{
	"id": "9978edd0-11c8-4874-8182-1003fbdfc6c5",
	"created_at": "2026-04-06T00:06:16.744852Z",
	"updated_at": "2026-04-10T03:24:24.530921Z",
	"deleted_at": null,
	"sha1_hash": "189c94dee22eabd3305acd683e5fb1d2124c081e",
	"title": "Recent Qakbot (Qbot) activity - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5072341,
	"plain_text": "Recent Qakbot (Qbot) activity - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:35:16 UTC\r\nIntroduction\r\nToday's diary is a review of a Qakbot (Qbot) infection I generated on Tuesday 2020-12-08.\r\nQakbot generally includes follow-up malware like Cobalt Strike (such as this example), but my infection on\r\nTuesday 2020-12-08 was a basic Qakbot infection that didn't run long enough for follow-up malware or other\r\nactivity.\r\nOf note, in late-November 2020, Qakbot underwent a version update.  I've noticed this in my day-to-day research,\r\nbut nothing comprehensive has been published yet.  A few tweets about it:\r\nhttps://twitter.com/lazyactivist192/status/1332363179729575938\r\nhttps://twitter.com/_alex_il_/status/1333737189990158337\r\nhttps://twitter.com/0verfl0w_/status/1331598884431421441\r\nI'll review some of the changes I've noticed about the update in today's diary.\r\nShown above:  Chain of events for the Qakbot infection we're reviewing today.\r\nThe malspam\r\nMalspam examples I found from Tuesday 2020-12-08 were fake replies to legitimate email chains, although the\r\nexample shown below might be a Qakbot-generated reply for an unsolicited spam message.\r\nhttps://isc.sans.edu/diary/rss/26862\r\nPage 1 of 9\n\nShown above:  An example of Qakbot malspam from Tuesday 2020-12-08.\r\nThe attached ZIP archive has an Excel spreadsheet with macros designed to infect a vulnerable Windows host with\r\nQakbot malware.  Even with the version update, these spreadsheets distributing Qakbot have the same template\r\nwe've seen for the past several months.\r\nhttps://isc.sans.edu/diary/rss/26862\r\nPage 2 of 9\n\nShown above:  Excel spreadsheet extracted from the ZIP attachment.\r\nInfection activity\r\nTypical for Qakbot, we see an HTTP GET request for a URL ending in .jpg that returned a Windows binary (in\r\nthis case a DLL).  
This is often an HTTPS URL, in which case we would not see the Windows binary in a pcap. In recent months, I've seen as many HTTPS URLs for this as I have regular HTTP URLs.\r\nShown above: HTTP traffic that returned a Windows DLL file for Qakbot.\r\nFiltering the traffic in Wireshark, we find typical Qakbot post-infection activity. But approximately 3 hours after the initial infection, I also saw web traffic to wellsfargo[.]com, which was unusual--especially since no browser had opened on the desktop of the infected Windows host.\r\nShown above: Traffic from the infection filtered in Wireshark.\r\nThe user-agent string in HTTP traffic to wellsfargo[.]com indicated it may have been caused by Google Chrome. Keep in mind the user-agent string is often spoofed during malware infections. I also saw web traffic associated with the Firefox web browser. This traffic is likely related to one of the Qakbot modules; however, I could not find any modules saved to disk on my infected host.\r\nShown above: Filtering the traffic in Wireshark to show Firefox traffic, and other web traffic to wellsfargo[.]com from the infected host.\r\nShown above: Traffic to wellsfargo[.]com appears to be from Chrome, if the user-agent string is correct.\r\nQakbot malware version update\r\nSometime in late-November 2020, Qakbot malware was updated. I know of at least 3 related things that are noticeably different than before.\r\n1) The Qakbot binary retrieved by Microsoft Office macros changed from an EXE to a DLL.\r\nPrior to the update, the initial Qakbot binary was an EXE made persistent through a Windows registry update at HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nAfter the update, the initial Qakbot binary has been a DLL file, and there is no longer a Windows registry update at HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\n2) Qakbot now creates other Windows registry updates. These updates are located at HKCU\\SOFTWARE\\Microsoft under a key that consists of a unique alphabetical string for each infected host. The key consists of several entries containing encoded binary data, as shown in the example below.\r\nShown above: An example of a Windows registry update caused by the newest version of Qakbot.\r\n3) The directory for Qakbot artifacts under C:\\Users\\[username]\\AppData\\Roaming\\Microsoft now has fewer files. Before the version update, we saw a Windows EXE for Qakbot in this directory, and it was kept persistent in the Windows registry (see item 1 above). Now, the folder no longer has an EXE and some other files are missing. Compare the two images below.\r\nShown above: An example of artifacts caused by the old version of Qakbot.\r\nShown above: Artifacts stored in the same type of directory after the late-November 2020 version update of Qakbot.\r\nQakbot's version update has resulted in other changes to the malware's characteristics, and I'm certain someone will publish a more detailed write-up about it. These three changes are the ones I've noticed, but I focus mostly on dynamic analysis (not code analysis or reverse engineering).\r\n
Indicators of Compromise (IoC)\r\nThe following are IoCs from my Qakbot infection from Tuesday 2020-12-08.\r\nZIP archives from 4 malspam examples:\r\nExcel spreadsheets extracted from the above ZIP archives:\r\nHTTP traffic after enabling macros that returned a Qakbot DLL file:\r\n35.208.146[.]4 port 80 - supyouryoga[.]com - GET /svgqcnjto/590906.jpg\r\nQakbot post-infection traffic:\r\n62.38.114[.]12 port 2222 - HTTPS traffic caused by Qakbot\r\n197.45.110[.]165 port 995 - HTTPS traffic caused by Qakbot\r\nport 443 - www.openssl[.]org - connectivity check caused by Qakbot\r\n54.36.108[.]120 port 65400 - TCP traffic caused by Qakbot\r\nUnusual (to me) activity from the Qakbot-infected host:\r\nport 80 - wellsfargo[.]com - GET /\r\nvarious IP addresses over TCP port 443 - Wells Fargo-related domains - traffic caused by viewing wellsfargo[.]com\r\nFirefox-related HTTP and HTTPS web traffic\r\nMalware from an infected Windows host:\r\nSHA256 hash: 5060806228d3f2c1afd09566d0d2fa6b2e56f844cd044c4c4e6e7ade9fef3a22\r\nFile size: 350,928 bytes\r\nFile retrieved from: hxxp://supyouryoga[.]com/svgqcnjto/590906.jpg\r\nFile saved to victim as: C:\\Users\\[username]\\AppData\\Kipofe.mmaallaauu\r\nFile description: DLL file for Qakbot retrieved by macro from Document_1495694596-Copy.xls\r\nRun method: Rundll32.exe [filename],DllRegisterServer\r\n
Final words\r\nQakbot has been active for several years, and it continues to evolve. The latest version update has some significant changes, but infection traffic on vulnerable Windows hosts remains similar to what we've seen before with Qakbot.\r\nA pcap of the infection traffic reviewed in this diary and 4 examples of Qakbot malspam are available here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/26862",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/26862"
	],
	"report_names": [
		"26862"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/189c94dee22eabd3305acd683e5fb1d2124c081e.pdf",
		"text": "https://archive.orkl.eu/189c94dee22eabd3305acd683e5fb1d2124c081e.txt",
		"img": "https://archive.orkl.eu/189c94dee22eabd3305acd683e5fb1d2124c081e.jpg"
	}
}