{
	"id": "28a51a17-4d4b-4698-a214-508890693852",
	"created_at": "2026-04-06T02:13:05.65648Z",
	"updated_at": "2026-04-10T03:20:21.108803Z",
	"deleted_at": null,
	"sha1_hash": "876c290fa7af9167726a8573b4a95ad6fcf4b46c",
	"title": "W32.Qakbot aka W32/Pinkslipbot or infostealer worm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113340,
	"plain_text": "W32.Qakbot aka W32/Pinkslipbot or infostealer worm\r\nArchived: 2026-04-06 01:35:51 UTC\r\nW32.Qakbot aka W32/Pinkslipbot or infostealer worm\r\nW32.Qakbot aka W32/Pinkslipbot\r\n  W32.Qakbot in Detail by Symantec Nicolas Falliere\r\nW32.Qakbot is a worm that has been seen spreading through network shares, removable\r\ndrives, and infected webpages, and infecting computers since mid-2009. Its primary\r\npurpose is to steal online banking account information from compromised computers.\r\nThe malware controllers use the stolen information to access client accounts within\r\nvarious financial service websites with the intent of moving currency to accounts from\r\nwhich they can withdraw funds. It employs a classic keylogger, but is unique in that it\r\nalso steals active session authentication tokens and then piggy backs on the existing\r\nonline banking sessions. It then quickly uses that information for malicious purposes.\r\nThe following screenshot is from the paper you see above \r\nhttp://contagiodump.blogspot.com/2010/11/template.html\r\nPage 1 of 6\n\nGeneral File Information\r\nMD5  076bc0533d63826e1e809ad9fcbe2fb8\r\nSHA1 33d9b4a712c29304478da235f17cd28978a93d2f\r\nFile size :55808 bytes\r\nType:  PE32 exe\r\nDistribution: mostly web (worm - spreads through shares, drives, webpages etc)\r\n \r\nMD5 120d845ac973b4a0cde2bc88d8530b3d\r\nSHA1 120d845ac973b4a0cde2bc88d8530b3d\r\nFile size :87040 bytes\r\nType:  PE32 exe\r\nDistribution: mostly web (worm - spreads through shares, drives, webpages etc)\r\nMD5 150d006eab34528e3305fbbb5ad82164\r\nSHA1 551a9f3ce5b86cf77df90eda61be233c821be6b2\r\nFile size :267776 bytes\r\nType:  PE32 exe\r\nDistribution: mostly web (worm - spreads through shares, drives, webpages etc)\r\nDownload\r\nMessage Headers\r\nReceived: (qmail 25793 invoked from network); 19 Nov 2010 08:53:27 -0000\r\nReceived: from msr19.hinet.net (HELO msr19.hinet.net) (168.95.4.119)\r\n  by XXXXXXXXXXXX with SMTP; 19 Nov 2010 08:53:27 
-0000\r\nReceived: from elizabethhamrickpc (61-222-104-222.HINET-IP.hinet.net [61.222.104.222])\r\nby msr19.hinet.net (8.9.3/8.9.3) with ESMTP id QAA04206\r\nfor\r\n; Fri, 19 Nov 2010 16:53:09 +0800 (CST)\r\nReply-To: newscomeon@yahoo.com\r\nFrom: \"Elizabeth Hamrick\"\r\nTo: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\nSubject: Event Invitation from The Heritage Foundation: The Implications of Taiwan's Big City Elections\r\nDate: Fri, 19 Nov 2010 16:53:09 +0800\r\nMessage-ID:\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed;\r\nboundary=\"----=_NextPart_10111916482235810322685_000\"\r\nX-Priority: 3\r\nX-Mailer: DreamMail 4.6.6.0\r\nAutomated Scans\r\nFile name: 076bc0533d63826e1e809ad9fcbe2fb8\r\nSubmission date: 2011-01-04 17:47:53 (UTC)\r\nResult: 38 /41 (92.7%)\r\nAntivirus Version Last Update Result\r\nAhnLab-V3 2011.01.04.03 2011.01.04 Win-Trojan/Injector.55808.U\r\nAntiVir 7.11.1.24 2011.01.04 TR/PSW.Qbot.aff\r\nAntiy-AVL 2.0.3.7 2011.01.04 Trojan/Win32.Qbot.gen\r\nAvast 4.8.1351.0 2011.01.04 Win32:Oficla-BS\r\nAvast5 5.0.677.0 2011.01.04 Win32:Oficla-BS\r\nAVG 9.0.0.851 2011.01.04 PSW.Generic8.AJKY\r\nBitDefender 7.2 2011.01.04 Gen:Variant.Kazy.517\r\nCAT-QuickHeal 11.00 2011.01.04 TrojanPSW.Qbot.aff\r\nCommand 5.2.11.5 2011.01.04 W32/MalwareF.RPCP\r\nComodo 7292 2011.01.04 Heur.Suspicious\r\nDrWeb 5.0.2.03300 2011.01.04 Trojan.DownLoader1.39437\r\neSafe 7.0.17.0 2011.01.02 Win32.GenVariant.Kaz\r\neTrust-Vet 36.1.8080 2011.01.04 Win32/QakbotCryptor\r\nF-Prot 4.6.2.117 2011.01.04 W32/MalwareF.RPCP\r\nF-Secure 9.0.16160.0 2011.01.04 Gen:Variant.Kazy.517\r\nFortinet 4.2.254.0 2011.01.03 W32/Krypt.D!tr.dldr\r\nGData 21 2011.01.04 Gen:Variant.Kazy.517\r\nIkarus T3.1.1.90.0 2011.01.04 Trojan-PWS.Win32.Qbot\r\nK7AntiVirus 9.75.3435 2011.01.04 Password-Stealer\r\nMcAfee 5.400.0.1158 2011.01.04 W32/Pinkslipbot.gen.w\r\nMcAfee-GW-Edition 2010.1C 2011.01.04 
W32/Pinkslipbot.gen.w\r\nMicrosoft 1.6402 2011.01.04 Backdoor:Win32/Qakbot.gen!A\r\nNOD32 5759 2011.01.04 a variant of Win32/Kryptik.IMP\r\nNorman 6.06.12 2011.01.03 Qakbot.CU\r\nnProtect 2011-01-04.01 2011.01.04 Gen:Variant.Kazy.517\r\nPanda 10.0.2.7 2011.01.04 Bck/Qbot.AO\r\nPCTools 7.0.3.5 2011.01.04 Trojan-PSW.Generic\r\nPrevx 3.0 2011.01.04 High Risk Cloaked Malware\r\nRising 22.81.01.03 2011.01.04 Trojan.Win32.Generic.524A8E11\r\nSophos 4.60.0 2011.01.04 Troj/QBot-AA\r\nSUPERAntiSpyware 4.40.0.1006 2011.01.04 -\r\nSymantec 20101.3.0.103 2011.01.04 Infostealer\r\nTheHacker 6.7.0.1.110 2011.01.03 Trojan/PSW.Qbot.aff\r\nTrendMicro 9.120.0.1004 2011.01.04 BKDR_QAKBOT.SME\r\nTrendMicro-HouseCall 9.120.0.1004 2011.01.04 BKDR_QAKBOT.SME\r\nVBA32 3.12.14.2 2011.01.04 Trojan-PSW.Win32.Qbot.aff\r\nVIPRE 7952 2011.01.04 Backdoor.Win32.Qakbot\r\nViRobot 2011.1.4.4236 2011.01.04 Trojan.Win32.PSWQbot.55808\r\nVirusBuster 13.6.127.0 2011.01.04 Trojan.PWS.Qbot!9zgzgM2LbIY\r\nMD5   : 076bc0533d63826e1e809ad9fcbe2fb8\r\nfile\r\nhttp://www.virustotal.com/file-scan/report.html?\r\nid=a0fdd16f65c09159c673e82096905a68b772b5efc79259f3cee4cdbba3209724-1287656963\r\nSubmission date: 2010-10-21 10:29:23 (UTC)\r\nResult: 34 /42 (81.0%)\r\nAntivirus Version Last Update Result\r\nAhnLab-V3 2010.10.21.02 2010.10.21 Dropper/Win32.Drooptroop\r\nAntiVir 7.10.13.12 2010.10.21 TR/Irux.A\r\nAuthentium 5.2.0.5 2010.10.21 W32/Bamital.D.gen!Eldorado\r\nAvast 4.8.1351.0 2010.10.21 Win32:Crypt-HTA\r\nAvast5 5.0.594.0 2010.10.21 Win32:Crypt-HTA\r\nAVG 9.0.0.851 2010.10.21 Generic19.BCWJ\r\nBitDefender 7.2 2010.10.21 Trojan.Generic.4934134\r\nCAT-QuickHeal 11.00 2010.10.21 Backdoor.Qakbot.a\r\nComodo 6463 2010.10.21 UnclassifiedMalware\r\neTrust-Vet 36.1.7924 2010.10.21 Win32/Qakbot.EU\r\nF-Prot 4.6.2.117 2010.10.20 W32/Bamital.D.gen!Eldorado\r\nF-Secure 9.0.16160.0 
2010.10.21 Trojan.Generic.4934134\r\nFortinet 4.2.249.0 2010.10.21 W32/Krypt.D!tr.dldr\r\nGData 21 2010.10.21 Trojan.Generic.4934134\r\nIkarus T3.1.1.90.0 2010.10.21 Trojan-PWS.Win32.Qbot\r\nK7AntiVirus 9.66.2798 2010.10.20 Riskware\r\nKaspersky 7.0.0.125 2010.10.21 Trojan-Dropper.Win32.Drooptroop.gss\r\nMcAfee 5.400.0.1158 2010.10.21 W32/Pinkslipbot.gen.r\r\nMcAfee-GW-Edition 2010.1C 2010.10.21 Generic.dx!uhr\r\nMicrosoft 1.6301 2010.10.21 Backdoor:Win32/Qakbot.gen!A\r\nNOD32 5550 2010.10.21 a variant of Win32/Kryptik.HJF\r\nNorman 6.06.10 2010.10.20 W32/Smalltroj.ZKOE\r\nnProtect 2010-10-21.01 2010.10.21 Trojan.Generic.4934134\r\nPanda 10.0.2.7 2010.10.20 W32/Qbot.W.worm\r\nPCTools 7.0.3.5 2010.10.21 Malware.Qakbot!rem\r\nPrevx 3.0 2010.10.21 Medium Risk Malware\r\nRising 22.70.02.05 2010.10.21 Trojan.Win32.Generic.523C21B2\r\nSophos 4.58.0 2010.10.21 Mal/Oficla-A\r\nSunbelt 7109 2010.10.21 Backdoor.Win32.Qakbot\r\nSUPERAntiSpyware 4.40.0.1006 2010.10.21 -\r\nSymantec 20101.2.0.161 2010.10.21 W32.Qakbot\r\nTheHacker 6.7.0.1.063 2010.10.20 Trojan/Kryptik.hjf\r\nTrendMicro 9.120.0.1004 2010.10.21 BKDR_QAKBOT.EOF\r\nTrendMicro-HouseCall 9.120.0.1004 2010.10.21 BKDR_QAKBOT.EOF\r\nVirusBuster 12.69.9.0 2010.10.20 Trojan.Kryptik.BHXH \r\nMD5   : 120d845ac973b4a0cde2bc88d8530b3d\r\n 150d006eab34528e3305fbbb5ad82164\r\nSubmission date: 2011-02-24 01:01:36 (UTC)\r\nResult: 40 /43 (93.0%)\r\nhttp://www.virustotal.com/file-scan/report.html?\r\nid=50f3460bcb2fbf92e97193391e06c955057cc5b81b5f0141ce7c76bbf1b8d99d-1298509296\r\nAntivirus Version Last Update Result\r\nAhnLab-V3 2011.02.24.00 2011.02.24 Win32/Ircbot.worm.variant\r\nAntiVir 7.11.3.207 2011.02.23 BDS/Bot.130361\r\nAntiy-AVL 2.0.3.7 2011.02.23 Trojan/Win32.Zbot.gen\r\nAvast 4.8.1351.0 2011.02.23 Win32:Oficla-AR\r\nAvast5 5.0.677.0 2011.02.23 Win32:Oficla-AR\r\nAVG 10.0.0.1190 2011.02.23 Generic_r.EW\r\nBitDefender 7.2 
2011.02.24 Backdoor.Bot.130361\r\nCAT-QuickHeal 11.00 2011.02.23 TrojanSpy.Zbot.asod\r\nCommtouch 5.2.11.5 2011.02.23 W32/Oficla.R.gen!Eldorado\r\nComodo 7787 2011.02.23 TrojWare.Win32.Fraudpack.ICM\r\nDrWeb 5.0.2.03300 2011.02.24 Trojan.Hottrend.28\r\nEmsisoft 5.1.0.2 2011.02.23 Trojan-Spy.Win32.Zbot!IK\r\neTrust-Vet 36.1.8179 2011.02.23 Win32/Qakbot.FF\r\nF-Prot 4.6.2.117 2011.02.23 W32/Oficla.R.gen!Eldorado\r\nF-Secure 9.0.16160.0 2011.02.24 Backdoor.Bot.130361\r\nFortinet 4.2.254.0 2011.02.23 W32/Oficla.AWV!tr\r\nGData 21 2011.02.24 Backdoor.Bot.130361\r\nIkarus T3.1.1.97.0 2011.02.23 Trojan-Spy.Win32.Zbot\r\nJiangmin 13.0.900 2011.02.23 TrojanSpy.Zbot.ryt\r\nK7AntiVirus 9.90.3944 2011.02.23 Spyware\r\nKaspersky 7.0.0.125 2011.02.24 Trojan-Spy.Win32.Zbot.asod\r\nMcAfee 5.400.0.1158 2011.02.24 W32/Pinkslipbot.gen.j\r\nMcAfee-GW-Edition 2010.1C 2011.02.23 W32/Pinkslipbot.gen.j\r\nMicrosoft 1.6603 2011.02.24 Backdoor:Win32/Qakbot.gen!A\r\nNOD32 5901 2011.02.23 Win32/Qbot.AU\r\nNorman 6.07.03 2011.02.23 Qakbot.CH\r\nnProtect 2011-02-10.01 2011.02.15 Trojan-Spy/W32.ZBot.267776.W\r\nPanda 10.0.3.5 2011.02.23 Trj/Downloader.WBX\r\nPCTools 7.0.3.5 2011.02.22 Malware.Qakbot!rem\r\nPrevx 3.0 2011.02.24 Medium Risk Malware\r\nRising 23.46.02.06 2011.02.23 Trojan.Win32.Generic.125E1D4C\r\nSophos 4.61.0 2011.02.23 Mal/Qbot-E\r\nSUPERAntiSpyware 4.40.0.1006 2011.02.24 Trojan.Agent/Gen\r\nSymantec 20101.3.0.103 2011.02.24 W32.Qakbot\r\nTheHacker 6.7.0.1.137 2011.02.23 Trojan/Spy.Zbot.asod\r\nTrendMicro 9.200.0.1012 2011.02.23 BKDR_QAKBOT.USK\r\nTrendMicro-HouseCall 9.200.0.1012 2011.02.24 BKDR_QAKBOT.USK\r\nVBA32 3.12.14.3 2011.02.23 TrojanDownloader.Genome.btgl\r\nVIPRE 8518 2011.02.24 Backdoor.Win32.Qakbot.cd (v)\r\nViRobot 2011.2.23.4325 2011.02.23 -\r\nVirusBuster 13.6.217.0 2011.02.23 TrojanSpy.Zbot!B9r7grTAp/E\r\nMD5   : 150d006eab34528e3305fbbb5ad82164\r\nSource: 
http://contagiodump.blogspot.com/2010/11/template.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2010/11/template.html"
	],
	"report_names": [
		"template.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441585,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/876c290fa7af9167726a8573b4a95ad6fcf4b46c.pdf",
		"text": "https://archive.orkl.eu/876c290fa7af9167726a8573b4a95ad6fcf4b46c.txt",
		"img": "https://archive.orkl.eu/876c290fa7af9167726a8573b4a95ad6fcf4b46c.jpg"
	}
}