OSINT - Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to significant financial loss. Qakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.
AI Analysis
Technical Summary
Qakbot and Emotet are two prominent families of information-stealing malware that have been active threats in corporate networks, particularly targeting online banking credentials and other sensitive data. Both malware strains operate primarily as banking trojans, designed to infiltrate systems, harvest credentials, and facilitate financial theft. Although technically distinct, they share behavioral similarities such as keylogging, credential harvesting, and lateral movement within compromised networks. Emotet initially emerged as a banking trojan but evolved into a modular malware loader, often delivering additional payloads including ransomware. Qakbot is known for its worm-like propagation capabilities, enabling it to spread rapidly across networked systems. These malware families typically gain initial access through phishing campaigns, malicious email attachments, or exploit kits, leveraging social engineering to bypass user defenses. Once inside a corporate environment, they establish persistence, evade detection through obfuscation and anti-analysis techniques, and exfiltrate data to attacker-controlled servers. The renewed activity of these malware strains in recent months underscores their continued relevance and adaptability in the evolving threat landscape. Their impact extends beyond direct financial theft, as compromised credentials can facilitate further intrusions, data breaches, and disruption of business operations. The technical details indicate a moderate threat level (3) and analysis score (2), reflecting ongoing but controlled risk. No known exploits in the wild or specific affected product versions are listed, suggesting these threats rely on social engineering and existing vulnerabilities rather than zero-day exploits. Overall, Qakbot and Emotet represent persistent, sophisticated threats to corporate information security, particularly targeting financial data and user credentials.
Potential Impact
For European organizations, the impact of Qakbot and Emotet infections can be substantial. The primary risk is financial loss due to theft of online banking credentials, which can lead to unauthorized transactions and direct monetary theft. Beyond immediate financial damage, these malware families can compromise the confidentiality and integrity of sensitive corporate data, including intellectual property and personal data protected under GDPR. The lateral movement capabilities of Qakbot increase the risk of widespread network compromise, potentially disrupting business continuity and causing operational downtime. Additionally, stolen credentials can be leveraged for further attacks such as ransomware deployment or spear-phishing campaigns, amplifying the overall risk. The reputational damage and regulatory penalties resulting from data breaches can also be significant for European entities. Given the modular nature of Emotet, infected systems may serve as entry points for other malware, escalating the threat landscape. The renewed activity of these trojans highlights the need for vigilance, especially in sectors with high-value financial transactions or sensitive data, such as banking, finance, healthcare, and critical infrastructure within Europe.
Mitigation Recommendations
To effectively mitigate Qakbot and Emotet threats, European organizations should implement a multi-layered defense strategy tailored to the characteristics of these malware families. First, enhance email security by deploying advanced phishing detection and sandboxing solutions that analyze attachments and links for malicious behavior. Implement strict email filtering policies and user training focused on recognizing phishing attempts. Network segmentation is critical to limit lateral movement; isolate critical systems and restrict unnecessary internal communications. Employ endpoint detection and response (EDR) tools capable of identifying behavioral indicators of these trojans, such as unusual credential access or keylogging activity. Regularly update and patch all software to close known vulnerabilities that could be exploited for initial infection. Deploy multi-factor authentication (MFA) on all remote access and critical systems to reduce the risk of credential misuse. Conduct frequent threat hunting exercises focusing on known Qakbot and Emotet indicators, and monitor network traffic for anomalous outbound connections to command-and-control servers. Additionally, maintain robust backup and recovery procedures to mitigate the impact of potential ransomware payloads delivered by these trojans. Finally, collaborate with threat intelligence sharing platforms to stay informed about emerging variants and attack campaigns targeting European organizations.
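The threat-hunting step above (sweeping for known Qakbot and Emotet indicators and watching outbound connections to listed command-and-control addresses) can be scripted directly against this record's IoCs. The following Python is an added example, not code from the page or from Microsoft: the hash, IP/port, file-path and registry values are the record's own, while the key=value firewall log format, the file inventory and the autorun entries are constructed for the example and are not real telemetry.

```python
import re
from typing import Iterable, List, Tuple

# --- Indicators taken from this record's IoC list (the page's own values) ---
KNOWN_SHA256 = {
    "da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c": "Qakbot malware",
    "ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a": "Qakbot malware",
    "4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96": "Emotet downloader",
    "ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440": "Emotet malware",
    "59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087": "Emotet malware",
}
# Port/IP pairs the record lists together (a subset, for brevity).
KNOWN_ENDPOINTS = {
    ("64.183.173.170", 995), ("67.213.243.228", 993), ("96.67.244.225", 443),
    ("174.51.185.121", 465), ("74.5.136.50", 990), ("24.184.200.177", 2222),
}
# Addresses the record lists without a port: match on the address alone (a subset).
KNOWN_IPS = {"104.236.252.178", "162.243.159.58", "45.33.55.157", "77.244.245.37"}
# File paths from the record; %APPDATA% / %WINDIR% expand differently per host,
# so only the fixed tail of each path is matched, case-insensitively.
KNOWN_PATH_TAILS = [
    re.compile(r"\\microsoft\\cexpalgxx\\cexpalgxx(32\.dll|\.exe)$", re.I),
    re.compile(r"\\system32\\netshedule\.exe$", re.I),
]
AUTORUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# Assumed log format (constructed for this example): whitespace-separated key=value fields.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def match_network(lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, reason) for every line whose destination is listed."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record: skip rather than guess
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in KNOWN_ENDPOINTS:
            hits.append((m["src"], dst, dport, "listed ip:port"))
        elif dst in KNOWN_IPS:
            hits.append((m["src"], dst, dport, "listed ip"))
    return hits


def match_files(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for files matching a listed SHA-256 or a listed path tail.

    inventory yields (full_path, sha256_hex); hashes are compared lower-case."""
    hits = []
    for path, sha256 in inventory:
        label = KNOWN_SHA256.get(sha256.lower())
        if label:
            hits.append((path, f"sha256: {label}"))
        elif any(p.search(path) for p in KNOWN_PATH_TAILS):
            hits.append((path, "listed file path"))
    return hits


def match_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, command) for HKCU Run values that launch a listed binary.

    entries yields (registry_key, value_name, command_line). The Run key itself is
    legitimate and present on every host, so the key alone is never a hit."""
    hits = []
    for key, name, command in entries:
        if key.lower() != AUTORUN_KEY:
            continue
        if any(p.search(command.strip('"')) for p in KNOWN_PATH_TAILS):
            hits.append((name, command))
    return hits


# ---- Constructed sample data (not from the page) ----
SAMPLE_LOG = [
    "2017-11-07T10:15:02Z fw src=10.1.2.33 dst=64.183.173.170 dport=995 proto=tcp action=allow",
    "2017-11-07T10:15:09Z fw src=10.1.2.33 dst=8.8.8.8 dport=53 proto=udp action=allow",
    "2017-11-07T10:16:41Z fw src=10.1.7.12 dst=104.236.252.178 dport=8080 proto=tcp action=allow",
    "2017-11-07T10:17:00Z fw heartbeat ok",
]
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Cexpalgxx\Cexpalgxx.exe",
     "0" * 64),  # constructed hash: unknown, but the path is listed
    (r"C:\Users\bob\Downloads\invoice.exe",
     "ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440"),
    (r"C:\Windows\System32\notepad.exe", "1" * 64),  # constructed hash: clean
]
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Cexpalgxx",
     r'"C:\Users\alice\AppData\Roaming\Microsoft\Cexpalgxx\Cexpalgxx.exe"'),
]

if __name__ == "__main__":
    for hit in match_network(SAMPLE_LOG) + match_files(SAMPLE_FILES) + match_autoruns(SAMPLE_AUTORUNS):
        print(hit)
```

Three design choices matter when this is run against real data: hashes are compared exactly, so a sample that differs by one byte will not match and a path or behavioural rule is still needed; paths are matched on their fixed tail only, because %APPDATA% and %WINDIR% expand to a different prefix on each host; and the HKCU Run key listed in the record exists on every Windows profile, so only its values pointing at a listed binary are reported, otherwise every host would be a false positive.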
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Spain, Poland, Belgium
Indicators of Compromise
- link: https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
SHA-256 hashes (with the SHA-1 and MD5 values the record cross-checked via VirusTotal):
- hash: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c (Qakbot malware; SHA-1 4c04c92cf88dc1a0cc4829229786ac50c1a51aa5, MD5 692802635dbd973b7944ebc8dbc22e2a)
- hash: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a (Qakbot malware; SHA-1 74153fa3ca1a97b68fdd31fa02c3e16daa03ac59, MD5 54240940b30c9f21e006d87371f490e6)
- hash: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 (Emotet downloader; SHA-1 82519982e32708e94c54ffce3c652714049a04f6, MD5 517d9598ac8aa0ef0cb7145ffd64805e)
- hash: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440 (Emotet malware; SHA-1 a33763608d07880c5ca31fd68e30355c04201c92, MD5 03b933fb1b471d7710d82d8b3f6c62b1)
- hash: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087 (Emotet malware; SHA-1 9214359938285f26785f7eaf25a74dddea678065, MD5 5aa9fa89cee3ffc4c3009e34db830de0)
VirusTotal analysis links:
- link: https://www.virustotal.com/file/da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c/analysis/1510111314/
- link: https://www.virustotal.com/file/ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a/analysis/1510257822/
- link: https://www.virustotal.com/file/4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96/analysis/1510180240/
- link: https://www.virustotal.com/file/ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440/analysis/1510558151/
- link: https://www.virustotal.com/file/59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087/analysis/1506215055/
Files:
- file: %APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx.exe
- file: %APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx32.dll
- file: %Appdata%\local\[random]\[random].exe
- file: %WINDIR%\System32\netshedule.exe
Registry keys and persistence locations:
- regkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- regkey: %appdata%\roaming\microsoft\windows\start menu\programs\startup\[random].lnk
- regkey: %localappdata%\microsoft\windows
IP addresses (no port listed):
- ip: 104.236.252.178
- ip: 162.243.159.58
- ip: 45.33.55.157
- ip: 77.244.245.37
- ip: 192.81.212.79
- ip: 173.212.192.45
- ip: 103.16.131.20
- ip: 195.78.33.200
- ip: 50.116.54.16
- ip: 212.83.166.45
- ip: 137.74.254.64
- ip: 104.227.137.34
- ip: 188.165.220.214
- ip: 85.143.221.180
- ip: 119.82.27.246
- ip: 194.88.246.7
- ip: 206.214.220.79
- ip: 173.230.136.67
- ip: 173.224.218.25
Port/IP pairs (listed together in the source feed, port first):
- port: 995, ip: 64.183.173.170
- port: 993, ip: 67.213.243.228
- port: 443, ip: 96.67.244.225
- port: 443, ip: 173.25.234.18
- port: 443, ip: 24.123.151.58
- port: 995, ip: 76.164.161.46
- port: 443, ip: 68.115.254.146
- port: 443, ip: 198.57.88.73
- port: 443, ip: 47.21.79.34
- port: 465, ip: 174.51.185.121
- port: 993, ip: 71.3.55.80
- port: 443, ip: 88.244.177.127
- port: 443, ip: 180.93.148.41
- port: 443, ip: 101.51.40.175
- port: 443, ip: 73.166.94.110
- port: 443, ip: 71.88.202.122
- port: 990, ip: 74.5.136.50
- port: 443, ip: 89.43.179.209
- port: 995, ip: 211.27.18.233
- port: 443, ip: 96.82.91.67
- port: 443, ip: 98.194.132.179
- port: 443, ip: 98.113.137.220
- port: 2222, ip: 24.184.200.177
- port: 443, ip: 105.224.247.34
Technical Details
- Threat Level: 3
- Analysis: 2
- Uuid: 5a0ac036-6fbc-4855-83af-422b950d210f
- Original Timestamp: 1511184352
Indicators of Compromise (by type)
Link
| Value | Description |
|---|---|
| https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/ | Source article |
| https://www.virustotal.com/file/59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087/analysis/1506215055/ | Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087 |
| https://www.virustotal.com/file/ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440/analysis/1510558151/ | Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440 |
| https://www.virustotal.com/file/4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96/analysis/1510180240/ | Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 |
| https://www.virustotal.com/file/ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a/analysis/1510257822/ | Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a |
| https://www.virustotal.com/file/da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c/analysis/1510111314/ | Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c |
Hash
| Value | Type | Description |
|---|---|---|
| da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c | SHA-256 | Qakbot malware |
| ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a | SHA-256 | Qakbot malware |
| 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 | SHA-256 | Emotet downloader |
| ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440 | SHA-256 | Emotet malware |
| 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087 | SHA-256 | Emotet malware |
| 9214359938285f26785f7eaf25a74dddea678065 | SHA-1 | Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087 |
| 5aa9fa89cee3ffc4c3009e34db830de0 | MD5 | Emotet malware - Xchecked via VT: 59639027a7fd487295bad10db896528ea223684e6595cae4ce9a0bec8d809087 |
| a33763608d07880c5ca31fd68e30355c04201c92 | SHA-1 | Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440 |
| 03b933fb1b471d7710d82d8b3f6c62b1 | MD5 | Emotet malware - Xchecked via VT: ffcb204da3ff72d268c8ac065c2e7cce5c65fafc2f549d92d0c280c6099bd440 |
| 82519982e32708e94c54ffce3c652714049a04f6 | SHA-1 | Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 |
| 517d9598ac8aa0ef0cb7145ffd64805e | MD5 | Emotet downloader - Xchecked via VT: 4ce5366c7eef1fff1260d5d7a0aec72c1246621838bf8df07f4a6ab3e5369d96 |
| 74153fa3ca1a97b68fdd31fa02c3e16daa03ac59 | SHA-1 | Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a |
| 54240940b30c9f21e006d87371f490e6 | MD5 | Qakbot malware - Xchecked via VT: ca2d536b91b15e7fc44ec93bbed1f0f46ae65c723b8a4823253a2a91b8241f9a |
| 4c04c92cf88dc1a0cc4829229786ac50c1a51aa5 | SHA-1 | Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c |
| 692802635dbd973b7944ebc8dbc22e2a | MD5 | Qakbot malware - Xchecked via VT: da00823090dae3dae452ddc8a4c2a3c087389b4aacf1f0c12d13c83c9fcaef9c |
File
| Value | Description |
|---|---|
| %APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx.exe | — |
| %APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx32.dll | — |
| %Appdata%\local\[random]\[random].exe | — |
| %WINDIR%\System32\netshedule.exe | — |
Regkey
| Value | Description |
|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | — |
| %appdata%\roaming\microsoft\windows\start menu\programs\startup\[random].lnk | — |
| %localappdata%\microsoft\windows | — |
Ip (with the port listed alongside the address in the source feed, where one is given)
| Value | Port | Description |
|---|---|---|
| 104.236.252.178 | — | — |
| 162.243.159.58 | — | — |
| 45.33.55.157 | — | — |
| 77.244.245.37 | — | — |
| 192.81.212.79 | — | — |
| 173.212.192.45 | — | — |
| 103.16.131.20 | — | — |
| 195.78.33.200 | — | — |
| 50.116.54.16 | — | — |
| 212.83.166.45 | — | — |
| 137.74.254.64 | — | — |
| 104.227.137.34 | — | — |
| 188.165.220.214 | — | — |
| 85.143.221.180 | — | — |
| 119.82.27.246 | — | — |
| 194.88.246.7 | — | — |
| 206.214.220.79 | — | — |
| 173.230.136.67 | — | — |
| 173.224.218.25 | — | — |
| 64.183.173.170 | 995 | — |
| 67.213.243.228 | 993 | — |
| 96.67.244.225 | 443 | — |
| 173.25.234.18 | 443 | — |
| 24.123.151.58 | 443 | — |
| 76.164.161.46 | 995 | — |
| 68.115.254.146 | 443 | — |
| 198.57.88.73 | 443 | — |
| 47.21.79.34 | 443 | — |
| 174.51.185.121 | 465 | — |
| 71.3.55.80 | 993 | — |
| 88.244.177.127 | 443 | — |
| 180.93.148.41 | 443 | — |
| 101.51.40.175 | 443 | — |
| 73.166.94.110 | 443 | — |
| 71.88.202.122 | 443 | — |
| 74.5.136.50 | 990 | — |
| 89.43.179.209 | 443 | — |
| 211.27.18.233 | 995 | — |
| 96.82.91.67 | 443 | — |
| 98.194.132.179 | 443 | — |
| 98.113.137.220 | 443 | — |
| 24.184.200.177 | 2222 | — |
| 105.224.247.34 | 443 | — |
Threat ID: 682b81078ee1a77b717bd777
Added to database: 5/19/2025, 7:05:43 PM
Last enriched: 6/18/2025, 7:33:50 PM
Last updated: 2/7/2026, 10:27:04 AM
Views: 43