Skip to content

Hide Navigation Hide TOC

Qbot (421a3805-7741-4315-82c2-6c9aa30d0953)

Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.

Cluster A Galaxy A Cluster B Galaxy B Level
Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) Botnet ProLock (c4417bfb-717f-48d9-bd56-bc9e85d07c19) Ransomware 1
Qbot (421a3805-7741-4315-82c2-6c9aa30d0953) Botnet BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) Ransomware 1
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware BlackBasta (9db5f425-fe49-4137-8598-840e7290ed0f) Ransomware 2
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware BlackByte (1c43524e-0f2e-4468-b6b6-8a37f1d0ea87) Ransomware 3
Conti (201eff54-d41e-4f70-916c-5dfb9301730a) Ransomware QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) Ransomware 3
Mountlocket (7513650c-ba09-49bf-b011-d2974c7ae023) Ransomware QuantumLocker (0ca6ac54-ad2b-4945-9580-ac90e702fd2c) Ransomware 4