QakBot reducing its on disk artifacts - Hornetsecurity
Tags
cmtmf-attack-pattern: Application Layer Protocol; Boot Or Logon Autostart Execution; Obfuscated Files Or Information; Process Injection; Scheduled Task/Job
country: Jersey
maec-delivery-vectors: Watering Hole
attack-pattern:
  Data Direct Application Layer Protocol - T1437
  Boot Or Logon Autostart Execution - T1547
  Code Signing - T1553.002
  Code Signing Certificates - T1587.002
  Code Signing Certificates - T1588.003
  Credentials From Password Stores - T1555
  Credentials From Web Browsers - T1555.003
  Credentials From Web Browsers - T1503
  External Proxy - T1090.002
  Indicator Removal On Host - T1630
  Malicious File - T1204.002
  Malware - T1587.001
  Malware - T1588.001
  Obfuscated Files Or Information - T1406
  Password Guessing - T1110.001
  Phishing - T1660
  Phishing - T1566
  Process Hollowing - T1055.012
  Process Injection - T1631
  Registry Run Keys / Startup Folder - T1547.001
  Regsvr32 - T1218.010
  Scheduled Task - T1053.005
  Scheduled Task/Job - T1603
  Software - T1592.002
  Software Packing - T1027.002
  Software Packing - T1406.002
  Spearphishing Attachment - T1566.001
  Spearphishing Attachment - T1598.002
  Spearphishing Link - T1566.002
  Spearphishing Link - T1598.003
  System Checks - T1633.001
  System Checks - T1497.001
  Web Protocols - T1071.001
  Web Protocols - T1437.001
  Virtualization/Sandbox Evasion - T1497
  Virtualization/Sandbox Evasion - T1633
  Standard Application Layer Protocol - T1071
  Brute Force - T1110
  Code Signing - T1116
  Connection Proxy - T1090
  Credential Dumping - T1003
  Indicator Removal On Host - T1070
  Obfuscated Files Or Information - T1027
  Process Hollowing - T1093
  Process Injection - T1055
  Registry Run Keys / Start Folder - T1060
  Regsvr32 - T1117
  Scheduled Task - T1053
  Software Packing - T1045
  Spearphishing Attachment - T1193
  Spearphishing Link - T1192
  User Execution - T1204
  Indicator Removal On Host
  Spearphishing Attachment
  User Execution
Common Information
Type Value
UUID 2c07dc35-b6e0-4689-8332-cddc1eb5db33
Fingerprint 46ffa9f2088dc340
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 15, 2020, 1:18 p.m.
Added to db Sept. 11, 2022, 12:47 p.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline QakBot reducing its on disk artifacts
Title QakBot reducing its on disk artifacts - Hornetsecurity
Detected Hints/Tags/Attributes 107/4/74
Attributes
Type | #Events | Value
Domain | 911 | any.run
Domain | 11 | www.hornetsecurity.com
Domain | 87 | app.any.run
Domain | 4128 | github.com
Domain | 48 | pefile.pe
Domain | 1 | entry.directory
File | 1 | 904400.jpg
File | 35 | ccsvchst.exe
File | 13 | avgcsrvx.exe
File | 9 | avgsvcx.exe
File | 10 | avgcsrva.exe
File | 198 | msmpeng.exe
File | 45 | mcshield.exe
File | 119 | avp.exe
File | 8 | kavtray.exe
File | 36 | egui.exe
File | 53 | ekrn.exe
File | 42 | bdagent.exe
File | 22 | vsserv.exe
File | 9 | vsservppl.exe
File | 41 | avastsvc.exe
File | 16 | coreserviceshell.exe
File | 29 | pccntmon.exe
File | 29 | ntrtscan.exe
File | 19 | savadminservice.exe
File | 25 | savservice.exe
File | 12 | fshoster32.exe
File | 20 | wrsa.exe
File | 12 | vkise.exe
File | 1 | iserv.exe
File | 23 | cmdagent.exe
File | 9 | bytefence.exe
File | 28 | mbamservice.exe
File | 11 | mbamgui.exe
File | 11 | fmon.exe
File | 18 | mobsync.exe
File | 1260 | explorer.exe
File | 3 | srvpost.exe
File | 10 | frida-winjector-helper-32.exe
File | 8 | frida-winjector-helper-64.exe
File | 1 | a3e64e55_pr.sys
File | 4 | c:\windows\syswow64\explorer.exe
File | 2126 | cmd.exe
File | 459 | regsvr32.exe
File | 1 | 26e0000.dll
Github username | 35 | hasherezade
md5 | 1 | 6bc0584f6cbb74714add1718b0322655
md5 | 1 | e23bc27212f61520cfb130185d74cfb1
sha1 | 1 | 632dcb214ee9fb08441c640d240f672a7aba6eb1
IPv4 | 1 | 6.8.0.123
MITRE ATT&CK Techniques | 310 | T1566.001
MITRE ATT&CK Techniques | 183 | T1566.002
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 365 | T1204.002
MITRE ATT&CK Techniques | 380 | T1547.001
MITRE ATT&CK Techniques | 275 | T1053.005
MITRE ATT&CK Techniques | 160 | T1027.002
MITRE ATT&CK Techniques | 440 | T1055
MITRE ATT&CK Techniques | 86 | T1055.012
MITRE ATT&CK Techniques | 247 | T1070
MITRE ATT&CK Techniques | 97 | T1497.001
MITRE ATT&CK Techniques | 289 | T1003
MITRE ATT&CK Techniques | 44 | T1110.001
MITRE ATT&CK Techniques | 125 | T1555.003
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 152 | T1090
MITRE ATT&CK Techniques | 36 | T1090.002
Url | 2 | https://www.hornetsecurity.com/en/security-information/email-conversation-thread-hijacking
Url | 2 | https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock
Url | 1 | https://www.hornetsecurity.com/en/threat-research/qakbot-distributed-by-xlsb-files
Url | 1 | https://app.any.run/tasks/2d4eb3c8-6670-4c25-a96b-0cd46c3b6d7c
Url | 2 | https://github.com/hasherezade/pe-sieve
Url | 2 | https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks
Windows Registry Key | 188 | HKCU\Software\Microsoft\Windows\CurrentVersion\Run