Qakbot Regsvr32 Calc Pattern

    Date: 08/20/2024

    Severity: Medium

    Summary

    "Qakbot Regsvr32 Calc Pattern" refers to a specific technique used by the Qakbot malware that leverages the Regsvr32 tool to execute malicious payloads. Qakbot, a sophisticated banking Trojan, uses Regsvr32, a legitimate Windows utility for registering and unregistering DLLs, to evade detection and carry out its malicious activities. The "Calc Pattern" likely refers to the way Qakbot invokes Regsvr32 to execute or obfuscate its payloads, often by running code or commands disguised as legitimate operations so that security controls are not triggered. Understanding this pattern helps in identifying and mitigating Qakbot infections more effectively.

    Indicators of Compromise (IOC) List

    Image: '\regsvr32.exe'

    CommandLine: ' -s', ' calc'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((Resourcename in ("Sysmon") AND eventtype = "1") AND image in ("\regsvr32.exe")) AND commandline in ("-s","calc"))

    Detection Query 2

    (((Technologygroup = "EDR" ) AND image in ("\regsvr32.exe")) AND commandline in ("-s","calc"))
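The two queries above express the same process-creation pattern in Gurucul's query language. As an added example (not part of the original article or of the Sigma rule it references), the following Python reproduces Detection Query 1 over a handful of constructed Sysmon Event ID 1 records, so the matching conditions can be checked against concrete command lines. The field names follow the Sysmon schema; the event values are made up. Matching is case-insensitive, as Sigma string matching is by default, and the example reads the query as requiring both command-line substrings from the IoC list (' -s' and ' calc') rather than either one; that reading is an assumption.

```python
# Constructed sample Sysmon Event ID 1 (process creation) records.
# Field names follow the Sysmon schema; the values are made up for this example.
SAMPLE_EVENTS = [
    # Matches: regsvr32 with silent flag and the 'calc' token from the IoC list
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe -s calc"},
    # No match: legitimate-looking silent registration of a vendor DLL
    # (uses '/s', so the ' -s' substring is absent, and no ' calc')
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    # No match: '-s' present but no ' calc' token
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe -s "C:\ProgramData\x.dll"'},
    # No match: wrong image
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe"},
    # No match: Event ID 3 (network connection), not process creation
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe -s calc"},
    # Matches: same pattern in mixed case, to show case-insensitive matching
    {"EventID": 1, "Image": r"C:\WINDOWS\SYSTEM32\REGSVR32.EXE",
     "CommandLine": "REGSVR32.EXE -S CALC"},
]

# Values taken from the page's IoC list; compared in lower case.
IMAGE_SUFFIX = "\\regsvr32.exe"
REQUIRED_SUBSTRINGS = (" -s", " calc")


def matches_qakbot_regsvr32_calc(event):
    """Return True when a Sysmon process-creation event matches the pattern.

    Mirrors Detection Query 1: Sysmon Event ID 1, an image ending in
    \\regsvr32.exe, and a command line containing every substring in
    REQUIRED_SUBSTRINGS. Requiring all substrings is this example's
    reading of the query's intent (assumption).
    """
    if event.get("EventID") != 1:
        return False
    image = str(event.get("Image", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    cmdline = str(event.get("CommandLine", "")).lower()
    return all(token in cmdline for token in REQUIRED_SUBSTRINGS)


def find_matches(events):
    """Return the subset of events that trigger the detection."""
    return [e for e in events if matches_qakbot_regsvr32_calc(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT Qakbot Regsvr32 Calc Pattern:", hit["CommandLine"])
```

Detection Query 2 drops the Sysmon source and event-type condition and relies on the EDR's own process telemetry; to mirror it, remove the `EventID` check and apply the same image and command-line tests to the EDR's process records.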

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml


    Tags: Sigma, Malware, Trojan
