Malware

QakBot

Also known as: Oakboat · Pinkslipbot · Qbot · Quakbot


QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been classed as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses its C2 servers to target and download additional payloads.

Indicators of Compromise (15)

MITRE ATT&CK TTPs (2)

YARA Detection Rules

QakBot_YARA_Detection (yara, ai_generated)

import "pe"

rule QakBot_Detection {
    meta:
        description = "Detects QakBot malware through behavioral patterns related to COM object manipulation and lateral movement via DCOM"
        author = "AI Generated"

    strings:
        $s1 = "CoCreateInstance" ascii wide
        $s2 = "CLSID\\" ascii wide
        $s3 = "IID_" ascii wide
        $s4 = "RpcBinding" ascii wide
        $s5 = "TaskScheduler" ascii wide
        $s6 = "BITSAdmin" ascii wide
        $s7 = "\\pipe\\lsarpc" ascii wide
        $s8 = "Winmgmt" ascii wide
        $s9 = "CreateInstance" ascii wide
        $s10 = "IUnknown" ascii wide
        $s11 = "CoInitialize" ascii wide
        $s12 = "CoUninitialize" ascii wide
        $s13 = "OpenSCManager" ascii wide
        $s14 = "CreateService" ascii wide
        $s15 = "StartService" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        any of ($s1, $s2, $s3) and
        any of ($s4, $s5, $s6, $s7, $s8) and
        any of ($s9, $s10, $s11, $s12) and
        any of ($s13, $s14, $s15) and
        // Ensure COM-related APIs are used in context of DCOM or service manipulation.
        // pe.imphash() requires a YARA build with crypto support; the imphash values
        // below are as generated and should be vetted against real samples before use.
        (pe.imphash() matches /^(00000000000000000000000000000000|7a1f3a8b1b1c1d1e1f1a1b1c1d1e1f1a)$/ or
         pe.number_of_imports > 5) and
        // Exclude known clean imphashes if applicable
        not (pe.imphash() matches /^(3d8e2f7a8b1b1c1d1e1f1a1b1c1d1e1f|4e3d2c1b1a1f1e1d1c1b1a1f1e1d1c1b)$/)
}
QakBot_YARA_Detection (yara, ai_generated)

import "hash"

// Shares its identifier with the rule above; rename one of them before compiling both into a single ruleset.
rule QakBot_Detection {
    meta:
        description = "Detects QakBot malware leveraging COM abuse and known behavioral indicators"
        author = "AI Generated"

    strings:
        $s1 = "CoCreateInstance" ascii wide
        $s2 = /CLSID\\\{[0-9A-F-]{36}\}/ ascii wide nocase   // registry-style CLSID key; the original was a plain string containing ".*"
        $s3 = /IID_[A-Z0-9_]+/ ascii wide nocase              // interface ID symbol name; same fix
        $s4 = "LoadLibrary" ascii wide
        $s5 = "RegSetValueEx" ascii wide
        $s6 = "svchost.exe" ascii wide nocase
        $s7 = "rundll32.exe" ascii wide nocase
        $s8 = "CreateProcess" ascii wide
        $s9 = "comsvcs.dll" ascii wide nocase
        $s10 = "MiniDumpWriteDump" ascii wide
        $s11 = "Qakbot" ascii wide nocase
        $s12 = "VID001.exe" ascii wide
        $s13 = "SECOH-QAD.exe" ascii wide
        $s14 = "AutoPico.exe" ascii wide
        $s15 = "u992574.dll" ascii wide
        $s16 = "SignInfoConsole.exe" ascii wide
        $s17 = "{000209FF-0000-0000-C000-000000000046}" ascii wide  // Word.Application CLSID often abused
        $s18 = "{D1E22170-3B1D-48B8-A408-A9A6ECA94D7F}" ascii wide  // Known QakBot COM GUID
        $s19 = "WbemScripting" ascii wide nocase
        $s20 = "Shell.Application" ascii wide

    condition:
        filesize < 5MB and
        (
            // Known samples: compare the SHA-256 of the whole file via the hash module.
            // The original searched for the hex text as $hash strings, which a sample
            // never contains, so the rule could not match.
            hash.sha256(0, filesize) == "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507" or
            hash.sha256(0, filesize) == "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f" or
            hash.sha256(0, filesize) == "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638" or
            hash.sha256(0, filesize) == "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba" or
            hash.sha256(0, filesize) == "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453" or
            // Otherwise require at least one indicator from each behavioral group
            (
                any of ($s1, $s2, $s3, $s4, $s5, $s6, $s7, $s8, $s9, $s10, $s11) and
                any of ($s12, $s13, $s14, $s15, $s16) and
                any of ($s17, $s18, $s19, $s20)
            )
        )
}

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
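As an added example of the kind of offline sanity check that note calls for (this is not part of the page and not the rule author's code), the script below re-implements the two pieces of rule logic that most often go wrong in generated YARA and runs them over constructed samples: SHA-256 IoCs have to be compared against the digest of the file's bytes rather than searched for as hex text, and an "ascii wide" string has to be looked for as raw bytes and as UTF-16LE. It then evaluates rule 1's four string groups against a constructed, benign PE-like buffer to show how much of that rule ordinary COM-using Windows programs already satisfy. The five hashes are the page's; every function name and byte string here is the example's own and does not require yara-python.

```python
"""Offline sanity check for the QakBot rules above (added example, not the
page's or the rule author's code). Hashes are the page's IoCs; all sample
bytes are constructed for the example."""
import hashlib

# SHA-256 IoCs listed in the page's second rule.
KNOWN_HASHES = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f",
    "afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638",
    "e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba",
    "853baab97b1f3b03c1ffa55797e87867f5fb7ce33457411f56afd270cb395453",
}

# The four "any of" string groups from rule 1 (its pe.* conditions are omitted).
RULE1_GROUPS = [
    ["CoCreateInstance", "CLSID\\", "IID_"],
    ["RpcBinding", "TaskScheduler", "BITSAdmin", "\\pipe\\lsarpc", "Winmgmt"],
    ["CreateInstance", "IUnknown", "CoInitialize", "CoUninitialize"],
    ["OpenSCManager", "CreateService", "StartService"],
]


def string_present(data: bytes, s: str) -> bool:
    """YARA 'ascii wide': the literal bytes or their UTF-16LE encoding."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def matches_rule1_strings(data: bytes) -> bool:
    """Rule 1's string logic: MZ header plus at least one hit in every group."""
    if data[:2] != b"MZ":
        return False
    return all(any(string_present(data, s) for s in group) for group in RULE1_GROUPS)


def hash_ioc_hit(data: bytes) -> bool:
    """Correct IoC check: digest the bytes, then compare (hash.sha256 in YARA)."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def hash_text_search_hit(data: bytes) -> bool:
    """The pitfall the original rule 2 had: searching for the hash's hex text.
    A sample never contains its own digest, so this only fires on files that
    quote the IoC, such as a report."""
    return any(string_present(data, h) for h in KNOWN_HASHES)


def classify(data: bytes) -> str:
    """An exact-hash hit is a confirmed known sample; the string groups are a
    weaker, variant-oriented signal that only warrants a second look."""
    if hash_ioc_hit(data):
        return "known-sample"
    if matches_rule1_strings(data):
        return "rule1-strings"
    return "no-match"


def build_benign_pe_stub(wide: bool = False) -> bytes:
    """Constructed stand-in for an ordinary COM-using program: an MZ header
    followed by API-name text such binaries carry in their import table.
    With wide=True the names are stored as UTF-16LE, as Unicode resources are."""
    names = ["CoInitialize", "CoCreateInstance", "CoUninitialize", "IUnknown",
             "OpenSCManager", "StartService", "TaskScheduler"]
    enc = (lambda n: n.encode("utf-16-le")) if wide else (lambda n: n.encode("ascii"))
    return b"MZ" + b"\x00" * 62 + b"\x00".join(enc(n) for n in names) + b"\x00"


def build_ioc_report_stub() -> bytes:
    """Constructed text file that merely quotes one of the IoC hashes."""
    return b"Seen QakBot sample: " + sorted(KNOWN_HASHES)[0].encode("ascii")


if __name__ == "__main__":
    print("benign PE stub  ->", classify(build_benign_pe_stub()))            # rule1-strings
    print("wide-only stub  ->", classify(build_benign_pe_stub(wide=True)))   # rule1-strings
    report = build_ioc_report_stub()
    print("IoC report text -> hex-text search:", hash_text_search_hit(report),
          "| digest check:", hash_ioc_hit(report))                           # True | False
```

The benign stub classifying as "rule1-strings" is the point: every group in rule 1 is satisfied by API names that any COM client or service-control utility imports, so that rule's precision rests entirely on the pe.imphash() exclusion list, which on the page still holds generated placeholder values. The report stub shows why the hash IoCs belong in a digest comparison rather than in a $string section.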

Source Articles