#Qakbot - BB11 - url > .zip > .iso > .wsf > .dll
wscript.exe enjoying-G74.wsf
rundll32.exe C:\Users\Admin\i.dll,Updt
Samples π
https://bazaar.abuse.ch/sample/699414ec20038287dbec4aa01def60c5be9197a48bf32bc8c749ca6e82501e5c/
https://bazaar.abuse.ch/sample/af688f12fd4bf2d2f47665bac254dabfa13f9c2f0a33cb477d77d748c4fab3d3/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB11_23.12.2022.txt
#Qakbot - obama233 - .pdf > .url > .zip > .iso > .wsf > .dll
wscript.exe Cancellation-N04.wsf
rundll32.exe C:\Users\Admin\i.txt,Updt
Samples π
https://bazaar.abuse.ch/sample/f6a8d7b8a80827bd4729cda40e959823c4c30e648a58832623fda8dae20a08ab/
https://bazaar.abuse.ch/sample/6a8557a2f8e1338e6edb2a07c345882389230ea24ffeb741a59621b7e8b56c59/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama233_23.12.2022.txt
#Qakbot - BB11 - url > .zip > .iso > .wsf > .dll
wscript.exe GR1.wsf
rundll32.exe C:\ProgramData\user.dat,Updt
net view
cmd /c set
arp -a
ipconfig /all
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
net share
net1 share
route print
netstat -nao
net localgroup
net1 localgroup
whoami /all
Samples π
https://bazaar.abuse.ch/sample/1883a9b94e11a3db9aa0cd29d7864af6e45d93fb7f5c873b8256d36e648a289f/
https://bazaar.abuse.ch/sample/845900fb58adf3e8b086c9517dfc5deeaefb5e6be80606b8e93c21502d2fe44c/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB11_22.12.2022.txt
#Qakbot - azd - .html > .zip > .img > .lnk > .cmd > .dll
cmd /c SCAN_SP0692.lnk
cmd.exe /c Invoice\YouContract.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
rundll32 /s contract.dll,Updt
Sample π
https://bazaar.abuse.ch/sample/784a2827b5ddc82e69198aa9f6a5382c32716eb0263bc2a4f6fc500589c8a3ef/
https://bazaar.abuse.ch/sample/2a23cae4be2ab6165bd39d1af410be71df04f883b25dafb71d516d5eb5468da5/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_azd_22.12.2022.txt
#Qakbot - obama232 - .pdf > .url > .zip > .img > .lnk > .dll
cmd /c Attn_257133_12222022.lnk
rundll32.exe user.dat,Updt
Samples π
https://bazaar.abuse.ch/sample/7a24750ec1191317cd4a6f3ae7937c9846f224430e1e351170c34a445d876735/
https://bazaar.abuse.ch/sample/26975798246161199b20263f3793e1c6d56299c0a881c6dfcd4bc9b753b75212/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama232_22.12.2022.txt
#Qakbot - BB11 - url > .zip > .iso > .lnk > .wsf > .dll
cmd.exe /c Report-429_583497.lnk
wscript.exe Cellulipetal.wsf
rundll32.exe c:\users\public\buttoning.dll, qqqb
Samplesπ
https://bazaar.abuse.ch/sample/42904c781411928176ed54f44935305697dcedc991f742f9318156dcd707c4d7/
https://bazaar.abuse.ch/sample/501f753fad0f590197b6edacf61c5f60237a2a7e1f414221cc5054195afa53c0/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB11_20.12.2022.txt
#Qakbot - obama230 - .pdf > .url > .zip > .img > .lnk > .dll
cmd.exe /c Summary_5658050_12192022.lnk
rundll32.exe deskmon.dat,qqqq
Samples π
https://bazaar.abuse.ch/sample/1e363955ad23b167d6c55454671e59864c31c9f98b8a25997c29ae9b70166d42/
https://bazaar.abuse.ch/sample/db333be4247b3cef1efefe762327112ca465de58a15a260033d03a7aaaf5cbb2/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama230_19.12.2022.txt
#Qakbot - obama231 - .pdf > .url > .zip > .img > .lnk > .dll
cmd /c DocumentsFolder 5959843 12202022.lnk
rundll32.exe cursor.dat,qqqq
Samples π
https://bazaar.abuse.ch/sample/a7c94aab85118b74b911a7e511a587313fbbe4689bef8be295d23fbd65d38bd1/
https://bazaar.abuse.ch/sample/2ebb62e94adeb9e2b89c86158d047c4237d5df24a02f0324b9d81eb1ea164241/
IOC's
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_obama231_20.12.2022.txt
@eddieknight @SeanWrightSec I will try make a better effort π
I would recommend getting this done for peace of mind to reduce the attack surface as there is not much of a genuine use case in most orgs.
https://support.huntress.io/hc/en-us/articles/11477430445587-Disabling-Mounting-of-Disk-Image-Files
