Max_Malyutin
Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
Nov 16, 2022 (4 tweets)
#Qakbot Infection New TTPs 🚨

[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001)🔥
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)

#Qakbot C2 server:
IP: 92.27.86[.]48
Port: 2222

Additional C2 IP:
23.111.114[.]52
Nov 15, 2022 (4 tweets)
#Qakbot New TTPs IMG File Infection

[+] IMG File instead of ISO 🔥
[+] VBS Script (ShellExecute) instead of LNK 🔥
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection

#DFIR exec flow: img > vbs > tmp > injection

Thank you @pr0xylife for sharing the sample:

bazaar.abuse.ch/sample/ac7c130…
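The two threads above list the stages of the chain (ISO/IMG > LNK or VBS > regsvr32 loading a DLL or .tmp > injection > C2 on 2222) but not how a blue team would spot them. What follows is an added example, not code from the tweets or from @Max_Malyutin: a toy Python detector that walks constructed Sysmon-style events and flags each stage, using the two C2 IPs and the port quoted in the threads as IOCs. Everything in the sample telemetry is an assumption: the field layout (modelled on Sysmon event IDs 1, 3, 7 and 8), the mounted drive letter E:, the file names, and the injection target process. The "non-system drive letter means a mounted image" check is a heuristic, not a guarantee.

```python
"""Toy detector for the ISO/IMG -> VBS -> regsvr32 -> injection -> C2 chain.
Added example; sample events are constructed, not real telemetry."""
import re

SYSTEM_DRIVE = "C:"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
C2_IPS = {"92.27.86.48", "23.111.114.52"}   # IOCs quoted in the threads
C2_PORT = 2222                              # port quoted for the first C2

# Constructed sample telemetry (assumption: Sysmon-like fields; drive E:,
# file names and the injection target name are made up for the example).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 5012, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r'wscript.exe "E:\invoice.vbs"'},
    {"id": 1, "pid": 5188, "ppid": 5012, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": r"regsvr32.exe E:\data\file.tmp"},
    {"id": 7, "pid": 5188, "image": r"C:\Windows\System32\regsvr32.exe", "loaded": r"E:\data\file.tmp"},
    {"id": 8, "pid": 5188, "image": r"C:\Windows\System32\regsvr32.exe",
     "target_pid": 5300, "target_image": r"C:\Windows\System32\wermgr.exe"},
    {"id": 3, "pid": 5300, "image": r"C:\Windows\System32\wermgr.exe", "dst_ip": "92.27.86.48", "dst_port": 2222},
    # ISO variant: an executable run from the mounted image side-loads a DLL next to it
    {"id": 7, "pid": 5400, "image": r"E:\docs\viewer.exe", "loaded": r"E:\docs\helper.dll"},
    # Benign noise that must not fire
    {"id": 1, "pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"id": 3, "pid": 6100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')   # drive-letter paths inside a command line


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def folder(path):
    return path.rsplit("\\", 1)[0].lower()


def on_mounted_drive(path):
    """Heuristic (assumption): a mounted ISO/IMG shows up as a non-system drive letter."""
    return path[:2].upper() != SYSTEM_DRIVE


def detect(events):
    """Return (pid, description) findings; PIDs tied to the chain are tracked so
    the later injection and C2 events are attributed to it."""
    findings = []
    tainted = set()
    for e in events:
        if e["id"] == 1:                                   # process creation
            img, parent = base(e["image"]), base(e["parent"])
            paths = PATH_RE.findall(e["cmd"])
            if img in SCRIPT_HOSTS and any(on_mounted_drive(p) and p.lower().endswith((".vbs", ".js")) for p in paths):
                findings.append((e["pid"], "script host launched from mounted image (T1204.002)"))
                tainted.add(e["pid"])
            if img == "regsvr32.exe" and (parent in SCRIPT_HOSTS or
                                          any(on_mounted_drive(p) or p.lower().endswith(".tmp") for p in paths)):
                findings.append((e["pid"], "regsvr32 loading payload from mounted image or .tmp (T1218.010)"))
                tainted.add(e["pid"])
            if e["ppid"] in tainted:                       # children of the chain inherit taint
                tainted.add(e["pid"])
        elif e["id"] == 7:                                 # image load
            if on_mounted_drive(e["image"]) and folder(e["loaded"]) == folder(e["image"]):
                findings.append((e["pid"], "binary on mounted image loads a DLL from its own directory (T1574.001)"))
                tainted.add(e["pid"])
            elif on_mounted_drive(e["loaded"]):
                findings.append((e["pid"], f"{base(e['image'])} loads {base(e['loaded'])} from mounted image"))
                tainted.add(e["pid"])
        elif e["id"] == 8 and e["pid"] in tainted:         # remote thread from a chain process
            findings.append((e["pid"], f"remote thread into pid {e['target_pid']} ({base(e['target_image'])}) (T1055.012)"))
            tainted.add(e["target_pid"])                   # follow the injected process
        elif e["id"] == 3:                                 # network connection
            if e["dst_ip"] in C2_IPS or (e["pid"] in tainted and e["dst_port"] == C2_PORT):
                findings.append((e["pid"], f"C2 connection to {e['dst_ip']}:{e['dst_port']}"))
    return findings


if __name__ == "__main__":
    for pid, msg in detect(SAMPLE_EVENTS):
        print(pid, msg)
```

The benign regsvr32 call from explorer.exe against a DLL under Program Files and the browser's HTTPS connection produce no findings; the injected process is picked up only because the CreateRemoteThread event from regsvr32 carried the taint forward, which is the part a signature on regsvr32 alone would miss.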