QakBot
Also known as: Oakboat · Pinkslipbot · Qbot · Quakbot
2 YARA rules
QBot is a modular information stealer, also known as Qakbot or Pinkslipbot, that has been active since 2007. It has historically been classified as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses its C2 servers to select targets and deliver additional payloads.
Indicators of Compromise (15)
Filename   AutoPico.exe
Filename   SECOH-QAD.exe
Filename   SignInfoConsole.exe
Filename   VID001.exe
Filename   u992574.dll
MD5        2915b3f8b703eb744fc54c81f4a9c67f
MD5        38de5b216c33833af710e88f7f64fc98
MD5        41acb30b9d662d48b7b4fc0ac3d4b79f
MD5        cc4d231df34e57f59eb970353c7d9de2
MD5        dbd8dbecaa80795c135137d69921fdba
SHA-256    853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453
SHA-256    9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
SHA-256    9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA-256    afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
SHA-256    e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
MITRE ATT&CK TTPs 2
YARA Detection Rules
QakBot_YARA_Detection (yara, ai_generated)
import "pe"

rule QakBot_Detection {
    meta:
        description = "Detects QakBot malware through behavioral patterns related to COM object manipulation and lateral movement via DCOM"
        author = "AI Generated"
    strings:
        $s1 = "CoCreateInstance" ascii wide
        $s2 = "CLSID\\" ascii wide
        $s3 = "IID_" ascii wide
        $s4 = "RpcBinding" ascii wide
        $s5 = "TaskScheduler" ascii wide
        $s6 = "BITSAdmin" ascii wide
        $s7 = "\\pipe\\lsarpc" ascii wide
        $s8 = "Winmgmt" ascii wide
        $s9 = "CreateInstance" ascii wide
        $s10 = "IUnknown" ascii wide
        $s11 = "CoInitialize" ascii wide
        $s12 = "CoUninitialize" ascii wide
        $s13 = "OpenSCManager" ascii wide
        $s14 = "CreateService" ascii wide
        $s15 = "StartService" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        any of ($s1, $s2, $s3) and
        any of ($s4, $s5, $s6, $s7, $s8) and
        any of ($s9, $s10, $s11, $s12) and
        any of ($s13, $s14, $s15) and
        // Ensure COM-related APIs are used in context of DCOM or service manipulation.
        // The imphash values below are placeholders carried over from the generated
        // rule, not hashes of real QakBot samples. Replace them with validated values
        // or drop the clause: as written, "pe.number_of_imports > 5" is true for
        // almost any COM-using PE, so this rule has a high false-positive rate.
        (pe.imphash() matches /^(00000000000000000000000000000000|7a1f3a8b1b1c1d1e1f1a1b1c1d1e1f1a)$/ or
         pe.number_of_imports > 5) and
        // Exclude known clean imphashes if applicable (also placeholder values).
        not (pe.imphash() matches /^(3d8e2f7a8b1b1c1d1e1f1a1b1c1d1e1f|4e3d2c1b1a1f1e1d1c1b1a1f1e1d1c1b)$/)
}
QakBot_YARA_Detection (yara, ai_generated)
import "hash"

// Renamed from QakBot_Detection so that both rules on this page can be compiled
// into one ruleset without a duplicate identifier error.
rule QakBot_Detection_IoC {
    meta:
        description = "Detects QakBot malware leveraging COM abuse and known behavioral indicators"
        author = "AI Generated"
    strings:
        $s1 = "CoCreateInstance" ascii wide
        // Quoted YARA strings are matched literally, so the original "CLSID\\{.*}" and
        // "IID_.*" only matched those exact characters; they are regexes here.
        $s2 = /CLSID\\\{[0-9A-Fa-f-]{36}\}/ ascii wide nocase
        $s3 = /IID_[A-Za-z0-9_]+/ ascii wide nocase
        $s4 = "LoadLibrary" ascii wide
        $s5 = "RegSetValueEx" ascii wide
        $s6 = "svchost.exe" ascii wide nocase
        $s7 = "rundll32.exe" ascii wide nocase
        $s8 = "CreateProcess" ascii wide
        $s9 = "comsvcs.dll" ascii wide nocase
        $s10 = "MiniDumpWriteDump" ascii wide
        $s11 = "Qakbot" ascii wide nocase
        $s12 = "VID001.exe" ascii wide
        $s13 = "SECOH-QAD.exe" ascii wide
        $s14 = "AutoPico.exe" ascii wide
        $s15 = "u992574.dll" ascii wide
        $s16 = "SignInfoConsole.exe" ascii wide
        $s17 = "{000209FF-0000-0000-C000-000000000046}" ascii wide // Word.Application CLSID, often abused
        $s18 = "{D1E22170-3B1D-48B8-A408-A9A6ECA94D7F}" ascii wide // GUID carried over from the generated rule; its link to QakBot is unverified
        $s19 = "WbemScripting" ascii wide nocase
        $s20 = "Shell.Application" ascii wide
    condition:
        filesize < 5MB and
        (
            // Known samples from the IoC list above. A file never contains its own
            // SHA-256, so the original "$hash" text strings could never match; the
            // digests are compared through the hash module instead.
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.sha256(0, filesize) == "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or
            hash.sha256(0, filesize) == "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453" or
            // Behavioural fallback for samples not in the hash list.
            (
                any of ($s1, $s2, $s3, $s4, $s5, $s6, $s7, $s8, $s9, $s10, $s11) and
                any of ($s12, $s13, $s14, $s15, $s16) and
                any of ($s17, $s18, $s19, $s20)
            )
        )
}
⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.
Source Articles
Introduction to COM usage by Windows threats
Component Object Model (COM) is a foundational Windows technology increasingly exploited by threat actors for malicious purposes such as persistence, lateral movement, execution, and evasion. Malware families like Qakbot, Gh0stRAT, and WarmCookie leverage COM interfaces to interact with Windows services including Task Scheduler, WMI, and BITS, often bypassing traditional detection mechanisms. These threats use indirect vtable calls and DCOM for stealthy operations, making static analysis more complex. Understanding COM usage is critical for effective threat hunting and reverse engineering.
talos · 1w ago
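The textual GUID strings in the rules above only catch a CLSID that is stored as text. A compiled CoCreateInstance(&CLSID_TaskScheduler, ...) call passes the class ID by reference, so what actually sits in .rdata is the 16-byte binary GUID struct, which "ascii wide" strings never see. The following Python is an added example for this page, not code from Talos or from the rule author: it scans a byte buffer the three ways an analyst needs (ASCII text, UTF-16LE text as YARA's "wide" modifier sees it, and the little-endian binary layout) and resolves hits against a small table of documented Windows CLSIDs for the COM servers the write-up names (Task Scheduler, WMI, BITS) plus Word.Application, Shell.Application and MMC20.Application. The GUID values are Microsoft's; the table's labels, the choice of entries, and the SAMPLE buffer are constructed for the example.

```python
import re
import uuid

# Documented Windows CLSIDs for COM servers the Talos write-up names as commonly
# abused (Task Scheduler, WMI, BITS) plus three classic execution / DCOM
# lateral-movement targets. The GUID values are Microsoft's; the labels and the
# choice of entries are this example's own (assumption: extend per case).
KNOWN_CLSIDS = {
    "0F87369F-A4E5-4CFC-BD3E-73E6154572DD": "CLSID_TaskScheduler (ITaskService)",
    "4590F811-1D3A-11D0-891F-00AA004B2E24": "CLSID_WbemLocator (WMI)",
    "4991D34B-80A1-4291-83B6-3328366B9097": "CLSID_BackgroundCopyManager (BITS)",
    "000209FF-0000-0000-C000-000000000046": "Word.Application",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "49B2791A-B1AE-4C90-9B8E-E860BA07F889": "MMC20.Application (DCOM lateral movement)",
}

_HEX = rb"[0-9A-Fa-f]"
# Textual GUID as a YARA 'ascii' string sees it, braces optional.
GUID_ASCII_RE = re.compile(
    rb"\{?(" + _HEX + rb"{8}-(?:" + _HEX + rb"{4}-){3}" + _HEX + rb"{12})\}?"
)
# The same text as a YARA 'wide' string sees it: UTF-16LE, each code unit
# followed by a NUL byte.
_HEXW = _HEX + rb"\x00"
GUID_WIDE_RE = re.compile(
    rb"(?:\{\x00)?("
    + rb"(?:" + _HEXW + rb"){8}-\x00"
    + rb"(?:(?:" + _HEXW + rb"){4}-\x00){3}"
    + rb"(?:" + _HEXW + rb"){12}"
    + rb")(?:\}\x00)?"
)


def _binary_form(guid_text: str) -> bytes:
    """16-byte GUID struct layout (Data1..Data3 little-endian, Data4 as-is):
    the form a REFCLSID argument to CoCreateInstance points at."""
    return uuid.UUID(guid_text).bytes_le


def find_com_clsids(data: bytes) -> list:
    """Return every ASCII, wide or binary GUID found in `data`, sorted by offset,
    with the label of any known COM class it resolves to. Unknown textual GUIDs
    are reported (label None) so an analyst can look them up; binary GUIDs can
    only be found for the candidates in KNOWN_CLSIDS."""
    hits = []
    for m in GUID_ASCII_RE.finditer(data):
        g = m.group(1).decode("ascii").upper()
        hits.append({"offset": m.start(), "encoding": "ascii", "guid": g,
                     "label": KNOWN_CLSIDS.get(g)})
    for m in GUID_WIDE_RE.finditer(data):
        g = m.group(1).replace(b"\x00", b"").decode("ascii").upper()
        hits.append({"offset": m.start(), "encoding": "wide", "guid": g,
                     "label": KNOWN_CLSIDS.get(g)})
    for g, label in KNOWN_CLSIDS.items():
        needle = _binary_form(g)
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append({"offset": idx, "encoding": "binary", "guid": g, "label": label})
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def abused_com_servers(data: bytes) -> list:
    """Sorted, de-duplicated labels of known COM servers referenced in `data`."""
    return sorted({h["label"] for h in find_com_clsids(data) if h["label"]})


# Constructed stand-in for a slice of a PE's data sections: a binary
# CLSID_TaskScheduler as a compiled CoCreateInstance call embeds it, an ASCII
# registry-style CLSID path, a UTF-16LE GUID, and one GUID not in the table.
SAMPLE = (
    b"\x90" * 8
    + _binary_form("0F87369F-A4E5-4CFC-BD3E-73E6154572DD")
    + b"\x00" * 4
    + b"CLSID\\{000209FF-0000-0000-C000-000000000046}\x00"
    + "{49B2791A-B1AE-4C90-9B8E-E860BA07F889}".encode("utf-16-le")
    + b"\x00\x00"
    + b"{DEADBEEF-1111-2222-3333-444455556666}"
)

if __name__ == "__main__":
    for h in find_com_clsids(SAMPLE):
        label = h["label"] or "(unknown, look up)"
        print(f"0x{h['offset']:04x} {h['encoding']:6} {h['guid']}  {label}")
```

Run against a real sample, only the binary pass finds the Task Scheduler CLSID, which is exactly the reference a string-only YARA rule misses; a YARA equivalent would carry the 16-byte little-endian form as a hex string ({ 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD }) rather than the text GUID.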
Beyond IOCs: AI-enabled threat intelligence
Cisco Talos highlights the increasing abuse of Windows Component Object Model (COM) by malware families such as Qakbot and WarmCookie for lateral movement, persistence, and evasion. COM's use of opaque GUIDs and indirect vtable calls complicates manual analysis and static detection, allowing attackers to blend malicious activities with legitimate system processes. Defenders are advised to enhance their ability to detect and interpret COM-related artifacts to uncover hidden stages of the infection chain.
talos · 1w ago