyer
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-09-02KasperskyAnton Kuzmenko, Haim Zigel, Oleg Kupreev
QakBot Technical Analysis
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05Group-IBNikita Rostovcev, Viktor Okorokov
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-08-05The RecordCatalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-07-30HPPatrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-240ffset BlogDaniel Bunce
Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
2021-06-24KasperskyAnton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot
2021-06-16ProofpointDaniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-06-16Twitter (@ChouchWard)ch0uch ward
Tweet on Qbot operators left their web server's access.log file unsecured
2021-06-16S2 GrupoCSIRT-CV (the ICT Security Center of the Valencian Community)
Emotet campaign analysis
Emotet QakBot
2021-06-15Perception PointShai Golderman
Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
2021-06-10ZAYOTEMAbdulkadir Binan, Emrah Sarıdağ, Emre Doğan, İlker Verimoğlu, Kaan Binen
QakBot Technical Analysis Report
2021-06-08Advanced IntelligenceVitali Kremez, Yelisey Boguslavskiy
From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil
2021-06-02Bleeping ComputerLawrence Abrams
FUJIFILM shuts down network after suspected ransomware attack
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-04Seguranca InformaticaPedro Tavares
A taste of the latest release of QakBot
2021-04-30MADRID LabsOdin Bernstein
Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
2021-04-28Reversing LabsKarlo Zanki
Spotting malicious Excel4 macros
2021-04-28IBMDavid Bisson
QBot Malware Spotted Using Windows Defender Antivirus Lure
2021-04-19Twitter (@_alex_il_)Alex Ilgayev
Tweet on QakBot's additional decryption mechanism
2021-04-15AT&TDax Morrow, Ofer Caspi
The rise of QakBot
2021-04-13Silent PushMartijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-12Twitter (@elisalem9)Eli Salem
Tweets on QakBot
2021-04-06Intel 471Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-03-31Red CanaryRed Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-26Trend MicroTrend Micro
Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot
2021-03-18VinCSSm4n0w4r, Tran Trung Kien
[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Twitter (@TheDFIRReport)The DFIR Report
Tweet on Qakbot post infection discovery activity
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Medium elis531989Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot
Threat Profile: GOLD LAGOON
2020-12-15HornetsecurityHornetsecurity Security Lab
QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot
2020-12-12Medium 0xthreatintel0xthreatintel
Reversing QakBot [ TLP: White]
2020-12-09InfoSec Handlers Diary BlogBrad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot
2020-12-09FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil
2020-12-03Recorded FutureInsikt Group®
Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot
2020-12-02Red Canarytwitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot
2020-12-01Group-IBGroup-IB, Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Egregor ransomware: The legacy of Maze lives on
Egregor QakBot
2020-11-30FireEyeMitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil
2020-11-27Fiducia & GAD IT AGFrank Boldewin
When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-26CybereasonCybereason Nocturnus, Lior Rochberger
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
The Locking Egregor
Egregor QakBot
2020-11-12IntrinsecJean Bichet
Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
Dridex Emotet ISFB QakBot
2020-10-14CrowdStrikeThe Falcon Complete Team
Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
2020-10-07CrowdStrikeThe Falcon Complete Team
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader
2020-10-01CrowdStrikeDylan Barker, Quinten Bowen, Ryan Campbell
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-10Group-IBOleg Skulkin, Semyon Rogachev
Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-09-10QuoSec GmbHQuosec Blog
grap: Automating QakBot strings decryption
2020-09-04QuoSec GmbHQuosec Blog
Navigating QakBot samples with grap
2020-08-27CheckpointAlex Ilgayev
An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
2020-08-20MorphisecArnold Osipov
QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
2020-07-15N1ght-W0lf BlogAbdallah Elshinbary
Deep Analysis of QBot Banking Trojan
2020-06-24MorphisecArnold Osipov
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-21Malware and StuffAndreas Klopsch
UpnP – Messing up Security since years
2020-06-16HornetsecuritySecurity Lab
QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-06-11F5 LabsDoron Voolf
Qbot Banking Trojan Still Up to Its Old Tricks
2020-05-05Malware and StuffAndreas Klopsch
An old enemy – Diving into QBot part 3
2020-03-30Malware and StuffAndreas Klopsch
An old enemy – Diving into QBot part 1
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-13Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Qakbot Infections
2020-02-10MalwarebytesAdam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter Arntz, Thomas Reed, Wendy Zamora
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-03Youtube (BSides Belfast)Jorge Rodriguez, Nick Summerlin
Demystifying QBot Banking Trojan
2020-01-01University of MaltaSteve Borg
Memory Forensics of Qakbot
2019-12-07SecureworksKeith Jarvis, Kevin O’Reilly
End-to-end Botnet Monitoring... Botconf 2019
Emotet ISFB QakBot
2019-11-12Hatching.ioMarkel Picado
Reversing Qakbot
2019-06-03VaronisDolev Taler, Eric Saraga
Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
2019-05-02Cisco TalosAshlee Benge, Nick Randolph
Qakbot levels up with new obfuscation techniques
2018-07-29Vitali Kremez BlogVitali Kremez
Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
2017-11-06MicrosoftMicrosoft Defender ATP Research Team
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet QakBot
2017-06-02 ⋅ SecurityIntelligence ⋅ Kevin Zuk, Limor Kessem, Matan Meir, Mike Oppenheim
QakBot Banking Trojan Causes Massive Active Directory Lockouts
2017-05-23 ⋅ ThreatVector ⋅ Cylance Threat Research Team
2016-08-01 ⋅ Intel Security ⋅ Guilherme Venere, Mark Olea, Sanchit Karve
2016-04-28 ⋅ Cisco Talos ⋅ Ben Baker
Research Spotlight: The Resurgence of Qbot
2016-02-24 ⋅ Johannes Bader Blog ⋅ Johannes Bader
The DGA of Qakbot.T
2016-01-01 ⋅ BAE Systems ⋅ BAE Systems
The Return of Qbot
2012-01-01 ⋅ Symantec ⋅ Nicolas Falliere
W32.Qakbot in Detail
2011-12-11 ⋅ Open Security Research ⋅ Michael G. Spohn.
Intro. To Reversing - W32Pinkslipbot
2011-05-25 ⋅ Contagio Dump ⋅ Mila Parkour
W32.Qakbot aka W32/Pinkslipbot or infostealer worm
2010-10-25 ⋅ RSA ⋅ RSA FraudAction Research Labs
Businesses Beware: Qakbot Spreads like a Worm, Stings like a Trojan
2010-05-11 ⋅ Symantec ⋅ Shunichi Imano
Qakbot, Data Thief Unmasked: Part I
2010-04-22 ⋅ Symantec ⋅ Patrick Fitzgerald
Qakbot Steals 2GB of Confidential Data per Week
2009-12-22 ⋅ Symantec ⋅ John McDonald, Masaki Suenaga, Takayoshi Nakayama
Qakbot, Data Thief Unmasked: Part II
2009-05-07 ⋅ Symantec ⋅ Angela Thigpen, Eric Chien
Yara Rules
[TLP:WHITE] win_qakbot_auto (20230808 | Detects win.qakbot.)
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.qakbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c9 c3 55 8bec 81ecc4090000 }
            // n = 5, score = 15700
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecc4090000         | sub                 esp, 0x9c4

        $sequence_1 = { 33c0 7402 ebfa e8???????? }
            // n = 4, score = 15500
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e8????????           |                     

        $sequence_2 = { 7402 ebfa 33c0 7402 }
            // n = 4, score = 15400
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_3 = { 7402 ebfa eb06 33c0 }
            // n = 4, score = 14900
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   eb06                 | jmp                 8
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { e8???????? 33c9 85c0 0f9fc1 41 }
            // n = 5, score = 14800
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax
            //   0f9fc1               | setg                cl
            //   41                   | inc                 ecx

        $sequence_5 = { 50 e8???????? 8b06 47 59 }
            // n = 5, score = 14400
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi
            //   59                   | pop                 ecx

        $sequence_6 = { 8d45fc 6aff 50 e8???????? }
            // n = 4, score = 14100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 59 59 33c0 7402 }
            // n = 4, score = 13900
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_8 = { e8???????? 59 59 6afb e9???????? }
            // n = 5, score = 13800
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   6afb                 | push                -5
            //   e9????????           |                     

        $sequence_9 = { 740d 8d45fc 6a00 50 }
            // n = 4, score = 13700
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_10 = { 50 8d8534f6ffff 6a00 50 e8???????? }
            // n = 5, score = 13700
            //   50                   | push                eax
            //   8d8534f6ffff         | lea                 eax, [ebp - 0x9cc]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_11 = { 8945fc e8???????? 8bf0 8d45fc 50 e8???????? }
            // n = 6, score = 13500
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_12 = { 33c0 e9???????? 33c0 7402 }
            // n = 4, score = 13400
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_13 = { 7402 ebfa e9???????? 6a00 }
            // n = 4, score = 13200
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e9????????           |                     
            //   6a00                 | push                0

        $sequence_14 = { 8975f8 8975f0 8975f4 e8???????? }
            // n = 4, score = 13200
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   e8????????           |                     

        $sequence_15 = { eb0b c644301c00 ff465c 8b465c 83f840 7cf0 }
            // n = 6, score = 13000
            //   eb0b                 | jmp                 0xd
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f840               | cmp                 eax, 0x40
            //   7cf0                 | jl                  0xfffffff2

        $sequence_16 = { 7cef eb10 c644301c00 ff465c 8b465c 83f838 }
            // n = 6, score = 13000
            //   7cef                 | jl                  0xfffffff1
            //   eb10                 | jmp                 0x12
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   8b465c               | mov                 eax, dword ptr [esi + 0x5c]
            //   83f838               | cmp                 eax, 0x38

        $sequence_17 = { e8???????? 83c410 33c0 7402 }
            // n = 4, score = 12800
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_18 = { 85c0 750a 33c0 7402 }
            // n = 4, score = 12700
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_19 = { c644061c00 ff465c 837e5c38 7cef eb10 c644301c00 }
            // n = 6, score = 12700
            //   c644061c00           | mov                 byte ptr [esi + eax + 0x1c], 0
            //   ff465c               | inc                 dword ptr [esi + 0x5c]
            //   837e5c38             | cmp                 dword ptr [esi + 0x5c], 0x38
            //   7cef                 | jl                  0xfffffff1
            //   eb10                 | jmp                 0x12
            //   c644301c00           | mov                 byte ptr [eax + esi + 0x1c], 0

        $sequence_20 = { 7507 c7466401000000 83f840 7507 }
            // n = 4, score = 12400
            //   7507                 | jne                 9
            //   c7466401000000       | mov                 dword ptr [esi + 0x64], 1
            //   83f840               | cmp                 eax, 0x40
            //   7507                 | jne                 9

        $sequence_21 = { 837dfc00 750b 33c0 7402 }
            // n = 4, score = 12300
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   750b                 | jne                 0xd
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_22 = { e8???????? e8???????? 33c0 7402 }
            // n = 4, score = 12300
            //   e8????????           |                     
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_23 = { 833d????????00 7508 33c0 7402 }
            // n = 4, score = 12100
            //   833d????????00       |                     
            //   7508                 | jne                 0xa
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_24 = { c7466001000000 33c0 40 5e }
            // n = 4, score = 11900
            //   c7466001000000       | mov                 dword ptr [esi + 0x60], 1
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5e                   | pop                 esi

        $sequence_25 = { 7402 ebfa 837d1000 7408 }
            // n = 4, score = 11600
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7408                 | je                  0xa

        $sequence_26 = { 80ea80 8855f0 e8???????? 0fb64df7 }
            // n = 4, score = 11600
            //   80ea80               | sub                 dl, 0x80
            //   8855f0               | mov                 byte ptr [ebp - 0x10], dl
            //   e8????????           |                     
            //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]

        $sequence_27 = { 50 8d45d8 50 8d45d4 50 8d45ec }
            // n = 6, score = 9500
            //   50                   | push                eax
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        $sequence_28 = { 56 e8???????? 8b45fc 83c40c 40 }
            // n = 5, score = 9500
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c40c               | add                 esp, 0xc
            //   40                   | inc                 eax

        $sequence_29 = { 6a00 6800600900 6a00 ff15???????? }
            // n = 4, score = 8800
            //   6a00                 | push                0
            //   6800600900           | push                0x96000
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_30 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 6300
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_31 = { 6a00 58 0f95c0 40 50 }
            // n = 5, score = 5800
            //   6a00                 | push                0
            //   58                   | pop                 eax
            //   0f95c0               | setne               al
            //   40                   | inc                 eax
            //   50                   | push                eax

        $sequence_32 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 5200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_33 = { 750c 57 ff15???????? 6afe 58 }
            // n = 5, score = 5200
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2
            //   58                   | pop                 eax

        $sequence_34 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 5200
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        $sequence_35 = { 6a02 ff15???????? 8bf8 83c8ff }
            // n = 4, score = 5000
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_36 = { 50 e8???????? 6a40 8d4590 }
            // n = 4, score = 4500
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a40                 | push                0x40
            //   8d4590               | lea                 eax, [ebp - 0x70]

        $sequence_37 = { 8d85e4fcffff 50 8d85e4fdffff 50 }
            // n = 4, score = 4300
            //   8d85e4fcffff         | lea                 eax, [ebp - 0x31c]
            //   50                   | push                eax
            //   8d85e4fdffff         | lea                 eax, [ebp - 0x21c]
            //   50                   | push                eax

        $sequence_38 = { 56 e8???????? 83c40c 8d4514 50 }
            // n = 5, score = 4000
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   50                   | push                eax

        $sequence_39 = { e8???????? 6a00 8d45d4 50 68???????? }
            // n = 5, score = 500
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_40 = { 5d c3 33c9 66890c46 }
            // n = 4, score = 300
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   66890c46             | mov                 word ptr [esi + eax*2], cx

        $sequence_41 = { 8b4a04 83c204 03f0 85c9 75e1 }
            // n = 5, score = 100
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   83c204               | add                 edx, 4
            //   03f0                 | add                 esi, eax
            //   85c9                 | test                ecx, ecx
            //   75e1                 | jne                 0xffffffe3

        $sequence_42 = { 01f1 898424a8000000 899424ac000000 8d8424b4000000 89c2 8db424c4000000 }
            // n = 6, score = 100
            //   01f1                 | add                 ecx, esi
            //   898424a8000000       | mov                 dword ptr [esp + 0xa8], eax
            //   899424ac000000       | mov                 dword ptr [esp + 0xac], edx
            //   8d8424b4000000       | lea                 eax, [esp + 0xb4]
            //   89c2                 | mov                 edx, eax
            //   8db424c4000000       | lea                 esi, [esp + 0xc4]

        $sequence_43 = { 8a442417 8b4c2410 0485 88440c66 89ca 83c201 }
            // n = 6, score = 100
            //   8a442417             | mov                 al, byte ptr [esp + 0x17]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   0485                 | add                 al, 0x85
            //   88440c66             | mov                 byte ptr [esp + ecx + 0x66], al
            //   89ca                 | mov                 edx, ecx
            //   83c201               | add                 edx, 1

        $sequence_44 = { ffd3 85ff 741b 6808020000 6a00 }
            // n = 5, score = 100
            //   ffd3                 | call                ebx
            //   85ff                 | test                edi, edi
            //   741b                 | je                  0x1d
            //   6808020000           | push                0x208
            //   6a00                 | push                0

        $sequence_45 = { 88442401 894c245c 0f847afdffff e9???????? }
            // n = 4, score = 100
            //   88442401             | mov                 byte ptr [esp + 1], al
            //   894c245c             | mov                 dword ptr [esp + 0x5c], ecx
            //   0f847afdffff         | je                  0xfffffd80
            //   e9????????           |                     

        $sequence_46 = { 89442410 884c2417 eb94 55 89e5 31c0 }
            // n = 6, score = 100
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   884c2417             | mov                 byte ptr [esp + 0x17], cl
            //   eb94                 | jmp                 0xffffff96
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   31c0                 | xor                 eax, eax

        $sequence_47 = { 8945fc 8b4518 53 8b5d10 56 8945c4 }
            // n = 6, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   56                   | push                esi
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax

        $sequence_48 = { 8b742420 81c638a1e7c3 39f0 89442410 894c240c 89542408 7408 }
            // n = 7, score = 100
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   81c638a1e7c3         | add                 esi, 0xc3e7a138
            //   39f0                 | cmp                 eax, esi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   89542408             | mov                 dword ptr [esp + 8], edx
            //   7408                 | je                  0xa

        $sequence_49 = { 8b74242c bb3c13b648 f7e3 69f63c13b648 01f2 89442428 8954242c }
            // n = 7, score = 100
            //   8b74242c             | mov                 esi, dword ptr [esp + 0x2c]
            //   bb3c13b648           | mov                 ebx, 0x48b6133c
            //   f7e3                 | mul                 ebx
            //   69f63c13b648         | imul                esi, esi, 0x48b6133c
            //   01f2                 | add                 edx, esi
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx

        $sequence_50 = { 8b4c2444 ffd1 83ec08 b901000000 ba66000000 31ff 89c3 }
            // n = 7, score = 100
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]
            //   ffd1                 | call                ecx
            //   83ec08               | sub                 esp, 8
            //   b901000000           | mov                 ecx, 1
            //   ba66000000           | mov                 edx, 0x66
            //   31ff                 | xor                 edi, edi
            //   89c3                 | mov                 ebx, eax

        $sequence_51 = { 89e0 89580c bb04000000 895808 8b5c246c 895804 8b9c2480000000 }
            // n = 7, score = 100
            //   89e0                 | mov                 eax, esp
            //   89580c               | mov                 dword ptr [eax + 0xc], ebx
            //   bb04000000           | mov                 ebx, 4
            //   895808               | mov                 dword ptr [eax + 8], ebx
            //   8b5c246c             | mov                 ebx, dword ptr [esp + 0x6c]
            //   895804               | mov                 dword ptr [eax + 4], ebx
            //   8b9c2480000000       | mov                 ebx, dword ptr [esp + 0x80]

        $sequence_52 = { 8bf0 83c40c 85f6 0f84f8000000 a1???????? }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f84f8000000         | je                  0xfe
            //   a1????????           |                     

    condition:
        7 of them and filesize < 4883456
}