Full Report
QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems.
Analysis Summary
# Tool/Technique: QBot (Qakbot/Pinkslipbot)
## Overview
QBot, also known as Qakbot or Pinkslipbot, is a long-standing, modular information stealer first seen active in 2007. It historically functions as a banking Trojan, specializing in stealing financial data from infected systems.
## Technical Details
- Type: Malware family
- Platform: Windows (Inferred from process names like `explorer.exe`, VBS execution, and common Windows API usage)
- Capabilities: Information stealing, banking Trojan functionality, modular architecture, process injection, C2 communication obfuscation, persistence via registry and scheduled tasks.
- First Seen: 2007
## MITRE ATT&CK Mapping
*Note: Mappings are derived from the described techniques (Delivery, Persistence, Process Injection, C2 Communication).*
- T1566 - Initial Access
  - T1566.001 - Phishing: Spearphishing Attachment (delivered via malicious zip/VBS)
- T1037 - Execution
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell (implied by the VBS execution chain)
- T1547 - Persistence
  - T1547.001 - Registry Run Keys / Startup Folder (uses `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`)
  - T1053.005 - Scheduled Task/Job
- T1055 - Process Injection
  - T1055.011 - Process Hollowing (uses `CreateProcessW`, `ZwCreateSection`, `ZwMapViewOfSection`, `ZwWriteVirtualMemory`, `ResumeThread`)
- T1071 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (implied by HTTP downloads and C2 communication)
## Functionality
### Core Capabilities
- **Delivery Mechanism:** Delivered via Malspam (phishing emails containing links to malicious zipped files, which contain obfuscated VBS files that download the executable).
- **Unpacking:** Utilizes a custom packer, unpacking code into memory allocated with `VirtualAlloc()` and made executable with `VirtualProtect()`.
- **String Encryption:** Most strings are encrypted and decrypted dynamically using XOR with a hardcoded byte array, based on an index.
- **Configuration Management:** Stores critical information (Campaign ID, C2 details, victim IP) in an RC4 encrypted configuration file.
- **Persistence:** Achieved by creating a registry key in `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and creating a scheduled task that runs every 5 hours.
- **Core Module Loading:** Injects code into legitimate processes and loads an RC4-decrypted core DLL resource (Resource ID "307").
### Advanced Features
- **Process Hollowing:** Injects its unpacked code into target processes (`explorer.exe`, `mobsync.exe`, `iexplorer.exe`) by starting them suspended, manipulating memory sections (`Zw*` APIs), and redirecting execution flow (`ResumeThread`).
- **Modular Architecture:** Loads a core module (Resource ID "311") which contains most of the functionality, including the list of C2 servers.
- **C2 Infrastructure Obfuscation:** Uses a large list of C2 servers, many of which act as proxies/intermediate nodes to hide the true backend infrastructure.
- **Resource Decryption:** Uses the first 20 bytes of each resource as the RC4 key for decrypting the remainder of that resource.
- **Self-Overwriting:** Drops an executable copy and overwrites itself with a legitimate executable file (e.g., `"calc.exe"`).
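The resource layout described above (a 20-byte RC4 key prefix followed by the RC4-encrypted remainder) is simple enough to decode in a few lines. The following is an added analyst-side example, not code from the original report or from the malware: `decrypt_resource` assumes the key occupies exactly the first 20 bytes and the ciphertext starts immediately after, and the sample blob is a constructed fixture, not real malware data.

```python
"""Decode a QBot-style RC4 resource where the first 20 bytes are the key.
Added example for analysts; the sample resource below is constructed."""

KEY_LEN = 20  # the report: first 20 bytes of each resource are the RC4 key


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA; the cipher is symmetric, so this both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_resource(blob: bytes) -> bytes:
    """Split an extracted resource into key prefix and ciphertext, then decrypt."""
    if len(blob) <= KEY_LEN:
        raise ValueError("resource too short to hold a 20-byte key plus payload")
    return rc4_crypt(blob[:KEY_LEN], blob[KEY_LEN:])


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decrypted core DLL: PE images begin with 'MZ'."""
    return data[:2] == b"MZ"


def build_sample_resource(key: bytes, plaintext: bytes) -> bytes:
    """Constructed test fixture only: emulate the layout key || RC4(key, plaintext)."""
    if len(key) != KEY_LEN:
        raise ValueError("fixture key must be exactly 20 bytes")
    return key + rc4_crypt(key, plaintext)


if __name__ == "__main__":
    # Constructed fixture: a fake PE header stands in for the core DLL.
    fake_dll = b"MZ" + b"\x90" * 14 + b"PE\x00\x00"
    blob = build_sample_resource(bytes(range(1, 21)), fake_dll)
    print("decrypted resource looks like a PE:", looks_like_pe(decrypt_resource(blob)))
```

In practice the blob would come from the resource section of an unpacked sample (for example via `pefile`); a decrypted result that does not start with `MZ` is a quick signal that the sample uses a different key length or layout.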
## Indicators of Compromise
- File Hashes: [None provided in the context]
- File Names: QBot executable dropper (likely disguised), `"calc.exe"` (used for overwriting dropped copy).
- Registry Keys: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (for persistence)
- Network Indicators:
  * Initial Download Locations (defanged):
    * `hXXp://st29[.]ru/tbzirttmcnmb/88888888.png`
    * `hXXp://restaurantbrighton[.]ru/uyqcb/88888888.png`
    * `hXXp://royalapartments[.]pl/vtjwwoqxaix/88888888.png`
    * `hXXp://alergeny.dietapacjenta[.]pl/pgaakzs/88888888.png`
    * `hXXp://egyorg[.]com/vxvipjfembb/88888888.png`
  * C2 IPs/Ports (examples from the configuration file and C2 list):
    * `187.163.101.137:995`
    * Various IPs contacted on ports 2222, 443, 993, 995, 32102, 465, 53, 2078, 80, 3389 (the full list is provided in the source context and is too extensive to reproduce here).
- Behavioral Indicators: Use of `VirtualAlloc/VirtualProtect` followed by memory manipulation APIs (`ZwCreateSection/ZwMapViewOfSection/ZwWriteVirtualMemory`) indicating unpacking or injection; execution via VBS script; process injection into system processes like `explorer.exe` using Process Hollowing.
## Associated Threat Actors
- The article does not explicitly name a specific threat actor group known to use QBot in this excerpt, but it is historically associated with various cybercriminal groups engaging in financial fraud and ransomware delivery (Emotet often served as a precursor/dropper).
## Detection Methods
- Signature-based detection: Signatures targeting the custom packer or specific XOR/RC4 decryption routines.
- Behavioral detection: Monitoring for suspicious API calls related to memory manipulation in combination with thread suspension/resumption (`CreateProcessW` (suspended) -> `Zw*` APIs -> `ResumeThread`). Monitoring for VBS or script execution downloading executables over HTTP.
- YARA rules: Likely exist targeting the configuration blob structure or known string decryption cross-references (e.g., the script provided could inform rule creation targeting the constant byte array `0x410120`).
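The behavioral chain above (a process created suspended, section-mapping and memory-write calls against it, then `ResumeThread`) can be checked per process over an API trace. The following is an added detection example, not from the original report; the trace line format (`<pid> <api> <args>`) and the sample lines are constructed, and the check requires the whole chain so that a lone `ZwMapViewOfSection` from a legitimate program is not flagged.

```python
"""Flag the process-hollowing chain described in the report:
CreateProcessW (CREATE_SUSPENDED) -> Zw* section/memory APIs -> ResumeThread.
Added detection example; trace format and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed trace format: one API call per line, "<pid> <api> <key=value ...>".
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit for a suspended primary thread
SECTION_APIS = {"ZwCreateSection", "ZwMapViewOfSection", "ZwWriteVirtualMemory"}

SAMPLE_TRACE = """
4120 CreateProcessW image=C:\\Windows\\explorer.exe flags=0x4
4120 ZwCreateSection handle=0x1a4
4120 ZwMapViewOfSection handle=0x1a4
4120 ZwWriteVirtualMemory addr=0x400000
4120 ResumeThread tid=5088
2200 CreateProcessW image=C:\\Windows\\notepad.exe flags=0x0
2200 ResumeThread tid=3312
3300 CreateProcessW image=C:\\Windows\\explorer.exe flags=0x4
3300 ZwMapViewOfSection handle=0x20c
3300 ResumeThread tid=4411
"""


def parse(lines):
    """Yield (pid, api, args) tuples, skipping blank or malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["pid"]), m["api"], m["args"]


def find_hollowing(lines):
    """Return the pids whose calls complete the full suspended-create chain."""
    state = defaultdict(lambda: {"suspended": False, "apis": set(), "resumed": False})
    for pid, api, args in parse(lines):
        st = state[pid]
        if api == "CreateProcessW":
            flags = re.search(r"flags=(0x[0-9a-fA-F]+)", args)
            if flags and int(flags.group(1), 16) & CREATE_SUSPENDED:
                st["suspended"] = True
        elif api in SECTION_APIS and st["suspended"]:
            st["apis"].add(api)  # only count section/memory calls after a suspended create
        elif api == "ResumeThread" and st["apis"] == SECTION_APIS:
            st["resumed"] = True  # resume only completes the chain once all three are seen
    return sorted(pid for pid, st in state.items() if st["resumed"])


if __name__ == "__main__":
    print("suspicious pids:", find_hollowing(SAMPLE_TRACE.splitlines()))
```

Only pid 4120 completes the chain; pid 2200 is a normal start and pid 3300 maps a section without the write, so neither is reported.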
## Mitigation Strategies
- **Prevention measures:** Implement robust email filtering to block malicious attachments (like zip files containing scripts). Employ application whitelisting to prevent unsigned/unapproved executables from running.
- **Hardening recommendations:** Disable or restrict VBScript execution engine usage when not strictly necessary. Regularly update systems to patch vulnerabilities that might allow arbitrary code execution from phishing links. Implement strong endpoint protection capable of detecting process hollowing techniques.
## Related Tools/Techniques
- **Emotet:** Mentioned as a malware family that may drop QBot.
- **Banking Trojans:** Similar functionality to Zeus/TrickBot in its historical goal of financial data theft.