The rise of QakBot

April 15, 2021 | Dax Morrow

This blog was jointly written with Ofer Caspi. Some of the links in this blog require an OTX account, and the QakBot infrastructure tracker will require readers to be customers with access to the Threat Intel subscription.. Thanks to the following researchers and the MalwareBazaar Project:

Executive summary

AT&T Alien Labs closely monitors the evolution of crimeware such as the QakBot (also known as Qbot) malware family and campaigns in connection with QakBot. The jointly coordinated takedown of the actors behind Emotet in late January has left a gap in the cybercrime landscape, which QakBot seems poised to fill.

Key Points:

  • TA551 has added QakBot to its arsenal, which also includes IcedID.
  • QakBot employs anti-virus evasion, anti-detection, and anti-sandbox tactics across the entire spectrum of the attack.
  • The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce initially low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike.
  • The actor(s) responsible for QakBot have an active affiliate program.
  • TA551, Cobalt Strike, and QakBot have all been observed jointly within the context of individual campaigns.


Qakbot, also known as QBot or Pinkslipbot, is a modular information stealer. It has been active since 2007 and primarily used by financially motivated actors. It was initially known as a banking Trojan and a loader using C2 servers for payload delivery; however, its use expanded beyond strictly being a banking trojan. The hallmarks of a QakBot infection chain consist of a phishing lure (T1566) delivered via email chain hijacking or spoofed emails that contain context-aware information such as shipping, work orders, urgent requests, invoices, claims, etc. The phishing emails alternate between file attachments (T1566.001) and links (T1566.002). QakBot is often used as a gateway entry, similar to TrickBot or Emotet, that leads to post exploitation operations leveraging frameworks such as Cobalt Strike as well as delivering Ransomware.

QakBot email lures are not the most sophisticated; however, by using contextually aware themes that originate from hijacked email chains or potentially compromised accounts within a user’s social circle, they are effective. Figure 1 below illustrates an example of a recent QakBot lure with the subject “Re: SIGNED QUOTE” and a ZIP file attachment labeled “”.

signed quote screen

Figure 1. QakBot "Signed Quote" Email Lure

The actors further establish the trust and confidence of the targeted user by presenting a semi-official looking DocuSign graphic that guides the user through the process of enabling the Excel 4 Macros. A representative sample, 78ea3550e2697cd06b07df568242f7fc9f57e4d2b297b74f6ce26e97613de53a, seen in a recent QakBot campaign is shown in Figure 2 below.

docusign lure for qakbot

Figure 2. QakBot DocuSign Lure

QakBot Excel spreadsheets often contain hidden spreadsheets, Excel 4.0 macros, spreadsheet formulas, and BIFF records all designed to pass a visual inspection from the user with the added benefit of bypassing detection mechanisms that attempt to parse multiple legacy formats inside the spreadsheet. Figure 3 below shows a screenshot of output from the open-source XLMMacroDeobfuscator tool, which decodes obfuscated Excel 4.0 macros.


Figure 3. XLMMacroDeobfuscator Output for a QakBot Excel 4.0 Macro Spreadsheet

Once the Excel 4.0 macro is decoded it is possible to see the CALL to URLDownloadToFileA, which downloads the QakBot DLL in this campaign from http[:]//rlyrt26rnxw02vqijgs[.]com/fera/frid[.]gif. Next, the EXEC function is evaluated which executes “rundll32.exe nxckew.wle, DllRegisterServer”. It is also a common tactic for QakBot to execute “regsvr32.exe -s nxckew.wle,DllRegisterServer”. Both instances are designed to evade sandbox environments that do not supply the expected command line arguments. A representative QakBot DLL analyzed by Alien Labs, 9a353d4b85b3097762282703f1807c2b459698966b967280c8e4e13cc56d2e28, has two exports: the entry point (0x10005a5d) and DllRegisterServer (0x10029c88)and if DllRegisterServer is not called via regsvr32.exe or rundll32.exe with command line options, then only the entry point is called and the malicious code in DllRegisterServer is not called. Figure 3 below shows improved readability and de-obfuscation of the macro by manually replacing and substituting the cell values and formulas.

better deobfuscation

Figure 3. Better de-obfuscation of the spreadsheet

The results of our additional de-obfuscation efforts are confirmed when the QakBot Excel spreadsheet is run inside a sandbox in Figure 4 below.

otx qakbot

Figure 4. OTX screenshot showing the “rundll32 ..\nxckew.wle, DllRegisterServer'' execution

Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. The QakBot loader is responsible for checking its environment to include whether it is running on a Virtual Machine, identifying any installed and running security and monitoring tools such as AntiVirus products or common security researcher tools. Figure 5 below shows a high-level execution flow of the QakBot loader.

qakbot execution diagram

Figure 5. QakBot Execution Flow

To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. An example of this can be seen in Figure 6 below, which shows QakBot decrypting a string containing the value for lpProcName passed as a parameter to the GetProcAddress API call. The selected function, which has been labeled in IDA Pro as, “oc_clear_mem” deletes the string memory right after it retrieves the process address.

qakbot clearing memory

Figure 6. QakBot GetProcAddress and clear_mem routines

When executed, QakBot will check whether it has previously been executed on the machine by checking for the specified malware folder. If QakBot discovers it is a first time run, it will relaunch itself from cmd.exe with the /C parameter that will inform the loader to proceed and run its Anti-VM checks on the machine and return the results to the parent process. If QakBot detects it is running in a VM environment, then the final payload will not be decrypted since QakBot uses the return value from these checks in its final decryption routine. Figure 7 below shows the QakBot environment check logic.

qakbot check

Figure 7. QakBot Environment Check Logic

Specifically, QakBot checks the system for the names of running processes that match the strings listed in Table 1 below.


CFF Explorer.exe

Table 1. AntiVM process name checks for security, monitoring, and analysis tools

Figure 8 below shows the decryption routine for the security and monitoring tool strings (T1140).

decryption step

Figure 8. QakBot decrypting tool check strings

QakBot will also add its folder to the Windows Defender exclusions setting located in the Registry (T1112), which prevents Defender from scanning QakBot artifacts. The Registry location can be seen in Figure 9 below.

Qakbot exclusion paths

Figure 9. QakBot adding exclusion paths to Windows Defender settings

In addition to the previously mentioned environment check, QakBot collects system information (T1082) such as computer name, system directories, user profiles, and more, which is shown in Figure 10 below.

system info collected

Figure 10. QakBot system information collection

QakBot will use process hollowing (T1055.012) in order to inject itself into explorer.exe. If it is unsuccessful then QakBot will attempt to inject itself into mobsync.exe or iexplore.exe. The screen shot in Figure 11 illustrates the QakBot process name decryption routine. 

qakbot routine

Figure 11. QakBot routine to decrypt process names for injection

Figure 12 below shows the QakBot logic to overwrite the suspended explorer.exe process and then resume its execution.

process hollowing

Figure 12. QakBot process hollowing routine

Additionally, QakBot abuses the Service Control Manager (SCM) to create a child process, which is then detached from the parent when the SCM terminates the parent process. QakBot C2 communications begin in this stage to make it more difficult to monitor. Figure 13 below shows the SCM spawned process abuse technique.

qakbot abusing SCM

Figure 13. QakBot abusing SCM to spawn a detached process

Figure 14 below shows the QakBot C2 ping during the SCM interaction.

c2 ping

Figure 14. QakBot sending C2 ping

Finally, if the QakBot loader has verified its execution environment has passed its tests, then QakBot will proceed to decrypt and execute the main QakBot payload, which is hidden as resource “307”. The decryption and import table resolution of its main payload is shown in Figure 15 below.

qakbot resolution

Figure 15. QakBot decryption and import table resolution of main payload

The combined anti-analysis and evasion techniques across the infection chain significantly impair antivirus, EDR, and other security defenses from detecting and preventing the initial infection. Despite the limitations and challenges presented by QakBot DLLs there is ample opportunity to detect QakBot loaders signed by revoked and blacklisted malicious certificates. Alien Labs has identified 42 unique signers and signature serial numbers, which are included in Detection Methods section to aid in detection and hunting with YARA and Osquery. Additionally, there are a number of behavioral patterns, Indicators of Behavior (IOB), which provide opportunities for detection.

Recommended actions

  1. Search for a renamed version of “wmic.exe” such as “”, which spawns “regsvr32.exe” and executes files with JPG or GIF file extensions.
  2. Regularly perform process auditing and accounting looking for process oddities such as
    1. parent to child relationships “excel.exe” spawning “rundll32.exe”.
    2. Instances of “WerFault.exe” executing without a command line.
    3. esentutl.exe” executing with a command line containing the term “WebCache”.
  3. Check for unrecognized exclusions, files or folders, in Windows Defender settings.


Alien Labs has observed QakBot over the past three months being used in a role similar to TrickBot, which includes malspam delivery, stealthy maldocs dropping signed loaders, establishing a foothold, and finally post exploitation activities such as lateral movement, access operations, and ransomware delivery. Alien Labs actively tracks the QakBot C2 infrastructure for customers, which is available via OTX here.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by defenders to tune or deploy detections in their own environments or for aiding additional research.


SELECT as source_process_id, as source_process, process.path as file_path, authenticode.result, authenticode.serial_number as certificate_serial_number, authenticode.issuer_name as certificate_issuer_name, authenticode.subject_name as certificate_subject_name, parent_processes.path as source_process_parent, parent_processes.cmdline as source_process_parent_commandline, parent_processes.uid as parent_uid, hashes.sha256 AS file_hash_sha256 FROM processes as process LEFT JOIN authenticode ON process.path = authenticode.path LEFT OUTER JOIN processes parent_processes ON process.parent = LEFT JOIN hash AS hashes ON hashes.path = process.path WHERE authenticode.serial_number IN ('00ac307e5257bb814b818d3633b630326f', '186d49fac34ce99775b8e7ffbf50679d', '02b6656292310b84022db5541bc48faf', '17d99cc2f5b29522d422332e681f3e18', '142aac4217e22b525c8587589773ba9b', '00ca646b4275406df639cf603756f63d77', '0cf2d0b5bfdd68cf777a0c12f806a569', '7ab21306b11ff280a93fc445876988ab', '00f097e59809ae2e771b7b9ae5fc3408d7', '00d3356318924c8c42959bf1d1574e6482', '00e38259cf24cc702ce441b683ad578911', '00b61b8e71514059adc604da05c283e514', '51cd5393514f7ace2b407c3dbfb09d8d', '00b2e730b0526f36faf7d093d48d6d9997', '3cee26c125b8c188f316c3fa78d9c2f1', '7156ec47ef01ab8359ef4304e5af1a05', '5c7e78f53c31d6aa5b45de14b47eb5c4', '00dadf44e4046372313ee97b8e394c4079', '00f8c2e08438bb0e9adc955e4b493e5821', '70e1ebd170db8102d8c28e58392e5632', '00c167f04b338b1e8747b92c2197403c43', '00e04a344b397f752a45b128a594a3d6b5', '00a7989f8be0c82d35a19e7b3dd4be30e5', '08622b9dd9d78e67678ecc21e026522e', '3696883055975d571199c6b5d48f3cd5', '5b440a47e8ce3dd202271e5c7a666c78', '690910dc89d7857c3500fb74bed2b08d', '00d59a05955a4a421500f9561ce983aac4', '00c2fc83d458e653837fcfc132c9b03062', '016836311fc39fbb8e6f308bb03cc2b3', '4743e140c05b33f0449023946bd05acb', 'aa28c9bd16d9d304f18af223b27bfa1e', '00d627f1000d12485995514bfbdefc55d9', '6e0ccbdfb4777e10ea6221b90dc350c2', '1249aa2ada4967969b71ce63bf187c38', '00e5ad42c509a7c24605530d35832c091e', '38989ec61ecdb7391ff5647f7d58ad18', '1a311630876f694fe1b75d972a953bca', '4a7f07c5d4ad2e23f9e8e03f0e229dd4', '00d4ef1ab6ab5d3cb35e4efb7984def7a2', '37f3384b16d4eef0a9b3344b50f1d8a3', '4e7545c9fc5938f5198ab9f1749ca31c');



Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.






QakBot C2



QakBot Maldoc Lure



QakBot Loader



QakBot DLL Final Payload



Signed QakBot Loader, Signer “SHOECORP LIMITED”



Signed QakBot Loader, Signer “DILA d.o.o.”



Signed QakBot Loader, Signer “PKV Trading ApS”



Signed QakBot Loader, Signer “A.B. gostinstvo trgovina posredništvo in druge storitve, d.o.o.”

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • Initial Access
    • T1566: Phishing
      • T1566.001: Spearphishing Attachment
      • T1566.002: Spearphishing Link
      • T1566.003: Spearphishing via Service
  • Execution
    • T1204: User Execution
      • T1204.001: Malicious Link
      • T1204.002: Malicious File
    • T1059: Command and Scripting Interpreter
      • T1059.005: Visual Basic
    • T1053: Scheduled Task/Job
      • T1053.005: Scheduled Task
    • T1129: Shared Modules
    • T1106: Native API
    • T1047: Windows Management Instrumentation
  • Defense Evasion
    • T1027: Obfuscated Files or Information
      • T1027.002: Software Packing
    • T1553: Subvert Trust Controls
      • T1553.002: Code Signing
    • T1218: Signed Binary Proxy Execution
      • T1218.010: Regsvr32
    • T1497: Virtualization/Sandbox Evasion
      • T1497.001: System Checks
      • T1497.002: User Activity Based Checks
      • T1497.003: Time Based Evasion
    • T1112: Modify Registry
    • T1070: Indicator Removal on Host
      • T1070.004: File Deletion
    • T1140: De-obfuscate/Decode Files or Information
  • Command and Control
    • T1090: Proxy
      • T1090.003: Multi-hop Proxy
    • T1105: Ingress Tool Transfer
  • Privilege Escalation
    • T1055: Process Injection
      • T1055.012: Process Hollowing
  • Discovery
    • T1082: System Information Discovery
    • T1049: System Network Connections Discovery
    • T1016: System Network Configuration Discovery
    • T1057: Process Discovery
    • T1033: System Owner/User Discovery
    • T1518: Software Discovery
      • T1518.001: Security Software Discovery
  • Persistence
    • T1546: Event Triggered Execution
    • T1547: Boot or Logon Autostart Execution
      • T1547.001: Registry Run Keys / Startup Folder
Dax Morrow

About the Author: Dax Morrow

Dax is a Security Researcher at Alien Labs, a part of AT&T Cybersecurity. He can be found on LinkedIn and Twitter.

Read more posts from Dax Morrow ›


Get the latest security news in your inbox.



Get price Free trial