W32/Qbot.BK!tr

Analysis

  • It drops the following files:
    • %LocalAppData%\Microsoft\[RandomName_1].wpl: This file is detected as JS/Obfuscated!tr
    • %AppData%\Microsoft\[RandomName_1]i\[RandomName_2].dll: This is a non-malicious data file.
    • %AppData%\Microsoft\[RandomName_1]i\[RandomName_1].exe: This file is detected as W32/Qbot.BK!tr

  • The following registry modifications are applied:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        • [RandomName_3] = "%AppData%\Microsoft\[RandomName_4]\[RandomName_1].exe"
        This automatically executes the dropped file every time the infected user logs on.

  • It performs DNS queries on the following names:


  Recommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    FortiGate: Extreme
    FortiClient: Extended
    FortiMail: Extended
    FortiSandbox: Extended
    FortiWeb: Extended
    Web Application Firewall: Extended
    FortiIsolator: Extended
    FortiDeceptor: Extended
    FortiEDR

    Version Updates

    Date Version Detail
    2021-04-27 85.00761
    2019-12-31 74.20000 Sig Updated
    2019-11-19 73.20100 Sig Updated
    2019-11-19 73.18900 Sig Added
    2019-10-22 72.51600 Sig Updated
    2019-09-08 71.46900 Sig Added