{
	"id": "f371edab-6b2c-4ec6-876e-0a020f749422",
	"created_at": "2026-04-06T00:21:11.115031Z",
	"updated_at": "2026-04-10T03:30:57.029357Z",
	"deleted_at": null,
	"sha1_hash": "d6036938100c10036da3c05bf45bfd0e4736b1fb",
	"title": "Qakbot, Data Thief Unmasked: Part I",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56348,
	"plain_text": "Qakbot, Data Thief Unmasked: Part I\r\nArchived: 2026-04-05 15:41:37 UTC\r\nMotive\r\nWe recently had the opportunity to revisit a threat that first appeared on our radar back in May of this year.\r\nW32.Qakbot (hereafter referred to as Qakbot) is a somewhat benign worm that is capable of spreading through\r\nnetwork shares, downloading additional files and opening a back door on the compromised computer, all in aid of\r\nits ultimate goal. Benign not because it is harmless - stealing login details, reporting keystrokes and uploading\r\nsystem certificates is malicious behavior indeed - but as will become obvious as we describe it in more detail\r\nbelow, because it moves slowly and with caution, trying not to bring attention to its presence.\r\nThe motive of Qakbot is quite clear: to steal information. Taking a peek under the proverbial covers, we see that it\r\nuses several components to accomplish the task, including the following:\r\n_qbot.dll\r\n_qbotinj.exe\r\nmsadvapi32.dll\r\n_qbot.cb\r\nseclog.txt\r\n_qbotnti.exe\r\nsconnect.js\r\nwebfix.txt\r\nWe will discuss each of these components briefly as we walk through the various functionality contained within\r\nand methods employed by this nefarious data thief.\r\nInfection\r\nQakbot initially spreads via web pages containing JavaScript which attempts to exploit certain vulnerabilities,\r\nincluding Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness and Apple QuickTime\r\nRTSP URI Remote Buffer Overflow (Symantec IPS detection details here and here) and where those exploits are\r\nsuccessful, downloads its malicious files on to the compromised computer. Once a machine is infected with\r\nQakbot, all Qakbot-related files are stored in the user profile data directory, which typically is C:\\Documents and\r\nSettings\\[USERNAME]\\_qbothome. 
The first two components the threat downloads are _qbot.dll and\r\n_qbotinj.exe.\r\nThe downloaded file _qbot.dll is the main component of the Qakbot worm and is responsible for collecting certain\r\ninformation from the infected machine and uploading that stolen data to FTP servers under the control of the\r\ncreator, the locations of which are frequently changed. We will talk more about this file later in the article.\r\nInjection\r\nThe _qbotinj.exe file acts as a kind of servant to the _qbot.dll file. The file explorer.exe, a core Windows process\r\nhttps://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i\r\nPage 1 of 3\n\nand one of the few that runs in memory constantly on Windows operating systems, is compromised by\r\n_qbotinj.exe injecting _qbot.dll into it – that is, into the instance of explorer.exe running in memory. Similarly, the\r\niexplore.exe process, which many readers will recognize as the process responsible for operating the Internet\r\nExplorer browser, is also injected.\r\nThis creates the illusion that all subsequent actions undertaken by the threat appear to be the work of these\r\notherwise legitimate Windows processes. This is in fact a trick often used by many types of threats, as antivirus\r\nproducts, firewalls and other security safeguards are generally programmed to allow such common Windows\r\nprocesses full access to both the Internet and other applications on the infected computer.\r\n[Image: status_info_edited2.JPG]\r\nThe above image represents the worm communicating with its command center via the compromised Internet\r\nExplorer process. 
For all intents and purposes, this simply appears to be a legitimate browsing instance.\r\nInterestingly however, _qbotinj.exe avoids injecting _qbot.dll into certain processes, presumably in an attempt to\r\navoid being detected (or in some cases to avoid being debugged, which would likely result in detection, so in\r\nessence is the same thing), including the following:\r\nmsdev.exe\r\ndbgview.exe\r\nmirc.exe\r\nollydbg.exe\r\nccApp.exe\r\nR\u0026Q.exe\r\nphotoed\r\noutlook.exe\r\nmmc.exe\r\nctfmon.exe\r\nSurvival\r\n_qbot.dll also runs two additional threads: “Watchdog” and “Swatcher”. The Watchdog thread monitors for\r\ninstances of Dr. Watson running in memory and terminates any it finds. The other thread, Swatcher, checks the\r\nregistry subkeys “Run” and “RunOnce” every 30 seconds and updates them if necessary. Qakbot does not add a\r\nregistry value under the “Run” or “RunOnce” subkeys itself, but instead updates the last entry under those keys to\r\ninclude its own EXE file, followed by Qakbot’s parameter and “/c” with the original registry value, which is\r\nlegitimate.\r\nFor example, the last (legitimate) Run key entry might be:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"Test Program\" =\r\n\"C:\\Program Files\\Test Program\\testprogram.exe\"\r\nQakbot will modify it to read:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\"C:\\Documents and\r\nSettings\\All Users\\_qbothome\\_qbotinj.exe\" \" C:\\Documents and Settings\\All Users\\_qbothome\\_qbot.dll\" /C\r\n\"C:\\Program Files\\Test Program\\testprogram.exe\"\r\nQakbot contains several internal commands it uses to do its dirty work. 
One of them, “getip”, checks the registry\r\nto see if a Citrix product, Microsoft Office or Microsoft Project is installed, by reading the registry key\r\nHKEY_CLASSES_ROOT\\Installer\\Products. If installed, this command does nothing further. If none of those\r\nproducts are found, it continues, checking if it is running on a Virtual Machine. If a VM is discovered, Qakbot\r\nsends the VM information to [http://]hostrmeter.com/cgi-bin/exha[REMOVED] using the POST method, and\r\nchecks for the existence of the file c:\\irclog.txt. If c:\\irclog.txt is found on the compromised computer, Qakbot\r\nuninstalls itself using its own \"uninstall\" command. We'll touch on this again in Part II.\r\nSpread\r\nAnother of Qakbot’s internal commands, “nbscan”, is responsible for its attempts to spread over network shares. It\r\nenumerates network share folders, checking if the share name and user name are contained in the file\r\n\"%CurrentFolder%\\nbl_[USERNAME].txt\". If they are listed in the file, Qakbot skips that network share. If they are\r\nnot listed - and before copying any files to the remote share - Qakbot checks if the files\r\n\"%CurrentFolder%\\_qbot[RANDOM CHARACTERS]\" and \"%CurrentFolder%\\q1.dll\" exist on the remote machine.\r\nIf not, it downloads them. It then copies \"q1.dll\" to either [REMOTE COMPUTER]\\C$\\windows\\q1.dll or\r\n[REMOTE COMPUTER]\\ADMIN$\\q1.dll, and \"_qbot[RANDOM CHARACTERS]\" to either\r\n\"[REMOTE COMPUTER]\\C$\\windows\\_qbot[RANDOM CHARACTERS].exe\" or\r\n\"[REMOTE COMPUTER]\\ADMIN$\\_qbot[RANDOM CHARACTERS].exe\". After copying the files, it writes the share\r\nname and user name to the file \"%CurrentFolder%\\nbl_[USERNAME].txt\" stored on the local machine. 
This of\r\ncourse is the list Qakbot checked at the very beginning of the network share routine, the logic being that if the\r\nnames are in the list, that machine has already been processed (read: infected).\r\nThe file _qbotnti.exe is used to load the file msadvapi.dll into memory. msadvapi.dll is then used to hook APIs in\r\nevery running process. This serves two purposes. Firstly, as a cloaking mechanism: msadvapi.dll hides file names\r\nand registry entries containing “_qbot”, and also hides Internet connections to destination ports between 16666\r\nand 16669. Secondly, it enables the threat to capture sockets where the destination port is 21 (FTP), 110 (POP3) or\r\n143 (IMAP), as well as capturing login credentials to predefined web sites contained in the configuration file\r\nnamed webfix.txt. Qakbot attempts to steal login credentials when the user visits one of the hard-coded URLs\r\nlisted in webfix.txt.\r\nWe’ll finish this two-part series in a subsequent posting where we’ll look briefly at the information Qakbot steals\r\nand how it goes about updating itself. Stay tuned.\r\nA big thanks to Masaki Suenaga and Takayoshi Nakayama for their analysis.\r\nSource: https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i"
	],
	"report_names": [
		"qakbot-data-thief-unmasked-part-i"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6036938100c10036da3c05bf45bfd0e4736b1fb.pdf",
		"text": "https://archive.orkl.eu/d6036938100c10036da3c05bf45bfd0e4736b1fb.txt",
		"img": "https://archive.orkl.eu/d6036938100c10036da3c05bf45bfd0e4736b1fb.jpg"
	}
}