top of page

QBOT Malware Analysis

QBOT, also known as QAKBOT, is a modular Trojan active since 2007 used to download and run binaries on a target machine. QBOT is a multistage, multiprocess binary that has capabilities for evading detection, escalating privileges, configuring persistence, and communicating with C2 through a set of IP addresses. The C2 can update QBOT, upload new IP addresses, upload and run fileless binaries, and execute shell commands.


ATT&CK IDS: T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1104 - Multi-Stage Channels, T1547 - Boot or Logon Autostart Execution, T1095 - Non-Application Layer Protocol, T1102 - Web Service, T1010 - Application Window Discovery, T1027 - Obfuscated Files or Information, T1033 - System Owner/User Discovery, T1055 - Process Injection, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1112 - Modify Registry, T1218 - Signed Binary Proxy Execution, T1518 - Software Discovery, T1614 - System Location Discovery

Read More:



Commenting has been turned off.
bottom of page