BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
14
Global rank
41 infographic chevron month
Month rank
20 infographic chevron week
Week rank
7869
IOCs

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Botnet
Type
Unknown
Origin
1 January, 2009
First seen
18 June, 2024
Last seen
Also known as
Pinkslipbot
QakBot
Quakbot

How to analyze Qbot with ANY.RUN

Type
Unknown
Origin
1 January, 2009
First seen
18 June, 2024
Last seen

IOCs

IP addresses
108.227.161.27
47.202.98.230
216.163.4.91
65.116.179.83
47.153.115.154
47.146.169.85
69.92.54.95
24.201.79.208
72.29.181.77
98.148.177.77
75.110.250.89
96.37.137.42
66.26.160.37
100.38.123.22
97.127.144.203
47.205.231.60
98.219.77.197
104.36.135.227
173.22.120.11
184.180.157.203
Hashes
e582e244c81545e68b7598f2c98c985c0cca311191e433e128b5c00c217d61a3
0e9cc0bc95c14ac788c57dc03c3ea441c751e8ee1e9c1db5b4e124b16d8076f1
fb0c5a4376cb8d28040e456fcc1b8531598573372d33fcfc62362ca8bce823cf
407ec4794f860b8f1f0757087fc65254812c8a979edd566b3956a2d8da84a216
ad3fa1a019ef6a3b413819acf63fcbf4f96754530f70446312957e786facd290
3f1491334743b475f008864497813ce07bd7f6c6c60868a7fd35f7d1b4cb529f
0652d513a2c43aaabbb806eeda3e035aa3b12449a718610d42453896d9f97751
14a9a8278fe267d8717bb1d39d88ee0f28810a745ce39802fae2a0d2c94582e3
4308f2a61ab0b26ba296f7dfdec673ea3e5f3d6821d75cff7a042efe019b08e2
2ed1048061c1be86ac7965685f8d526701c16117d4000e47c88fcb9c8067789c
7c3ec6b43d5f3400f42ac5c62e2d80c2adf097df4655e3782c8c6390d908a119
847acc888e3468525e817eaa45e4b40960c818b7b44555f6595ed60f9f0f1db2
b5d7c7876a93faaf7adecc90437ccf3412a5bac55b1cd6c307a16c2faef8c699
1042f400ed776bc5d2c68becb386fb2ef3116417f96a67c14e8ca5b421ae7bc9
3fc251b619a54a6dd77e30d76d3679eb80e85bdc414c72331e1657e7ec3055d1
5f54132fcd18717284f6d94e4cf63499a5e73c07c0ccb76213863c4de51ce532
5c780d757fed0ecbb7aa490edf37a1a03494d071a5ea97234c1be7831652b43d
b303442f13efc2ce15a8ef3a46301b7efb132cfa35d5ff1d095ef23e144935f4
1697c22eb0bb84c74d9d84c7377c7599c4241d6816866fa259caa44f1e9e1921
5583657c891900210fafe2c6840df8d2386cbaa15bccc4396f979b5bf0a01f4e
Domains
40chorr.com
www.hospitaisipiranga.com.br
whichworx.com
idealcuisine.com.tn
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 142
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 188
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 339
comments 0

What is Qbot?

Qbot, also known as QakBot, Pinkslipbot, and Quakbot, is a banking trojan — malware designed to steal banking credentials, online banking session information, personal details of the victim, or any other banking data.

Although early versions of Qbot were spotted all the way back in 2009, its creators have maintained this trojan. Today, it continues to be active and features worm-like abilities to spread over networks, supports advanced web-injections techniques, and has a persistence mechanism that some researchers believe to be one of the best in its class. Additionally, the trojan has anti-VM, anti-debug and anti-sandbox functionally that makes research and analysis quite difficult.

Furthermore, Qbot is polymorphic, which means that it can change itself even after it is installed on an endpoint. The Trojan constantly modifies files, and the dropper that the newer version of Qbot continuously cycles through command and control servers.

The combination of these functions makes QakBot highly dangerous malware. Qbot has been used in several successful attacks on organizations and governmental structures and has infected tens of thousands of machines.

General description of QakBot malware

Qbot is dispatched in targeted attacks against businesses. With this trojan, the attackers go after bank accounts of organizations or private users who access their personal online banking cabinets from corporate networks by piggybacking into banking sessions of the victim.

The Trojan uses man-in-the-browser functionality to perform web injections, allowing it to alter what the victims see on the banking website when browsing from an infected machine. Interestingly, while most malware samples that use this technique contain the web injection code in their config file, Qbot can fetch the code from a controlled domain as it performs malicious activity.

Another trait that differentiates Qbot from other Trojans is its worm-like functionality. Qbot can copy itself using shared drives and spread over the network, spreading on its own or after receiving a command from the command and control server. Together with a highly developed persistence mechanism that uses registry runkeys and scheduled tasks, these traits make erasing Qbot from the infected network very difficult. The Trojan is designed to sustain itself despite system reboots and automatically launch itself when the system is turned on again.

This infamous persistence functionality has allegedly caused compromise of sensitive information in two government organizations in Massachusetts in 2011, while worm-like behavior helped the Qbot infiltrate thousands of machines and create a botnet with over 1,500 devices resulting from that attack.

Most of the targets that Qbot goes after are US-based organizations. Only about twenty percent of the new attack businesses are located outside of the United States. Although apart from the government offices, most of the attacks have been directed at banking, tech, and healthcare industries, there is no hard evidence to suggest that the attackers are aiming at specific fields. This means that businesses working in any industry can get hit by QakBot.

It is also important to note that an advanced cybergang operates the malware. Qbot attacks have been appearing on the radar of security researchers periodically, with phases of high activity and intervals when attacks would completely stop. This behavior is likely to avoid attracting too much attention from law enforcement and allows attackers to tweak and improve the malware during their time off.

The group behind Qbot is also notoriously known for pushing out new modified malware samples at astonishing rates. They repack and re-scramble the code daily, making malware identification by means of anti-virus software unreliable.

Unfortunately, people's identities behind Qbot are unknown, but it is widely believed that the cyber gang is based somewhere in Eastern Europe.

Qbot malware analysis

This video recorded in the ANY.RUN interactive malware hunting service shows the execution process of Qbot. You can also research other malware like Netwire and Predator the Thief.

qbot_process_graph

Figure 1: Displays the tree of processes created by the ANY.RUN interactive malware hunting service

QakBot execution process

Since Qbot is mostly targeted at the corporate sector, the main way of its penetration into infected systems is through a malicious document. In our example, maldoc starts several processes, including Powershell through by using a macro. Then, using cmd.exe, this trojan starts a chain of commands and executions, creating folders and temporary files. It utilizes Powershell to download the payload. Notably, the payload's name is as simple as six of the same digits or, less often, letters. Also, the payload often has a .png extension, although it is an executable file.

After that trojan starts its main execution, QakBot tries to evade detection by overwriting itself with the legitimate Windows executable calc.exe using the following commands: cmd.exe /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > “Path to malware executable.” Qbot also injects explorer.exe and adds itself into autorun for persistence.

Qbot distribution

Qbot uses multiple attack vectors to infect victims. The malware uses email spam and phishing campaigns, as well as vulnerability exploits to infiltrate its targets. One of the more recent versions of the malware was observed being distributed by a dropper.

The dropper that installs Qbot is equipped with a delayed execution function. This means that after the dropper itself is downloaded onto a target machine, it waits around fifteen minutes before dropping the payload, likely in an effort to trick automatic sandboxes and avoid detection.

How to detect Qbot using ANY.RUN?

Sometimes Qbot trojan creates files that allow analysts to detect it with a high degree of certainty. To detect Qbot, open the "Files" tab in the lower part of the task's window and take a look at the created folders. If you see folders with names such as "Zulycjadyc" and "imtaykad" within C:\Users\admin\AppData\ Roaming\Microsoft\ directory and .exe or .dat file with a name "ytfovlym," as shown on the figure below, be sure that it is Qbot in front of you.

how_to_detect_qbot

Figure 2: Detecting Qbot by local files

Conclusion

Security researchers successfully reversed a sample of QakBot in a 2020 investigation. Since the researchers managed to pinpoint a command and control server, they could identify the true scale of the attack. What they uncovered was an active Qbot botnet consisting of over 2,000 computers.

If there was any doubt that Qbot is a severe threat, hopefully, this should clear it. Advanced web injections, sophisticated anti-evasion techniques, worm-like functions, and an experienced cyber gang that constantly updates the malware is a dangerous cocktail.

As security researchers, it is essential to analyze malware like Qbot since code obfuscation makes research complicated. Every investigation has the potential to uncover important data that will help businesses avoid attacks or identify and eradicate this Trojan quicker. At the same time, Qbot avoids dynamic analysis with some automatic sandboxes with the delayed execution of its dropper and other tricks, interactive sandboxes like the one presented by the ANY.RUN malware hunting services are not so easily fooled.

ANY.RUN presents a good opportunity to perform dynamic analysis on this malware from a secure online environment and share your findings with fellow researchers in our public malware database.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy