{
	"id": "c1d4697d-3430-4243-8235-1219cc66b8bd",
	"created_at": "2026-04-06T00:14:10.206474Z",
	"updated_at": "2026-04-10T13:12:11.439028Z",
	"deleted_at": null,
	"sha1_hash": "ce83c033fe70c7b8e03234b37be00ec56984d505",
	"title": "QBot Spreads via LNK Files – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 726335,
	"plain_text": "QBot Spreads via LNK Files – Detection \u0026 Response - Security Investigation\r\nBy Priyadharshini Balaji\r\nPublished: 2022-07-05 · Archived: 2026-04-05 21:24:34 UTC\r\nQakBot, also known as QBot, QuackBot, or Pinkslipbot, is a banking trojan malware that has existed for over a decade. In recent years, QakBot has become one of the leading banking trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.).\r\nMost QBot infections have used XLS documents as the initial vector. Now, the operators have started using .lnk files to infect their targeted machines. As usual, this is done through spam campaigns or malicious URLs that deliver the LNK files to the targets.\r\nQBot LNK Infection Chain:\r\nhttps://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/\r\nPage 1 of 5\r\nHere, the initial vector is an .html file that contains a .zip archive holding the .LNK file. Once the user opens the .LNK file, its embedded command is executed and the infection chain starts.\r\nRecent infections abuse legitimate applications such as PowerShell, CMD, and MSHTA to download the malicious payload files.\r\nWhy are LNK files being used?\r\nAn LNK file is a shortcut or “link” used by Windows as a reference to an original file, folder, or application. It contains the shortcut target type, location, and filename, as well as the program that opens the target file and an optional shortcut key. The file can be created in Windows by right-clicking a file, folder, or executable program and then selecting Create shortcut.\r\nIn an .lnk file, the target path is visible in the Properties dialog only if it is short. However, command-line arguments can be up to 4096 characters, so malicious actors take advantage of this and pass long arguments, which will not be visible in the Properties section.\r\nSample Information:\r\nThe main content of this QBot LNK:\r\nHow does QBot LNK work?\r\nWith reference to the Edge application: Echo \u003e Ping 15.org \u003e %appdata% \u003e curl.exe \u003e .dat \u003e echo \u003e regsvr.\r\nThe ping [Packet Internet or Inter-Network Groper] utility uses the echo request and echo reply messages of the Internet Control Message Protocol (ICMP), an integral part of any IP network. Here, ping sends ICMP packets to the destination and then waits for the echo reply.\r\nThen, curl.exe is the main executable for running cURL. cURL is a command-line tool and library for transferring data with URLs. Usually, a generic .dat data file stores information specific to the application it refers to.\r\nTargeted Command Line:\r\nHex view of the .dat file\r\nHere, the targeted command line clearly reveals the malicious .dat file which will download the payload file.\r\nDetection \u0026 Response:\r\nQRadar:\r\nSELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and\r\nSplunk:\r\n((ParentImage=\"*\\\\cmd.exe\") AND CommandLine=\"*http://*\" AND CommandLine=\"*ping15.org*\" AND CommandLine=\"*..\\\\*\"\r\nElastic Query:\r\n(process.parent.executable:*\\\\cmd.exe AND process.command_line:*http\\:\\/\\/* AND process.command_line:*ping15.or\r\nArcSight:\r\n(sourceProcessName CONTAINS \"*\\\\cmd.exe\" AND ((deviceCustomString1 CONTAINS \"*http://*\" OR destinationServiceNa\r\nCarbonBlack:\r\n(parent_name:*\\\\cmd.exe AND process_cmdline:*http\\:\\/\\/* AND process_cmdline:*ping15.org* AND process_cmdline:*\r\nCrowdStrike:\r\n((ParentBaseFileName=\"*\\\\cmd.exe\") AND (CommandLine=\"*http://*\" OR CommandHistory=\"*http://*\") AND (CommandLine\r\nFireEye:\r\n(metaclass:`windows` pprocess:`*\\cmd.exe` args:`http://` args:`ping15.org` args:`..\\\\` args:`curl.exe` args:`re\r\nGraylog:\r\n(ParentImage.keyword:*\\\\cmd.exe AND CommandLine.keyword:*http\\:\\/\\/* AND CommandLine.keyword:*ping15.org* AND C\r\nGoogle Chronicle:\r\nprincipal.process.file.full_path = /.*\\\\cmd\\.exe$/ and target.process.command_line = /.*http:\\/\\/.*/ and target\r\nLogpoint:\r\n(ParentImage IN \"*\\\\cmd.exe\" CommandLine=\"*http://*\" CommandLine=\"*ping15.org*\" CommandLine=\"*..\\\\*\" CommandLin\r\nMicrosoft Defender:\r\nDeviceProcessEvents | where ((InitiatingProcessFolderPath endswith @\"\\cmd.exe\") and ProcessCommandLine contains\r\nMicrosoft Sentinel:\r\nSecurityEvent | where EventID == 4688 | where ((ParentProcessName endswith @'\\cmd.exe') and CommandLine contai\r\nRSA NetWitness:\r\n((ParentImage contains '\\cmd\\.exe') \u0026\u0026 (CommandLine contains 'http://') \u0026\u0026 (CommandLine contains 'ping15.org')\r\nSumo Logic:\r\n(_sourceCategory=*windows* AND (ParentImage = \"*\\cmd.exe\") AND CommandLine=\"*http://*\" AND CommandLine=\"*ping15\r\nAWS OpenSearch:\r\n(process.parent.executable:*\\\\cmd.exe AND process.command_line:*http\\:\\/\\/* AND process.command_line:*ping15.or\r\nSource: https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/"
	],
	"report_names": [
		"qbot-spreads-via-lnk-files-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce83c033fe70c7b8e03234b37be00ec56984d505.pdf",
		"text": "https://archive.orkl.eu/ce83c033fe70c7b8e03234b37be00ec56984d505.txt",
		"img": "https://archive.orkl.eu/ce83c033fe70c7b8e03234b37be00ec56984d505.jpg"
	}
}