
Qakbot

5 Rules · 4 References · 1 Folder · Latest: 2024-03-05
Summary

Qakbot is tracked here as a malware family or toolset with 5 Sigma detections spanning 2023. Coverage centers on windows / process_creation.

Related Detections
Emerging Threat · high · test

Qakbot Regsvr32 Calc Pattern

Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen being used by Qakbot.

Windows · Process Creation
TA0005 · Stealth · TA0002 · Execution · detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Fri May 26 2023

Emerging Threat · high · test

Qakbot Uninstaller Execution

Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet.

Windows · Process Creation
TA0002 · Execution · detection.emerging-threats
Florian Roth (Nextron Systems) · Thu Aug 31 2023

Emerging Threat · critical · test

Qakbot Rundll32 Exports Execution

Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.

Windows · Process Creation
TA0005 · Stealth · TA0002 · Execution · detection.emerging-threats
X__Junior (Nextron Systems) · Wed May 24 2023

Emerging Threat · high · test

Potential Qakbot Rundll32 Execution

Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.

Windows · Process Creation
TA0005 · Stealth · TA0002 · Execution · detection.emerging-threats
X__Junior (Nextron Systems) · Wed May 24 2023

Emerging Threat · critical · test

Qakbot Rundll32 Fake DLL Extension Execution

Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.

Windows · Process Creation
TA0005 · Stealth · TA0002 · Execution · detection.emerging-threats
X__Junior (Nextron Systems) +1 · Wed May 24 2023

References