YARA

YARA rules for Qakbot / Qbot Operators

51 rules · scoped to this actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

direct QBot
MAL_QBot_HTML_Smuggling_Indicators_Oct22_1
Detects double encoded PKZIP headers as seen in HTML files used by QBot
author: Florian Roth (Nextron Systems) · license: see source repo
rule MAL_QBot_HTML_Smuggling_Indicators_Oct22_1 {
   meta:
      description = "Detects double encoded PKZIP headers as seen in HTML files used by QBot"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA"
      date = "2022-10-07"
      score = 75
      hash1 = "4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f"
      hash2 = "8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b"
      hash3 = "c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a"
      hash4 = "5072d91ee0d162c28452123a4d9986f3df6b3244e48bf87444ce88add29dd8ed"
      hash5 = "ff4e21f788c36aabe6ba870cf3b10e258c2ba6f28a2d359a25d5a684c92a0cad"
      id = "8034d6af-4dae-5ff6-b635-efb5175fe4d1"
   strings:
      /* Double base64 encoded - as seen in HTML */
      $sd1 = "VUVzREJCUUFBUUFJQ"
      $sd2 = "VFc0RCQlFBQVFBSU"
      $sd3 = "VRXNEQkJRQUFRQUlB"
      /* reversed */
      $sdr1 = "QJFUUBFUUCJERzVUV"
      $sdr2 = "USBFVQBFlQCR0cFV"
      $sdr3 = "BlUQRFUQRJkQENXRV"

      /* Triple base64 encoded - to detect the double encoded versions in email attachments */
      $st1 = "VlVWelJFSkNVVUZCVVVGSl"
      $st2 = "ZVVnpSRUpDVVVGQlVVRkpR"
      $st3 = "WVVZ6UkVKQ1VVRkJVVUZKU"
      $st4 = "VkZjMFJDUWxGQlFWRkJTV"
      $st5 = "ZGYzBSQ1FsRkJRVkZCU1"
      $st6 = "WRmMwUkNRbEZCUVZGQlNV"
      $st7 = "VlJYTkVRa0pSUVVGUlFVbE"
      $st8 = "ZSWE5FUWtKUlFVRlJRVWxC"
      $st9 = "WUlhORVFrSlJRVUZSUVVsQ"
      /* reversed */
      $str1 = "UUpGVVVCRlVVQ0pFUnpWVV"
      $str2 = "FKRlVVQkZVVUNKRVJ6VlVW"
      $str3 = "RSkZVVUJGVVVDSkVSelZVV"
      $str4 = "VVNCRlZRQkZsUUNSMGNGV"
      $str5 = "VTQkZWUUJGbFFDUjBjRl"
      $str6 = "VU0JGVlFCRmxRQ1IwY0ZW"
      $str7 = "QmxVUVJGVVFSSmtRRU5YUl"
      $str8 = "JsVVFSRlVRUkprUUVOWFJW"
      $str9 = "CbFVRUkZVUVJKa1FFTlhSV"

      /* HTML */
      $htm = "<html" ascii
      /* avoid matches in emails with double encoding - because email attachments get base64 encoded */
      $eml = "Content-Transfer-Encoding:" ascii
   condition:
      filesize < 10MB and (
         ( 1 of ($sd*) and $htm and not $eml ) /* double encoded in HTML */
         or ( 1 of ($st*) and $eml )           /* triple encoded in EML */
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin