{
	"id": "e97e0992-4cf2-45c7-872e-273158bfa6f7",
	"created_at": "2026-04-06T00:18:02.35697Z",
	"updated_at": "2026-04-10T03:21:11.641189Z",
	"deleted_at": null,
	"sha1_hash": "7b12cdb2922922d98a1327d2c9859d8123e091c5",
	"title": "QakBot technical analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1477476,
	"plain_text": "QakBot technical analysis\r\nBy Anton Kuzmenko\r\nPublished: 2021-09-02 · Archived: 2026-04-05 14:42:41 UTC\r\nMain description\r\nQakBot, also known as QBot, QuackBot and Pinkslipbot, is a banking Trojan that has existed for over a decade. It\r\nwas found in the wild in 2007 and since then it has been continually maintained and developed.\r\nIn recent years, QakBot has become one of the leading banking Trojans around the globe. Its main purpose is to\r\nsteal banking credentials (e.g., logins, passwords, etc.), though it has also acquired functionality allowing it to spy\r\non financial operations, spread itself, and install ransomware in order to maximize revenue from compromised\r\norganizations.\r\nTo this day, QakBot continues to grow in terms of functionality, with even more capabilities and new techniques\r\nsuch as logging keystrokes, a backdoor functionality, and techniques to evade detection. It’s worth mentioning that\r\nthe latter includes virtual environment detection, regular self-updates and cryptor/packer changes. In addition,\r\nQakBot tries to protect itself from being analyzed and debugged by experts and automated tools.\r\nAnother interesting piece of functionality is the ability to steal emails. These are later used by the attackers to send\r\ntargeted emails to the victims, with the obtained information being used to lure victims into opening those emails.\r\nQakBot infection chain\r\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails were delivered with\r\nMicrosoft Office documents (Word, Excel) or password-protected archives with the documents attached. The\r\ndocuments contained macros and victims were prompted to open the attachments with claims that they contained\r\nimportant information (e.g., an invoice). 
In some cases, the emails contained links to web pages distributing\r\nmalicious documents.\r\nHowever, there is another infection vector that involves a malicious QakBot payload being transferred to the\r\nvictim’s machine via other malware on the compromised machine.\r\nThe initial infection vectors may vary depending on what the threat actors believe has the best chance of success\r\nfor the targeted organization(s). It’s known that various threat actors perform reconnaissance (OSINT) of target\r\norganizations beforehand to decide which infection vector is most suitable.\r\nhttps://securelist.com/qakbot-technical-analysis/103931/\r\nPage 1 of 15\n\nQakBot infection chain\r\nThe infection chain of recent QakBot releases (2020-2021 variants) is as follows:\r\nThe user receives a phishing email with a ZIP attachment containing an Office document with embedded\r\nmacros, the document itself or a link to download a malicious document.\r\nThe user opens the malicious attachment/link and is tricked into clicking “Enable content”.\r\nA malicious macro is executed. Some variants perform a ‘GET’ request to a URL requesting a ‘PNG’.\r\nHowever, the file is in fact a binary.\r\nThe loaded payload (stager) includes another binary containing encrypted resource modules. One of the\r\nencrypted resources has the DLL binary (loader) which is decrypted later during runtime.\r\nThe ‘Stager’ loads the ‘Loader’ into the memory, which decrypts and runs the payload during runtime. 
The\r\nconfiguration settings are retrieved from another resource.\r\nThe payload communicates with the C2 server.\r\nAdditional threats such as ProLock ransomware can now be pushed to the infected machine.\r\nTypical QakBot functions\r\nTypical QakBot malicious activity observed in the wild includes:\r\nCollecting information about the compromised host;\r\nCreating scheduled tasks (privilege escalation and persistence);\r\nCredentials harvesting:\r\nCredential dumping (Mimikatz, exe access)*;\r\nPassword stealing (from browser data and cookies);\r\nTargeting web banking links (web injects)*.\r\nPassword brute forcing;\r\nRegistry manipulation (persistence);\r\nCreating a copy of itself;\r\nProcess injection to conceal the malicious process.\r\nCommunication with C2\r\nThe QakBot malware contains a list of 150 IP addresses hardcoded into the loader binary resource. Most of these\r\naddresses belong to other infected systems that are used as a proxy to forward traffic to other proxies or the real\r\nC2.\r\nCommunication with the C2 is an HTTPS POST request with Base64-encoded data. The data is encrypted with the\r\nRC4 algorithm. The static string “jHxastDcds)oMc=jvh7wdUhxcsdt2” and a random 16-byte sequence are used\r\nfor encryption. The data itself is in JSON format.\r\nOriginal message in JSON format\r\nHTTPS POST request with encrypted JSON\r\nUsually, after infection the bot sends a ‘PING’ message, ‘SYSTEM INFO’ message and ‘ASK for COMMAND’\r\nmessage, and the C2 replies with ‘ACK’ and ‘COMMAND’ messages. 
If additional modules were pushed by the\r\nC2, the bot sends a ‘STOLEN INFO’ message containing data stolen by the modules.\r\n‘PING’ message – bot request message to C2 with ‘BOT ID’ in order to check if C2 is active:\r\n‘PING’ message\r\n‘ACK’ message – C2 response message with field “16” containing the external IP address of the infected\r\nsystem, the only valuable information:\r\n‘ACK’ message\r\n‘SYSTEM INFO’ message – bot request message to C2 with information collected about the infected\r\nsystem. In addition to general system information such as OS version and bitness, user name, computer\r\nname, domain, screen resolution, system time, system uptime and bot uptime, it also contains the results of\r\nthe following utilities and WMI queries:\r\nwhoami /all\r\narp -a\r\nipconfig /all\r\nnet view /all\r\ncmd /c set\r\nnslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.{DOMAIN}\r\nnltest /domain_trusts /all_trusts\r\nnet share\r\nroute print\r\nnetstat -nao\r\nnet localgroup\r\nqwinsta\r\nWMI Query ROOT\\CIMV2:Win32_BIOS\r\nWMI Query ROOT\\CIMV2:Win32_DiskDrive\r\nWMI Query ROOT\\CIMV2:Win32_PhysicalMemory\r\nWMI Query ROOT\\CIMV2:Win32_Product\r\nWMI Query ROOT\\CIMV2:Win32_PnPEntity\r\n‘SYSTEM INFO’ message\r\n‘ASK for COMMAND’ message – bot command request message to C2. After the ‘SYSTEM INFO’\r\nmessage is sent, the bot starts asking the C2 for a command to execute. One of the main fields is “14” – the\r\nSALT. This field is unique and changes in every request. It is used to protect against hijacking or takeover\r\nof a bot. After receiving this request, the C2 uses the SALT in the signing procedure and places the\r\nsignature in the response, so the bot can check the signed data. 
Only a valid and signed command will be\r\nexecuted.\r\n‘ASK for COMMAND’ message\r\n‘COMMAND’ message – C2 response message with command to execute. The current version of the bot\r\nsupports 24 commands, most of them related to download, execution, drop of additional modules and\r\nmodule configuration files with different options, or setup/update configuration values.\r\nThis type of message contains the signed value of the SALT (obtained from the bot’s request field “14”),\r\nCOMMAND ID and MODULE ID. The other values of the message are not signed. In previous versions,\r\nthe bot received modules and commands immediately after infection and sending a ‘SYSTEM INFO’\r\nmessage. Now, the C2 responds with an empty command for about an hour. Only after that will the C2\r\nsend commands and modules in the response. We believe that this time delay is used to make it difficult to\r\nreceive and analyze new commands and modules in an isolated controlled environment.\r\n‘COMMAND’ C2 response with empty command\r\nIf the C2 pushes some modules, the Base64-encoded binary is placed into field “20” of the message.\r\n‘COMMAND’ C2 response with additional module to load\r\n‘STOLEN INFO’ message – bot message to C2 with stolen information like passwords, accounts, emails,\r\netc. Stolen information is RC4 encrypted and Base64 encoded. 
The key for the RC4 encryption is\r\ngenerated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a\r\nstatic string as in the case of traffic encryption.\r\n‘STOLEN INFO’ message\r\nOnce communication with the C2 server has been established, QakBot is known to download and use additional\r\nmodules in order to perform its malicious operations.\r\nThe additional modules differ from sample to sample and may include: ‘Cookie grabber’, ‘Email Collector’,\r\n‘Credentials grabber’, and ‘Proxy module’ among others.\r\nThese modules may be written by the threat actors themselves or may be borrowed from third-party repositories\r\nand adapted. It can vary from sample to sample. For example, there are older samples that may use Mimikatz for\r\ncredentials dumping.\r\nBelow are some of the modules that we found during our research.\r\nAdditional modules\r\nCookie Grabber – collects cookies from popular browsers (Edge, Firefox, Chrome, Internet Explorer).\r\nHidden VNC – allows threat actors to connect to the infected machine and interact with it without the real\r\nuser knowing.\r\nEmail Collector – tries to find Microsoft Outlook on the infected machine, then iterates over the software\r\nfolders and recursively collects emails. 
Finally, the module exfiltrates the collected emails to the remote\r\nserver.\r\nThe threat actors distributed a debug version of the email collector module at some point\r\nHooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL functions. Hooking is used to\r\nperform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains.\r\nHooking works in the following way: QakBot injects a hooking module into the appropriate process, the\r\nmodule finds functions from the hardcoded set and modifies the functions so they jump to custom code.\r\nThe module contains a ciphered list of DLLs and functions that the bot will hook\r\nPassgrabber module – collects logins and passwords from various sources: Firefox and Chrome files,\r\nMicrosoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects\r\npasswords using its own algorithms.\r\nProcedure that collects passwords from different sources\r\nProxy module – tries to determine which ports are available to listen on using UPnP port forwarding\r\nand a tier 2 C2 query. Comparing current and old proxy loader versions revealed some interesting things: the\r\nthreat actors decided to remove the cURL dependency from the binary and perform all HTTP\r\ncommunications using their own code. Besides removing cURL, they also removed OpenSSL\r\ndependencies and embedded all functions into a single executable – there are no more proxy loaders or\r\nproxy modules, it’s a single file now.\r\nUPnP port forwarding query construction\r\nAfter trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module\r\nalso starts a multithreaded SOCKS5 proxy server. 
The SOCKS5 protocol is encapsulated into the QakBot proxy\r\nprotocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length\r\n(dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be\r\nreceived/transmitted one by one or in multiple packets in a single TCP data segment (streamed).\r\nThe usual proxy module execution flow is as follows:\r\n1. Communicate with the C2, try to forward ports with UPnP and determine available ports and report them\r\nto the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data.\r\n2. Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download\r\nspeed and deletes the received file.\r\n3. Set up the external PROXY-C2 connection that was received with command 37 (update config)/module 274\r\n(proxy) by the stager.\r\nCommunicating with the external PROXY-C2:\r\n1. Send the initial proxy module request. The initial request contains the bot ID, external IP address of the\r\ninfected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and\r\nseconds since the proxy module started.\r\n2. Establish a connection (proxy commands sequence 1-\u003e10-\u003e11) with the PROXY-C2.\r\n3. Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with\r\ncommand 10).\r\n4. Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol.\r\nQakBot proxy commands are as follows:\r\nCommand Description\r\n1 Hello (bot-\u003eC2)\r\n10 Set up auth credentials (C2-\u003ebot)\r\n11 Confirm credentials setup (bot-\u003eC2)\r\n2 Create new proxy session (C2-\u003ebot)\r\n3 SOCKS5 AUTH (bot-\u003eC2)\r\n4 SOCKS5 requests processing (works for both sides)\r\n5 Close session (works for both sides)\r\n6 Update session state/session state updated notification (works for both sides)\r\n7 Update session state/session state updated notification (works for both sides)\r\n8 PING (C2-\u003ebot)\r\n9 PONG (bot-\u003eC2)\r\n19 Save current time in registry (C2-\u003ebot)\r\nParsed packets from C2\r\nTracking single proxy\r\nWeb inject – the configuration file for the hooking module\r\nOnce communication with the C2 is established, one of the additional modules that is downloaded is the\r\nweb-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and\r\nhooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon\r\nas the victim accesses certain web pages related to banking and finance, additional JavaScript is injected\r\ninto the source page.\r\nFragment of JavaScript injected into the source page of the Wells Fargo login page\r\nQakBot statistics\r\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where\r\nanonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months\r\nof 2021 our products detected 181,869 attempts to download or run QakBot. 
This number is lower than the\r\ndetection number from January to July 2020, though the number of users affected grew by 65% compared to the\r\nprevious year and reached 17,316.\r\nNumber of users affected by QakBot attacks from January to July in 2020 and 2021\r\nWe observed the largest campaigns in Q1 2021 when 12,704 users encountered QakBot, with 8,068 Kaspersky\r\nusers being targeted in January and 4,007 in February.\r\nConclusions\r\nQakBot is a known Trojan-Banker whose techniques may vary from binary to binary (older and newer versions).\r\nIt has been active for over a decade and doesn’t look like it’s going away anytime soon. The malware is continuously\r\nreceiving updates and the threat actors keep adding new capabilities and updating its modules in order to steal\r\ninformation and maximize revenue.\r\nWe know that threat actors change how they perform their malicious activities based on security vendor activities,\r\nusing sophisticated techniques to stay under the radar. Although QakBot uses different techniques to avoid\r\ndetection, for example, process enumeration in order to find running anti-malware solutions, our products are able\r\nto detect the threat using behavior analysis. 
The verdicts usually assigned to this malware:\r\nBackdoor.Win32.QBot\r\nBackdoor.Win64.QBot\r\nTrojan.JS.QBot\r\nTrojan.MSOffice.QBot\r\nTrojan.MSOffice.QbotLoader\r\nTrojan.Win32.QBot\r\nTrojan-Banker.Win32.QBot\r\nTrojan-Banker.Win32.QakBot\r\nTrojan-Banker.Win64.QBot\r\nTrojan-Downloader.JS.QBot\r\nTrojan-PSW.Win32.QBot\r\nTrojan-Proxy.Win32.QBot\r\nIndicators of compromise (C2 server addresses)\r\n* Can be performed as an external command (extended module).\r\nSource: https://securelist.com/qakbot-technical-analysis/103931/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/qakbot-technical-analysis/103931/"
	],
	"report_names": [
		"103931"
	],
	"threat_actors": [],
	"ts_created_at": 1775434682,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b12cdb2922922d98a1327d2c9859d8123e091c5.pdf",
		"text": "https://archive.orkl.eu/7b12cdb2922922d98a1327d2c9859d8123e091c5.txt",
		"img": "https://archive.orkl.eu/7b12cdb2922922d98a1327d2c9859d8123e091c5.jpg"
	}
}