Pulse name: QBot malware abuses Windows WordPad EXE to infect devices
WHITE dekaRituraj 2023-05-29 Modified: 2023-06-28
1160 IOCs (high volume)
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.

A DLL is a library file containing functions that can be used by more than one program at the same time. When an application is launched, it attempts to load any DLLs it requires by searching specific Windows folders and loading the first matching file it finds. However, Windows applications prioritize DLLs in the same folder as the executable, loading them before all others. A DLL with the expected name that sits in the executable's own folder is therefore loaded in place of the copy in the Windows system folders.
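A detection sketch for the load-order behaviour described above, added here as an example and not taken from the pulse or from any vendor tooling. It assumes image-load telemetry with Sysmon-style `Image` and `ImageLoaded` fields; the watchlist, the sample events and every file name in them are constructed placeholders.

```python
import ntpath

# Assumed normal install folders for WordPad on Windows 10 (lower-cased).
EXPECTED_DIRS = {
    "wordpad.exe": {
        r"c:\program files\windows nt\accessories",
        r"c:\program files (x86)\windows nt\accessories",
    },
}

def norm(path):
    """Normalise a Windows path (case, slashes, '..') on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))

def sideload_findings(events):
    """Return events where a watched executable runs outside its expected
    folder and loads a DLL from the folder it was started from."""
    findings = []
    for ev in events:
        image, loaded = norm(ev["Image"]), norm(ev["ImageLoaded"])
        exe_dir, exe_name = ntpath.split(image)
        expected = EXPECTED_DIRS.get(exe_name)
        if expected is None or exe_dir in expected:
            continue  # not a watched binary, or running from its normal home
        if loaded.endswith(".dll") and ntpath.dirname(loaded) == exe_dir:
            findings.append(ev)
    return findings

# Constructed sample events; folders and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "ImageLoaded": r"C:\Windows\System32\example.dll"},
    {"Image": r"C:\Users\Public\Docs\WordPad.exe",
     "ImageLoaded": r"C:\Users\Public\Docs\example.dll"},
    {"Image": r"C:\Users\Public\Docs\WordPad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Tools\notepad.exe",
     "ImageLoaded": r"C:\Tools\example.dll"},
]

if __name__ == "__main__":
    for hit in sideload_findings(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Only the second sample event is flagged: a copy of WordPad outside its install folder that loads a DLL from beside itself.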
Indicators of Compromise (1 / 1160 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | fce88b20bceebd0bfed68131820efab6 | MD5 of 56460c4133222841796c34b0d177a8c5e52b71de5e37d5b1cd098823bcbe9af0 | 2023-05-29