BOLO for increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware. If you see Qbot & recon/Cobalt Strike activity, move fast because a ransomware payload may be imminent. Behavioral analytics & detection opportunities in this thread. #RCintel #qakbot
Qbot executes as a DLL using regsvr32.exe and (as of today) rundll32.exe as a child of excel.exe. You can detect Qbot’s use of rundll32 from today by looking for rundll32.exe loading a DLL with the command line including DllRegisterServer.
We saw Qbot use regsvr32.exe yesterday. You can detect this behavior by looking for regsvr32 launched as a child process of excel.exe. Additionally, the strings “C:\\Flopers” & “Bilore.dll” appear to be fairly unique.
We’ve seen Qbot leveraging esentutl.exe to interact with the Windows web cache directory. Such activity is highly suspicious. You can detect it by looking for a process that is esentutl.exe executing in conjunction with a command line containing the term “WebCache”.
Qbot also injects malicious code into the Windows Error Reporting (werfault.exe) executable to evade detection. You can detect this activity by alerting on the execution of werfault.exe without a corresponding command line.
You can follow @redcanary.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.