Been on a few IR engagements that involved Qakbot. I've been using the 'Microsoft-Windows-VHDMP' ETW provider to hunt for Qakbot activity across a large number of systems. %LOCALAPPDATA%\Temp containing a ZIP starting with Temp1_* or some random .ISO file is a good indicator.
@DebugPrivilege
We added this artifact to @velocidex to pull from this log any image mounts from Users\**
Filter obvious legit images and stack for easy wins 🙂
Another good detection for QBot is xrw memory segments with the malpedia yara.
@DebugPrivilege
For those wanting to take a similar investigative approach, @keydet89's Event Ripper has a great plugin that suits this task:
@chrissanders88
Retrieve the VHDMP Event Log, and then deploy @keydet89's dedicated plugin from Event Ripper.
We use this IRL for Qakbot's latest iteration, which enjoys mounting ISOs.
The plugin gives us date and path, which usually informs username too.
@DebugPrivilege
Seeing lots of IMG too. Depending on your EDR, you may be able to hunt .lnk files and suspect extensions running from the root, or a direct child folder, of a drive other than "C:\".
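An added PowerShell example, not from the thread and not the Velociraptor artifact or Event Ripper plugin the replies mention, that does the two hunts described above by hand: stack image mounts from the VHDMP operational channel that originate under Users\, and test whether a path sits in the root (or a direct child folder) of a non-C: drive. Assumptions, marked in the code: the channel name 'Microsoft-Windows-VHDMP-Operational' is the log the first tweet refers to, the mount event's message text carries the image path, and the ignore list and suspect-extension set are my own starting points.

```powershell
# Added example (not the thread author's tooling). Assumptions are marked.

function Get-UserImageMounts {
    param(
        # Optional exported .evtx for offline triage; live channel when omitted
        [string]$EvtxPath,
        # Assumption: substrings of obviously legitimate image paths to drop. Tune per estate.
        [string[]]$IgnorePattern = @('\\Windows\\', '\\Hyper-V\\')
    )
    if ($EvtxPath) {
        $events = Get-WinEvent -Path $EvtxPath -ErrorAction SilentlyContinue
    } else {
        # Assumption: this is the on-disk channel behind the VHDMP ETW provider
        $events = Get-WinEvent -LogName 'Microsoft-Windows-VHDMP-Operational' -ErrorAction SilentlyContinue
    }
    # Assumption: the mount/surface event message contains the image path verbatim
    $pathRe = '(?<path>[a-z]:\\[^\r\n"]*?\.(iso|img|vhd|vhdx))'
    foreach ($e in $events) {
        if ($e.Message -match $pathRe) {
            $p = $Matches['path']
            if ($p -notmatch '\\Users\\') { continue }            # only mounts from Users\**
            if ($IgnorePattern | Where-Object { $p -match $_ }) { continue }
            $parts = $p -split '\\'
            $i = [array]::IndexOf(($parts | ForEach-Object { $_.ToLower() }), 'users')
            [pscustomobject]@{
                Time = $e.TimeCreated
                Id   = $e.Id
                Path = $p
                # The profile folder after Users\ usually gives the username
                User = if ($i -ge 0 -and ($i + 1) -lt $parts.Count) { $parts[$i + 1] } else { $null }
            }
        }
    }
}

# Second hunt: a .lnk or script/binary in the root, or one folder below the root,
# of any drive other than C: (where a mounted ISO/IMG shows up).
function Test-NonSystemDriveRootPath {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: extension list is mine; widen it to match what your EDR surfaces
    $suspect = 'lnk|js|jse|vbs|vbe|wsf|cmd|bat|dll|exe'
    $re = '^[abd-z]:\\(?:[^\\]+\\)?[^\\]+\.(' + $suspect + ')$'
    return [bool]($Path -match $re)
}

# Stack mounts by path: rare paths under AppData\Local\Temp rise to the top
Get-UserImageMounts | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name

# Quick checks for the path test (constructed sample paths)
Test-NonSystemDriveRootPath 'D:\document.lnk'        # True
Test-NonSystemDriveRootPath 'E:\folder\run.cmd'      # True
Test-NonSystemDriveRootPath 'C:\Temp\document.lnk'   # False (system drive)
Test-NonSystemDriveRootPath 'D:\a\b\c.exe'           # False (deeper than one folder)
```

Run `Get-UserImageMounts` on the live host or point `-EvtxPath` at a collected Microsoft-Windows-VHDMP-Operational .evtx; feed file or process paths from your EDR into `Test-NonSystemDriveRootPath` to pick out payloads launched from a mounted image. The regex for mount messages is deliberately loose because the exact event text is not reproduced in the thread; check one known-good event on your build and tighten it if it over-matches.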