Qakbot Rundll32 Exports Execution

Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.

Sigma rule

title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: test
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023/05/24
modified: 2023/05/30
tags:
    - attack.defense_evasion
    - attack.execution
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_paths:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    selection_exports:
        CommandLine|endswith:
            # Note: Only add additional exports seen used by Qakbot
            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
            - 'bind'
            - 'DrawThemeIcon'
            - 'GG10'
            - 'GL70'
            - 'jhbvygftr'
            - 'kjhbhkjvydrt'
            - 'LS88'
            - 'Motd'
            - 'N115'
            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2
            - 'Nikn'
            - 'print'
            - 'qqqb'
            - 'qqqq'
            - 'RS32'
            - 'Test'
            - 'Time'
            - 'Updt'
            - 'vips'
            - 'Wind'
            - 'WW50'
            - 'X555'
            - 'XL55'
            - 'xlAutoOpen'
            - 'XS88'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: critical
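
As an added example that is not part of the Sigma project or of this rule, the Python below reproduces the rule's detection logic and runs it over a few constructed process_creation events. The event dictionaries, their field names and the sample command lines are assumptions made for the example; the matcher goes slightly beyond the rule by supporting the contains, startswith and endswith modifiers generically (case-insensitively, as the Sigma specification requires) rather than only the two this rule uses.

```python
"""Evaluate the Qakbot rundll32 Sigma rule above against sample events.

Added example, not Sigma project code. Selections are copied from the
rule; the events at the bottom are constructed, not real telemetry.
"""

# field|modifier -> list of values, exactly as in the rule's two selections
SELECTION_PATHS = {
    "ParentImage|endswith": [
        "\\cmd.exe", "\\cscript.exe", "\\curl.exe", "\\mshta.exe",
        "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    ],
    "Image|endswith": ["\\rundll32.exe"],
    "CommandLine|contains": [
        ":\\ProgramData\\", ":\\Users\\Public\\",
        "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
    ],
}

SELECTION_EXPORTS = {
    "CommandLine|endswith": [
        "aslr", "bind", "DrawThemeIcon", "GG10", "GL70", "jhbvygftr",
        "kjhbhkjvydrt", "LS88", "Motd", "N115", "next", "Nikn", "print",
        "qqqb", "qqqq", "RS32", "Test", "Time", "Updt", "vips", "Wind",
        "WW50", "X555", "XL55", "xlAutoOpen", "XS88",
    ],
}

# condition: all of selection_*
RULE_SELECTIONS = [SELECTION_PATHS, SELECTION_EXPORTS]


def _field_matches(event_value, modifier, patterns):
    """One field against a list of values: the values are OR-ed and the
    comparison is case-insensitive, as Sigma string matching specifies."""
    if event_value is None:
        return False
    haystack = str(event_value).lower()
    for pattern in patterns:
        needle = str(pattern).lower()
        if modifier is None and haystack == needle:
            return True
        if modifier == "contains" and needle in haystack:
            return True
        if modifier == "startswith" and haystack.startswith(needle):
            return True
        if modifier == "endswith" and haystack.endswith(needle):
            return True
    return False


def selection_matches(event, selection):
    """Every field condition inside one selection map must hold (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier or None, patterns):
            return False
    return True


def rule_matches(event, selections=RULE_SELECTIONS):
    """'all of selection_*': each selection must match the event."""
    return all(selection_matches(event, s) for s in selections)


def find_alerts(events):
    """Return the 'name' of each event the rule fires on (names are an
    assumed bookkeeping field, not something Sigma looks at)."""
    return [e["name"] for e in events if rule_matches(e)]


# Constructed sample events (assumed field names match Sigma's
# process_creation taxonomy: ParentImage, Image, CommandLine)
SAMPLE_EVENTS = [
    {   # both selections hold: scripting parent, rundll32, watched
        # directory and a listed export name at the end of the command line
        "name": "qakbot-like",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe C:\\Users\\Public\\sample.dll,Wind",
    },
    {   # ordinary Control Panel launch: parent is explorer.exe, so
        # selection_paths fails before the export list is even consulted
        "name": "control-panel",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
    },
    {   # installer helper from cmd.exe in ProgramData, but the export
        # 'Install' is not in the rule's list, so selection_exports fails
        "name": "installer-helper",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\SysWOW64\\RUNDLL32.EXE",
        "CommandLine": "rundll32.exe C:\\ProgramData\\Vendor\\helper.dll,Install",
    },
]

if __name__ == "__main__":
    print("alerts:", find_alerts(SAMPLE_EVENTS))
```

Because Sigma's `endswith` is anchored to the very end of the command line, a trailing argument after the export name (as with `rundll32.exe x.dll,print 1`) would not match; that is the behaviour of the rule as written, and the example preserves it rather than widening the match.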
