YARA rules for QakBot
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule MAL_QakBot_ConfigExtraction_Feb23
{
    meta:
        author = "kevoreilly"
        description = "QakBot Config Extraction"
        // CAPE debugger directives: breakpoints are placed at fixed byte
        // offsets from the matched string addresses ($params+23, $c2list1+40,
        // $c2list2+38, $conf+13) and the attached actions dump memory when
        // they are hit. The string identifiers below are therefore part of the
        // rule's contract with CAPE; renaming them or shifting the patterns
        // moves the breakpoints.
        // NOTE(review): bp1 is assigned twice ($c2list1 and $c2list2) -
        // presumably whichever of the two strings matches supplies it; confirm
        // against the CAPE option parser.
        cape_options = "bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config"
        // SHA-256 this rule was written against; the key is "packed" rather
        // than "hash", presumably because it is the packed sample.
        packed = "f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68"
        reference = "https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar"
        date = "2023-02-17"
        license = "https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE"
        id = "401184cf-bbd7-5afe-9589-470f54721af1"

    strings:
        // x86 code fragments. "??" is one wildcard byte; "[4]" skips the
        // 4-byte rel32 operand of a call/jmp (E8/E9) so the pattern survives
        // relocation of the called function; "[2] 00 00" is a displacement
        // whose low two bytes vary.
        $params  = {8B 7D ?? 8B F1 57 89 55 ?? E8 [4] 8D 9E [2] 00 00 89 03 59 85 C0 75 08 6A FC 58 E9}
        $c2list1 = {59 59 8D 4D D8 89 45 E0 E8 [4] 8B 45 E0 85 C0 74 ?? 8B 90 [2] 00 00 51 8B 88 [2] 00 00 6A 00 E8}
        $c2list2 = {59 59 8B F8 8D 4D ?? 89 7D ?? E8 [4] 85 FF 74 52 8B 97 [2] 00 00 51 8B 8F [2] 00 00 53 E8}
        // Function epilogue (pop edi/esi/ebx; leave; ret) followed by the
        // start of the next function - anchors on a code boundary.
        $conf    = {5F 5E 5B C9 C3 51 6A 00 E8 [4] 59 59 85 C0 75 01 C3}

    condition:
        // 0x5A4D is "MZ" read as a little-endian uint16, so only PE images
        // (or dumps that start with a PE header) are considered. A single one
        // of the four code patterns is enough to fire.
        uint16(0) == 0x5A4D
        and ($params or $c2list1 or $c2list2 or $conf)
}
rule MAL_QakBotLoader_Export_Section_Feb23
{
    meta:
        author = "kevoreilly"
        description = "QakBot Export Selection"
        // CAPE directive: the address matched by $export is handed to CAPE
        // as the export to invoke. Only $export is referenced here; $wind is
        // required by the condition but carries no CAPE action.
        cape_options = "export=$export"
        hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a"
        reference = "https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar"
        date = "2023-02-17"
        license = "https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE"
        id = "cb86e9fb-a8d2-5285-aeda-622704399f8e"

    strings:
        // Standard prologue (push ebp; mov ebp,esp; sub esp,0x50) followed by
        // either an 8-bit (3A) or 16-bit (66 3B) compare and a jz (74). The
        // alternation keeps the rule stable across the two compare encodings.
        $export = {55 8B EC 83 EC 50 (3A|66 3B) ?? 74}
        // Same compare/jz shape, then within 1-14 bytes "mov ebx, 0x469;
        // push ebx; call ..." and a jz 5-7 bytes after the call. The bounded
        // jumps tolerate small instruction-scheduling differences between
        // builds.
        $wind   = {(66 3B|3A) ?? 74 [1-14] BB 69 04 00 00 53 E8 [5-7] 74}

    condition:
        // PE only (MZ magic) and BOTH patterns must be present.
        uint16(0) == 0x5A4D
        and $export
        and $wind
}
rule MAL_QakBotAntiVM_AntiVM_Bypass_Feb23
{
    meta:
        author = "kevoreilly"
        description = "QakBot AntiVM bypass"
        // CAPE directive: a breakpoint at the start of the matched function
        // with the "unwind" action, hit at most once. Presumably this returns
        // out of the anti-VM routine so the sandbox run is not aborted -
        // confirm against the CAPE debugger documentation.
        cape_options = "bp0=$antivm1,action0=unwind,count=1"
        hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7"
        reference = "https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar"
        date = "2023-02-17"
        license = "https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE"
        id = "7446522a-788a-512d-ad68-2fcc56169f5a"

    strings:
        // Function prologue (55 8B EC) followed by register self-compares
        // (3A E4 = cmp ah,ah; 66 3B FF = cmp di,di; 66 3B ED = cmp bp,bp)
        // and 6-byte conditional jumps "0F [2] 00 00 00" whose rel32 low bytes
        // are wildcarded. Interleaved are "push 4; pop eax" (6A 04 58) and
        // mov/add/sub dword [ecx+eax+disp8], imm32 (C7 44 01 / 81 44 01 /
        // 81 6C 01, operands wildcarded with [5]). The pattern keys on this
        // distinctive control-flow shape rather than on any constant.
        $antivm1 = {55 8B EC 3A E4 0F [2] 00 00 00 6A 04 58 3A E4 0F [2] 00 00 00 C7 44 01 [5] 81 44 01 [5] 66 3B FF 74 ?? 6A 04 58 66 3B ED 0F [2] 00 00 00 C7 44 01 [5] 81 6C 01 [5] EB}

    condition:
        // No MZ/filesize guard, unlike the sibling rules: the code pattern
        // alone decides, so this also applies to memory dumps and raw code.
        $antivm1
}
rule SUSP_Qakbot_Uninstaller_ShellCode_Aug23
{
    meta:
        // Matches the law-enforcement uninstaller from the August 2023
        // Qakbot disruption, not the bot itself: a hit is evidence that the
        // remediation payload was delivered or is present on the host, which
        // is why the rule is SUSP_ rather than MAL_.
        description = "Detects Qakbot Uninstaller files used by the FBI and Dutch National Police in a disruption operation against the Qakbot in August 2023"
        author = "Florian Roth"
        reference = "https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources"
        date = "2023-08-30"
        // presumably the Nextron/THOR 0-100 severity convention - confirm
        score = 60
        id = "860796ab-689f-5c5f-bc40-3e2ef7fd1d5d"

    strings:
        // Position-independent x86 stub: "E8 00 00 00 00 / 58" is
        // call $+5; pop eax (load the current EIP), then a frame is set up,
        // two immediates are pushed and a local call made (leave; ret), and
        // the next function reserves 0x108 bytes of stack and builds values
        // with push imm8 / pop reg pairs (6A 6B 58, 6A 65 5B, 6A 72 ...).
        // Entirely literal (no wildcards or jumps), so it is expected to be
        // very specific to this build and to break on any recompilation.
        $xc1 = { E8 00 00 00 00 58 55 89 E5 89 C2 68 03 00 00 00 68 00 2C 00 00 05 20 0A 00 00 50 E8 05 00 00 00 83 C4 04 C9 C3 81 EC 08 01 00 00 53 55 56 57 6A 6B 58 6A 65 5B 6A 72 66 89 84 24 D4 00 00 00 33 }

    condition:
        // No file-type or size guard: the single string decides, so the rule
        // also fires on memory dumps and on carved shellcode blobs.
        all of them
}
rule SUSP_QakBot_Uninstaller_FBI_Aug23
{
    meta:
        // Companion to SUSP_Qakbot_Uninstaller_ShellCode_Aug23: detects the
        // compiled uninstaller binary rather than its shellcode stub. As with
        // that rule, a match indicates the remediation tool, not an infection.
        description = "Detects Qakbot uninstaller used by the FBI / Dutch Police"
        author = "Florian Roth"
        reference = "https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources"
        date = "2023-08-31"
        // presumably the Nextron/THOR 0-100 severity convention - confirm
        score = 60
        hash1 = "559cae635f0d870652b9482ef436b31d4bb1a5a0f51750836f328d749291d0b6"
        hash2 = "855eb5481f77dde5ad8fa6e9d953d4aebc280dddf9461144b16ed62817cc5071"
        hash3 = "fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0"
        id = "499bff56-ff49-53df-9922-227b816c0a36"

    strings:
        // $op1 and $op2 overlap: the tail of $op1 (42 89 55 e4 81 fa 70 02
        // 00 00 7c d4) is the head of $op2, i.e. they cover one contiguous
        // loop. "69 c1 65 89 07 6c" is imul eax,ecx,0x6C078965 and
        // "81 fa 70 02 00 00" is cmp edx,0x270 (624) - consistent with a
        // Mersenne-Twister (MT19937) state-initialisation loop, so the
        // detection keys on a library routine plus its surrounding bytes.
        $op1 = { 69 c1 65 89 07 6c 03 c2 89 84 95 24 f6 ff ff 8b 55 e4 42 89 55 e4 81 fa 70 02 00 00 7c d4 }
        // Contains absolute addresses (a0 31 00 10 / a8 31 00 10 as movsd
        // operands), so it is bound to this build's image base and layout.
        $op2 = { 42 89 55 e4 81 fa 70 02 00 00 7c d4 f2 0f 10 0d a0 31 00 10 33 f6 f2 0f 10 15 a8 31 00 10 66 90 }
        // push 0x10003148 / push 0x28 / push edi / call, then "8b 4d fc 33 cd"
        // (mov ecx,[ebp-4]; xor ecx,ebp) - looks like the MSVC /GS stack-cookie
        // check; again carries an absolute address.
        $op5 = { 68 48 31 00 10 6a 28 57 e8 e4 fd ff ff 8b 4d fc 83 c4 4c 33 cd 33 c0 }
        // xor eax,eax; cmp word [esi],ax; jz; then an inc/cmp word [esi+eax*2]
        // loop - looks like an inlined wide-string length scan.
        $op6 = { 33 c0 66 39 06 74 0f 0f 1f 80 00 00 00 00 40 66 83 3c 46 00 75 f8 8d 3c 00 }

    condition:
        // All four fragments are required; there is no MZ or filesize guard,
        // so the rule also matches memory dumps of the uninstaller.
        $op1 and $op2 and $op5 and $op6
}
/* Detects base64-wrapped PKZIP ("PK\x03\x04...") headers as they appear in
   HTML-smuggling lures: double-encoded inside an HTML file, or triple-encoded
   when that HTML file travels as a base64 MIME attachment in an email.
   Each encoding layer is given in three variants because the base64 text of
   a fixed prefix depends on its alignment within the encoded stream. */
rule MAL_QBot_HTML_Smuggling_Indicators_Oct22_1 {
meta:
description = "Detects double encoded PKZIP headers as seen in HTML files used by QBot"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA"
date = "2022-10-07"
/* presumably the Nextron/THOR 0-100 severity convention - confirm */
score = 75
hash1 = "4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f"
hash2 = "8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b"
hash3 = "c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a"
hash4 = "5072d91ee0d162c28452123a4d9986f3df6b3244e48bf87444ce88add29dd8ed"
hash5 = "ff4e21f788c36aabe6ba870cf3b10e258c2ba6f28a2d359a25d5a684c92a0cad"
id = "8034d6af-4dae-5ff6-b635-efb5175fe4d1"
strings:
/* Double base64 encoded - as seen in HTML. The three strings are presumably
   the three alignment phases (offset 0/1/2) of the same encoded header. */
$sd1 = "VUVzREJCUUFBUUFJQ"
$sd2 = "VFc0RCQlFBQVFBSU"
$sd3 = "VRXNEQkJRQUFRQUlB"
/* reversed - the same three strings character-reversed, for lures that
   reverse the payload before decoding. NOTE: the condition's "$sd*" is a
   prefix wildcard, so it also selects these $sdr* strings; the reversed
   variants are counted without being named explicitly. */
$sdr1 = "QJFUUBFUUCJERzVUV"
$sdr2 = "USBFVQBFlQCR0cFV"
$sdr3 = "BlUQRFUQRJkQENXRV"
/* Triple base64 encoded - to detect the double encoded versions in email attachments.
   Nine strings: each of the three double-encoded variants, again in its three
   alignment phases once wrapped by the MIME base64 layer. */
$st1 = "VlVWelJFSkNVVUZCVVVGSl"
$st2 = "ZVVnpSRUpDVVVGQlVVRkpR"
$st3 = "WVVZ6UkVKQ1VVRkJVVUZKU"
$st4 = "VkZjMFJDUWxGQlFWRkJTV"
$st5 = "ZGYzBSQ1FsRkJRVkZCU1"
$st6 = "WRmMwUkNRbEZCUVZGQlNV"
$st7 = "VlJYTkVRa0pSUVVGUlFVbE"
$st8 = "ZSWE5FUWtKUlFVRlJRVWxC"
$st9 = "WUlhORVFrSlJRUVZSUVVsQ"
/* reversed - likewise selected by the condition's "$st*" prefix wildcard */
$str1 = "UUpGVVVCRlVVQ0pFUnpWVV"
$str2 = "FKRlVVQkZVVUNKRVJ6VlVW"
$str3 = "RSkZVVUJGVVVDSkVSelZVV"
$str4 = "VVNCRlZRQkZsUUNSMGNGV"
$str5 = "VTQkZWUUJGbFFDUjBjRl"
$str6 = "VU0JGVlFCRmxRQ1IwY0ZW"
$str7 = "QmxVUVJGVVFSSmtRRU5YUl"
$str8 = "JsVVFSRlVRUkprUUVOWFJW"
$str9 = "CbFVRUkZVUVJKa1FFTlhSV"
/* HTML - context anchor for the double-encoded branch */
$htm = "<html" ascii
/* avoid matches in emails with double encoding - because email attachments get base64 encoded;
   a MIME header line is used as the "this is an email" signal */
$eml = "Content-Transfer-Encoding:" ascii
condition:
/* Two mutually exclusive contexts, gated by the $eml header:
   - HTML file, not an email: one double-encoded (or reversed) variant + "<html"
   - email: one triple-encoded (or reversed) variant, the extra base64 layer
     being the attachment encoding.
   The 10MB cap keeps the many-string scan off large files. */
filesize < 10MB and (
( 1 of ($sd*) and $htm and not $eml ) /* double encoded in HTML */
or ( 1 of ($st*) and $eml ) /* triple encoded in EML */
)
}