Malicious QakBot Dropped File Creation (Sysmon)

Nov 18, 2022 · attack.initial_access attack.defense_evasion attack.t1566 attack.t1027 attack.t1553 ·

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Sigma rule (View on GitHub)

 1title: Malicious QakBot Dropped File Creation (Sysmon)
 2id: 8e401ffe-ca9b-4bb2-87aa-8e285811d43f
 3status: experimental
 4description: Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.
 5references:
 6    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
 7author: Micah Babinski
 8date: 2022/11/17
 9tags:
10    - attack.initial_access
11    - attack.defense_evasion
12    - attack.t1566
13    - attack.t1027
14    - attack.t1553
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        TargetFilename|endswith:
21            - '.html'
22            - '.zip'
23            - '.iso'
24            - '.lnk'
25        TargetFilename|re: '.*TXRTN_[0-9]{7}\..*'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high```

References

https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html

Read More

Malicious QakBot Dropped File Creation (Sysmon)

Sigma rule (View on GitHub)

References

https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html

Related rules