{
	"id": "ca188728-fd63-49fe-bb02-6768f85a0dff",
	"created_at": "2026-04-06T00:09:35.681854Z",
	"updated_at": "2026-04-10T03:21:24.501838Z",
	"deleted_at": null,
	"sha1_hash": "65ea1dbfc489d3bb8ab89aaf0b6d652acefd1487",
	"title": "Qakbot analysis – Dangerous malware has been around for more than a decade - VinCSS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 308241,
	"plain_text": "Qakbot analysis – Dangerous malware has been around for more\r\nthan a decade - VinCSS Blog\r\nBy Yến Hứa\r\nPublished: 2021-03-17 · Archived: 2026-04-05 21:48:52 UTC\r\n1. Overview\r\nQakBot (also known as QBot, QuakBot, Pinkslipbot) is one of the famous Banking Trojan with the main task to\r\nsteal banking credentials, online banking session information, or any other banking data. Although detected by\r\nanti-virus software vendors since 2008, but util now it’s still operating and keep continuously maintained by the\r\ngangs behind it. Qakbot continuously evolves by applying advance or new techniques to evade detection and\r\navoid reverse analysis, making analysis more difficult. In recent reports, it could be used to drop other malware\r\nsuch as ProLock, Egregor ransomware.\r\nSource: CrowdStrike 2021 Global Threat Report\r\nQakbot can be distributed via Emotet, however Emotet has been taken down recently, currently this malware uses\r\nemail spam and phishing campaigns as main method. Unlike Emotet that uses MS-Word in conjunction with VBA\r\nto download malicious payload, Qakbot uses MS-Excel with the support of Excel 4.0 Macro (XLM macro) to\r\ndownload and execute malicious payload on the victim’s computer.\r\nIn this article, we will analyze how QakBot infects after launched by malicious Excel document, the techniques\r\nused to make the analysis difficult, and how to extract the C2 list. QakBot’s persistence can not be detected at\r\nruntime, the run key only created before system shutdown or enter suspended state, and deleted immediately after\r\nQakBot is executed again. 
Qakbot also applies encryption techniques to conceal information, as well as to encrypt the payload in memory.\r\nhttps://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/\r\nPage 1 of 43\n\nHashes used in this post:\r\nDocument template: a7ba7bd69d41f3be1e69740c33c4fbf8\r\nLoader DLL: c0675c5d2bc7ccf59e50977dd71f28ec\r\nUnpacked DLL (Main payload): 4279ff089ffdb4db21677b96a1364969\r\n2. Document template and XLM macro\r\nQakbot templates change constantly depending on the campaign; the attackers’ ultimate goal in using them is to trick victims into enabling macros and so start the infection. This type of maldoc usually has an “Auto_Open” cell, whose functionality is similar to the “Sub AutoOpen()” procedure in VBA: it automatically runs the macro when the victim presses the “Enable Content” button.\r\nAs already mentioned, these templates use Excel 4.0 macros (which predate VBA macros); they are composed of functions placed inside the cells of a macro sheet. The following tools can be used to analyze this form of macro:\r\noledump.py and plugin_biff.py\r\nXLMMacroDeobfuscator\r\nCerbero Suite\r\nMicrosoft Excel\r\n2.1. XLMMacroDeobfuscator\r\nThis tool extracts the cells’ contents, shows which macro sheet contains the Auto_Open cell, and uses an internal XLM emulator to interpret the macros without fully executing the code.\r\nHowever, because macros in maldocs usually implement obfuscation techniques, the tool’s emulation does not always work well:\r\n2.2. Cerbero Suite\r\nCerbero Suite is developed by Erik Pistelli. 
The latest version added support for the XLSB format, so it can now decompile both XLS and XLSB formulas and also preview spreadsheets the same way as opening them in Microsoft Excel. Furthermore, it provides the ability to emulate Microsoft Excel formulas. During discussions with the author, my friend and I commented on the product and provided samples to him to improve this functionality.\r\nLike XLMMacroDeobfuscator, when analyzing the maldoc this tool also shows that the starting point of execution (entry point) is the cell containing Auto_Open.\r\nWith the help of the emulation feature, we can spot that the maldoc registers the API URLDownloadToFileA and then uses this function to download payloads from multiple addresses:\r\nIf one of the above payloads is downloaded successfully, it is executed with rundll32.exe:\r\n2.3. Microsoft Excel\r\nThe tools mentioned above rely on xlrd2, pyxlsb2 and their own parsers to extract cells and other information from xls, xlsb and xlsm files. Therefore, when these tools do not give satisfactory results, using Microsoft Excel is still the best option.\r\nWhen analyzing with MS Excel, navigate to the cell containing Auto_Open, select the Macros feature and click Step Into to open the Single Step window:\r\nBy using Step Into or Evaluate to trace each cell in the same column and display the value of each formula, we get the following information:\r\nTo sum up, when the Qakbot maldoc executes its macro code, it downloads the payload to the victim’s computer and runs it using rundll32.exe.\r\n3. Loader payload\r\n3.1. Basic analysis\r\nAs analyzed above, the downloaded payload is a DLL. 
This DLL exports 4 functions, one of which, DllRegisterServer, is the function called by the rundll32 command:\r\nBased on the list of imported APIs, we can predict that it will use them to unpack another payload:\r\nThis DLL is digitally signed to avoid detection by anti-virus software and other detection systems:\r\n3.2. Technical analysis\r\nWhen executed, this DLL allocates memory, unpacks the main payload into the allocated region and executes it:\r\nDump the payload from memory to disk for later analysis. The dumped payload is also a DLL; it was built with Microsoft Visual C++, its original name is stager_1.dll and it exports only one function, DllRegisterServer:\r\nTo make sure the dumped payload is correct, check its resource section: it must contain resources named “308” and “311”.\r\n4. Some techniques used in the main payload\r\n4.1. Junk code\r\nA well-known technique used in many samples is junk code insertion. With this technique, the malware inserts lots of code that never gets executed, calls that never return, or conditional jumps whose conditions are never met. 
The main goal of this code is to make the code graph look more complicated than it actually is and to waste the reverse engineer’s time.\r\nIn Qakbot’s payload, the malware author inserts useless API calls alternating with the real instructions. Besides wasting the analyst’s time, this also produces misleading information when the sample runs in a sandbox or under tools that log Windows API calls.\r\n4.2. Use of non-standard calling conventions\r\nThe standard calling conventions commonly met when analyzing malware are cdecl, stdcall, thiscall and fastcall. However, to complicate analysis, Qakbot uses non-standard calling conventions that make it difficult to recognize the parameters passed to a function, and the Hex-Rays decompiler fails on them.\r\nFor example, the following function takes 3 parameters: the first and third are pushed onto the stack, and the second is passed in eax. Here Hex-Rays misses that parameter when decompiling the code:\r\nIDA supports user-defined calling conventions; read this article for details. In the above case, we can redefine the function prototype as follows: int __usercall sub_100184FE@\u003ceax\u003e(int arg1, int arg2@\u003ceax\u003e, int arg3). Result:\r\nAnother example: the function below takes one parameter, which is passed in the eax register. Because this is not recognized, Hex-Rays decompiles it with a missing parameter:\r\nTo help Hex-Rays decompile correctly, we can explicitly specify the locations of the arguments and the return value like this: int *__usercall sub_10017EC5@\u003ceax\u003e(unsigned int arg1@\u003ceax\u003e). And here is the result:\r\n4.3. 
Decrypt strings\r\nLike Emotet, all strings are encrypted; they are decrypted at runtime into memory only and destroyed right afterwards. Most of QakBot’s strings are encrypted and stored in one continuous blob. The decryption function accepts one argument, the index of the string, and XORs the data with a hardcoded byte array. During the analysis of this payload, we found two byte arrays containing the encrypted values of the original strings:\r\nEach of the above arrays has a corresponding byte array containing the XOR key values used to decode it into the real strings:\r\nAs mentioned, the decryption function accepts one argument, the index of the string. Inside, it calls the main routine to decrypt the string the malware needs to use:\r\nThe f_decrypt_string function in the figure does the following:\r\nBased on the index value passed to the function, computes the length of the string to be decrypted.\r\nAllocates memory to store the decrypted string.\r\nLoops over the bytes, XORing them with the bytes of the xor_bytes_arr array to retrieve the original string.\r\nUsing IDAPython, we can reimplement this decryption code to decrypt the strings and add them as comments:\r\nThe results before and after running the script make the analysis easier:\r\nDo the same with the other decryption functions. However, the strings shown in the above picture are only the results obtained by decrypting the indexes that are hardcoded in Qakbot’s code. The remaining string indexes are calculated dynamically at runtime. 
For example, the following code snippet:\r\nTherefore, to get all the decrypted strings along with their associated indexes, use the following code:\r\nPlease see Appendix 1 – Complete list of decrypted strings below.\r\n4.4. Dynamic API resolution\r\nFrom the decrypted strings, we get the list of the main DLLs that Qakbot uses to obtain the API functions it needs:\r\nThe payload finds the address of each API function by looking up a pre-computed hash of the API function name. For each of the above DLLs there is an array that stores the pre-computed hashes. Below is an illustration of the array that stores the pre-computed hashes of API functions belonging to kernel32.dll. (This array is later overwritten with the real addresses of the corresponding APIs):\r\nFor calculating the hashes, the payload uses an additional table at address 0x1002B6F8 (g_xor_key_tbl) containing the values used for XOR. The lookup algorithm used by Qakbot is as follows:\r\nRewriting the hash function and combining it with IDAPython, we can retrieve the list of APIs and generate a corresponding enum for the calculated hashes:\r\nAnd here is the result:\r\nFrom this result, we create a corresponding struct and apply it in the relevant code, which recovers the calls to the API functions. That is much easier to work with:\r\n4.5. Check protection solutions on the victim machine\r\nQakbot creates a list of processes related to endpoint protection solutions, with the fields group_id and group_index. 
Use a loop to decrypt the corresponding strings and get the list of process names:\r\ngroup_id group_index process name\r\n0x1 0x660 ccSvcHst.exe\r\n0x2 0x8C6 avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe\r\n0x4 0x2E7 MsMpEng.exe\r\n0x8 0x1A6 mcshield.exe\r\n0x10 0x6AD avp.exe;kavtray.exe\r\n0x20 0x398 egui.exe;ekrn.exe\r\n0x40 0x141 bdagent.exe;vsserv.exe;vsservppl.exe\r\n0x80 0x912 AvastSvc.exe\r\n0x100 0x1B3 coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe\r\n0x200 0x90 SAVAdminService.exe;SavService.exe\r\n0x400 0x523 fshoster32.exe\r\n0x800 0x77C WRSA.exe\r\n0x1000 0x8F0 vkise.exe;isesrv.exe;cmdagent.exe\r\n0x2000 0x7F9 ByteFence.exe\r\n0x4000 0x726 MBAMService.exe;mbamgui.exe\r\n0x8000 0xAFA fmon.exe\r\nAfter that, the payload uses the functions CreateToolhelp32Snapshot, Process32First and Process32Next to enumerate all processes running on the victim machine and checks whether each process name is in the above list. If it is:\r\nIf the processes belong to the same list, it returns the corresponding group_id. For example, if avp.exe;kavtray.exe is found, it returns 0x10.\r\nIf the processes belong to different lists, the result is the OR of the corresponding group_ids. For example, if both avp.exe;kavtray.exe and AvastSvc.exe are found, the result is 0x10 | 0x80 = 0x90.\r\nThis result affects the flow of process injection. For example, if the victim machine uses Kaspersky protection (the avp.exe process is present), Qakbot injects code into mobsync.exe instead of explorer.exe.\r\n4.6. Anti-sandbox\r\n4.6.1. Checking file name\r\nThe payload checks whether its file name is in a blacklist consisting of: artifact.exe;mlwr_smpl;sample;sandbox;cuckoo-;virus. Some sandboxes may change the sample file name.\r\n4.6.2. 
Checking processes\r\nThe payload checks whether the running processes are in a blacklist consisting of: srvpost.exe;frida-winjector-helper-32.exe;frida-winjector-helper-64.exe.\r\n4.6.3. Checking devices\r\nThe payload uses the API functions SetupDiGetClassDevsA, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryPropertyA from setupapi.dll to get information about the devices on the system, and then checks them against a blacklist consisting of: A3E64E55_pr;VboxVideo;Red Hat VirtIO;QEMU.\r\n4.6.4. Checking hostname and account\r\nThe payload checks whether the hostname and the logon account are in the blacklist: VIRTUAL-PC and Virtual.\r\nIf it detects any of those, the execution flow runs into an infinite loop:\r\n4.7. Configuration info and list of C2s (IP \u0026 Port)\r\nAs mentioned above, a correctly dumped payload has resources named “308” and “311”. Based on the decrypted strings, we can find the code related to these strings:\r\n4.7.1. 
Decrypt configuration info\r\nQakbot’s configuration is stored in resource 308. The code related to this resource does the following:\r\nCalls the decryption function with index value 0x3F5 to retrieve the string “308”.\r\nUses the kernel32 API functions FindResourceA, SizeofResource and LoadResource to load the data stored in this resource into allocated memory.\r\nCalls the function to decrypt the data.\r\nThe payload re-checks the size of the resource and calls the f_decrypt_res_data_by_using_RC4 function to decrypt it:\r\nAccording to the pseudocode, the whole decryption process is as follows:\r\nThe first 20 bytes of the data are the RC4 key, and the rest is the actual encrypted data that needs to be decrypted.\r\nThe RC4 algorithm with the obtained key is used to decrypt the data. The decrypted data consists of:\r\nThe first 20 bytes of the decrypted data, which contain the SHA1 hash calculated over the rest of the decrypted data.\r\nThe actual configuration data, which is the remainder after removing the 20 bytes of SHA1.\r\nThe SHA1 hash is used to verify that decryption was correct.\r\nThe entire process above is illustrated in the picture below:\r\nThe contents of the decrypted resource “308” are:\r\n10=biden02 –\u003e CampaignID\r\n3=1614154620   –\u003e Unix Timestamp (Wed 24 February 2021 08:17:00 UTC)\r\n4.7.2. C2s list (IP \u0026 Port)\r\nUsing the same method, we can decrypt the other resource, “311”:\r\nWe obtain a list of IP addresses and ports separated by the value 01:\r\nPlease see Appendix 2 – C2s list below for the complete list.\r\n4.8. 
Process Injection\r\nQakbot selects the process to inject its unpacked code into based on the operating system environment and the group_id information related to the protection solutions mentioned above.\r\nNext:\r\nIt uses CreateProcessW to start a new suspended process. For simplicity we will only follow the explorer.exe process injection path.\r\nIt creates a new memory region in the explorer.exe process with RWX protection using the NtCreateSection and NtMapViewOfSection APIs.\r\nIt copies the entire Qakbot payload to the memory created above.\r\nIt uses the GetThreadContext, NtProtectVirtualMemory and NtWriteVirtualMemory functions to overwrite explorer.exe’s entry point with a jump instruction to the function address of the Qakbot payload:\r\nFinally, it resumes execution with ResumeThread. At this point, explorer.exe executes from its entry point and takes the jump to the function address of the Qakbot payload:\r\n4.9. Overwrite the payload on disk and encrypt the payload in memory\r\nTo make incident response harder, Qakbot overwrites the payload file on disk with null bytes (keeping only the DOS_HEADER, NT_HEADERS and SECTION_HEADER) and at the same time encrypts all the payloads it keeps in memory for its persistence technique. This ensures that all of Qakbot’s main code is executed only from the injected process, explorer.exe or mobsync.exe.\r\n4.10. Persistence operation\r\n4.10.1. Run key persistence\r\nPersistence is created after the process injection step. 
At this point, Qakbot creates a thread that performs the following tasks:\r\nCalls RegisterClassExA to create a window with a random class name.\r\nSets up a callback function f_process_wnd_message for processing window messages.\r\nWindow messages are processed in f_process_wnd_message as follows:\r\nWhen it receives the system shutdown message (WM_QUERYENDSESSION), or a power-management broadcast message (WM_POWERBROADCAST) with the event notifying that the computer is entering the suspended state (PBT_APMSUSPEND), it calls f_install_persistence().\r\nWhen it receives a power-management broadcast message (WM_POWERBROADCAST) with an event notifying that the computer is resuming (PBT_APMRESUMESUSPEND || PBT_APMRESUMEAUTOMATIC), it calls f_uninstall_prev_persistence().\r\nf_install_persistence() performs the following tasks:\r\nDecrypts the previously encrypted payload using RC4 into memory.\r\nSets up the command for executing the payload: regsvr32.exe -s \u003cQakbot_module_path\u003e.\r\nCreates a registry value with a random alphabetic name under the registry key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to save the above command.\r\nf_uninstall_prev_persistence() performs the opposite tasks:\r\nDeletes the previously created persistence key.\r\nDeletes the payload on disk.\r\nIn this way, QakBot’s persistence cannot be detected at runtime.\r\n4.10.2. Fake scheduled task persistence\r\nIn addition to creating the Run key persistence described above, Qakbot also creates a fake persistence mechanism, a scheduled task, to deceive analysts. 
The task is created with a random name through the following command:\r\n“%s\\system32\\schtasks.exe” /Create /RU “NT AUTHORITY\\SYSTEM” /tn %s /tr “%s” /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u\r\nFor example: “C:\\Windows\\system32\\schtasks.exe” /Create /RU “NT AUTHORITY\\SYSTEM” /tn gyfzcixqb /tr “regsvr32.exe -s “C:\\Users\\REM\\Desktop\\Qakbot_DLL_unpacked.bin”” /SC ONCE /Z /ST 12:39 /ET 12:51\r\nHowever, by this time the payload on disk has already been erased; only the DOS_HEADER, NT_HEADERS and SECTION_HEADER information remains.\r\n4.11. C2 Communication\r\nTo make things difficult for analysts as well as protection systems, Qakbot encrypts its POST request before communicating with the C2 server. A Qakbot POST request usually looks like this:\r\nBefore encryption, the POST request looks like this:\r\nThis POST request is encrypted and then sent to the C2 server:\r\nIn the above pseudocode:\r\nf_encrypt_POST_request_by_RC4 performs the following:\r\nCreates a 16-byte rc4_key.\r\nConcatenates this rc4_key with the decrypted string “jHxastDcds)oMc=jvh7wdUhxcsdt2”, then hashes the result with SHA1.\r\nUses the calculated hash as the RC4 key for encrypting the POST request.\r\nThe result is a memory area consisting of the first 16 bytes (the rc4_key) followed by the encrypted POST request.\r\nf_base64_transform encodes the entire memory area containing the rc4_key and the encrypted POST request in base64.\r\nFinally, it calls f_send_POST_request_to_C2 to send this POST request to the C2.\r\nBased on the entire process above, here is an implementation of the decryption algorithm:\r\n5. 
Conclusion\r\nAfter more than a decade, Qakbot still exists and keeps evolving, and it remains a permanent threat to large organizations today. The use of XLSB documents leads to lower detection rates by security solutions, which are mostly focused on the more common modern VBA macro malware. In addition, QakBot’s payload employs a robust set of anti-analysis features and advanced techniques to evade detection and frustrate analysis. The gangs behind Qakbot are also actively adding more sophisticated techniques for further development and feature expansion. So far, the identities of the people behind Qbot are unknown. Hopefully, in the near future, Qakbot will be taken down like Emotet was.\r\n6. References\r\nhttps://www.malware-traffic-analysis.net/2021/02/24/index.html\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\r\nhttps://any.run/malware-trends/qbot\r\nhttps://isc.sans.edu/forums/diary/Emotet+Qakbot+more+Emotet/26750\r\nDemystifying QBot Banking Trojan – Nick Summerlin and Jorge Rodriguez\r\nDeep Analysis of QBot Banking Trojan\r\n7. 
Appendix 1 – Complete list of decrypted strings\r\nindex boundary: 0xB10\r\nindex: 0x0, decrypted string: tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe\r\nindex: 0x6d, decrypted string: %SystemRoot%SysWOW64explorer.exe\r\nindex: 0x90, decrypted string: SAVAdminService.exe;SavService.exe\r\nindex: 0xb3, decrypted string: user32.dll\r\nindex: 0xbe, decrypted string: mpr.dll\r\nindex: 0xc6, decrypted string: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0\r\nindex: 0x108, decrypted string: advapi32.dll\r\nindex: 0x115, decrypted string: %SystemRoot%System32mobsync.exe\r\nindex: 0x137, decrypted string: ntdll.dll\r\nindex: 0x141, decrypted string: bdagent.exe;vsserv.exe;vsservppl.exe\r\nindex: 0x166, decrypted string: Initializing database…\r\nindex: 0x17f, decrypted string: %SystemRoot%SysWOW64mobsync.exe\r\nindex: 0x1a1, decrypted string: .cfg\r\nindex: 0x1a6, decrypted string: mcshield.exe\r\nindex: 0x1b3, decrypted string: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe\r\nindex: 0x1e2, decrypted string: shell32.dll\r\nindex: 0x1ee, decrypted string: image/jpeg\r\nindex: 0x1f9, decrypted string: image/gif\r\nindex: 0x203, decrypted string: C:INTERNAL__empty\r\nindex: 0x217, decrypted string: %SystemRoot%SysWOW64xwizard.exe\r\nindex: 0x239, decrypted string: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]\r\nindex: 0x261, decrypted string: abcdefghijklmnopqrstuvwxyz\r\nindex: 0x27c, decrypted string: SOFTWAREWow6432NodeMicrosoft AntiMalwareSpyNet\r\nindex: 0x2ae, decrypted string: sf2.dll\r\nindex: 0x2b7, decrypted string: Content-Type: application/x-www-form-urlencoded\r\nindex: 0x2e7, decrypted string: MsMpEng.exe\r\nindex: 0x2f3, decrypted string: %SystemRoot%SysWOW64explorer.exe\r\nindex: 0x316, decrypted string: image/pjpeg\r\nindex: 0x322, decrypted string: 
SOFTWAREMicrosoftWindows DefenderExclusionsPaths\r\nindex: 0x357, decrypted string: %SystemRoot%System32xwizard.exe\r\nindex: 0x379, decrypted string: SoftwareMicrosoft\r\nindex: 0x38c, decrypted string: cscript.exe\r\nindex: 0x398, decrypted string: egui.exe;ekrn.exe\r\nindex: 0x3aa, decrypted string: SOFTWAREWow6432NodeMicrosoftWindows DefenderSpynet\r\nindex: 0x3e1, decrypted string: WScript.Sleep %u\r\nSet objWMIService = GetObject(“winmgmts:” \u0026 “{impersonationLevel=impersonate}!\\.%cootcimv2”)\r\nSet objProcess = GetObject(“winmgmts:rootcimv2:Win32_Process”)\r\nerrReturn = objProcess.Create(“%s”, null, nul, nul)\r\nWSCript.Sleep 2000\r\nSet fso = CreateObject(“Scripting.FileSystemObject”)\r\nfso.DeleteFile(“%s”)\r\nindex: 0x523, decrypted string: fshoster32.exe\r\nindex: 0x532, decrypted string: ALLUSERSPROFILE\r\nindex: 0x542, decrypted string: kernel32.dll\r\nindex: 0x54f, decrypted string: application/x-shockwave-flash\r\nindex: 0x56d, decrypted string: Set objWMIService = GetObject(“winmgmts:” \u0026 “{impersonationLevel=impersonate}!\\.%cootcimv2”)\r\nSet objProcess = GetObject(“winmgmts:rootcimv2:Win32_Process”)\r\nerrReturn = objProcess.Create(“%s”, null, nul, nul)\r\nindex: 0x641, decrypted string: %SystemRoot%explorer.exe\r\nindex: 0x65b, decrypted string: c:\\\r\nindex: 0x660, decrypted string: ccSvcHst.exe\r\nindex: 0x66d, decrypted string: %ProgramFiles(x86)%Internet Exploreriexplore.exe\r\nindex: 0x6a0, decrypted string: netapi32.dll\r\nindex: 0x6ad, decrypted string: avp.exe;kavtray.exe\r\nindex: 0x6c1, decrypted string: crypt32.dll\r\nindex: 0x6cd, decrypted string: shlwapi.dll\r\nindex: 0x6d9, decrypted string: snxhk_border_mywnd\r\nindex: 0x6ec, decrypted string: SOFTWAREMicrosoftMicrosoft 
AntiMalwareSpyNet\r\nindex: 0x71c, decrypted string: wpcap.dll\r\nindex: 0x726, decrypted string: MBAMService.exe;mbamgui.exe\r\nindex: 0x742, decrypted string: \\.pipe\r\nindex: 0x74c, decrypted string: .dll\r\nindex: 0x751, decrypted string: SOFTWAREMicrosoftWindows DefenderSpyNet\r\nindex: 0x77c, decrypted string: WRSA.exe\r\nindex: 0x785, decrypted string: reg.exe ADD “HKLM%s” /f /t %s /v “%s” /d “%s”\r\nindex: 0x7b4, decrypted string: 1234567890\r\nindex: 0x7bf, decrypted string: wmic process call create ‘expand “%S” “%S”‘\r\nindex: 0x7ec, decrypted string: wtsapi32.dll\r\nindex: 0x7f9, decrypted string: ByteFence.exe\r\nindex: 0x807, decrypted string: SubmitSamplesConsent\r\nindex: 0x81c, decrypted string: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}\r\nindex: 0x863, decrypted string: NTUSER.DAT\r\nindex: 0x86e, decrypted string: .dat\r\nindex: 0x873, decrypted string: cmd.exe\r\nindex: 0x87b, decrypted string: .exe\r\nindex: 0x880, decrypted string: %ssystem32\r\nindex: 0x88d, decrypted string: ws2_32.dll\r\nindex: 0x898, decrypted string: %ProgramFiles%Internet Exploreriexplore.exe\r\nindex: 0x8c6, decrypted string: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe\r\nindex: 0x8ec, decrypted string: */*\r\nindex: 0x8f0, decrypted string: vkise.exe;isesrv.exe;cmdagent.exe\r\nindex: 0x912, decrypted string: AvastSvc.exe\r\nindex: 0x91f, decrypted string: c:hiberfil.sysss\r\nindex: 0x931, decrypted string: wininet.dll\r\nindex: 0x93d, decrypted string: %SystemRoot%explorer.exe\r\nindex: 0x957, decrypted string: Set objWMIService = GetObject(“winmgmts:” \u0026 “{impersonationLevel=impersonate}!\\.%cootcimv2”)\r\nSet colFiles = objWMIService.ExecQuery(“Select * From CIM_DataFile Where Name = 
‘%s'”)\r\nFor Each objFile in colFiles\r\nobjFile.Copy(“%s”)\r\nNext\r\nindex: 0xa43, decrypted string: aabcdeefghiijklmnoopqrstuuvwxyyz\r\nindex: 0xa64, decrypted string: urlmon.dll\r\nindex: 0xa6f, decrypted string: SpyNetReporting\r\nindex: 0xa7f, decrypted string: setupapi.dll\r\nindex: 0xa8c, decrypted string: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz\r\nindex: 0xab3, decrypted string: SOFTWAREMicrosoftMicrosoft AntimalwareExclusionsPaths\r\nindex: 0xaed, decrypted string: aswhookx.dll\r\nindex: 0xafa, decrypted string: fmon.exe\r\nindex: 0xb03, decrypted string: aswhooka.dll\r\nindex boundary: 0x435\r\nindex: 0x0, decrypted string: System32WindowsPowerShellv1.0powershell.exe\r\nindex: 0x30, decrypted string: srvpost.exe;frida-winjector-helper-32.exe;frida-winjector-helper-64.exe\r\nindex: 0x78, decrypted string: powershell.exe\r\nindex: 0x87, decrypted string: /t4\r\nindex: 0x8b, decrypted string: %s “$%s = \\”%s\\\\; \u0026 $%s”\r\nindex: 0xaa, decrypted string: SOFTWAREMicrosoftWindowsCurrentVersionRun\r\nindex: 0xd8, decrypted string: A3E64E55_pr;VBoxVideo\r\nindex: 0xee, decrypted string: .lnk\r\nindex: 0xf3, decrypted string: at.exe %u:%u “%s” /I\r\nindex: 0x108, decrypted string: Red Hat VirtIO;QEMU\r\nindex: 0x11c, decrypted string: net view /all\r\nindex: 0x12a, decrypted string: nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.%s\r\nindex: 0x166, decrypted string: ipconfig /all\r\nindex: 0x174, decrypted string: SOFTWAREMicrosoftWindows NTCurrentVersionProfileList\r\nindex: 0x1ad, decrypted string: regsvr32.exe -s\r\nindex: 0x1be, decrypted string: %s “$%s = “%s”; \u0026 $%s”\r\nindex: 0x1d7, decrypted string: Microsoft\r\nindex: 0x1e1, decrypted string: Self test FAILED!!!\r\nindex: 0x1f5, decrypted string: 311\r\nindex: 0x1f9, decrypted string: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: 
%d\r\ncreateprocess: %d\r\nindex: 0x252, decrypted string: whoami /all\r\nindex: 0x25e, decrypted string: cmd /c set\r\nindex: 0x269, decrypted string: qwinsta\r\nindex: 0x271, decrypted string: arp -a\r\nindex: 0x278, decrypted string: nltest /domain_trusts /all_trusts\r\nindex: 0x29a, decrypted string: route print\r\nindex: 0x2a6, decrypted string: “%ssystem32schtasks.exe” /Create /RU “NT AUTHORITYSYSTEM” /tn %s\r\n/tr “%s” /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u\r\nindex: 0x31b, decrypted string: VIRTUAL-PC\r\nindex: 0x326, decrypted string:  /c ping.exe -n 6 127.0.0.1 \u0026  type “%sSystem32calc.exe” \u003e “%s”\r\nindex: 0x368, decrypted string: error res=’%s’ err=%d len=%u\r\nindex: 0x385, decrypted string: net share\r\nindex: 0x38f, decrypted string: Virtual\r\nindex: 0x397, decrypted string: net localgroup\r\nindex: 0x3a6, decrypted string: artifact.exe;mlwr_smpl;sample;sandbox;cuckoo-;virus\r\nindex: 0x3da, decrypted string: Self test OK.\r\nindex: 0x3e8, decrypted string: netstat -nao\r\nindex: 0x3f5, decrypted string: 308\r\nindex: 0x3f9, decrypted string: ProfileImagePath\r\nindex: 0x40a, decrypted string: amstream.dll\r\nindex: 0x417, decrypted string: jHxastDcds)oMc=jvh7wdUhxcsdt2\r\n8. 
Appendix 2 – C2s list\r\nQakBot C2 List\r\nTran Trung Kien (aka m4n0w4r)\r\nMalware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/"
	],
	"report_names": [
		"re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade"
	],
	"threat_actors": [],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65ea1dbfc489d3bb8ab89aaf0b6d652acefd1487.pdf",
		"text": "https://archive.orkl.eu/65ea1dbfc489d3bb8ab89aaf0b6d652acefd1487.txt",
		"img": "https://archive.orkl.eu/65ea1dbfc489d3bb8ab89aaf0b6d652acefd1487.jpg"
	}
}