Qakbot Historical Bot Infections Special Report

LAST UPDATED: 2023-09-22

This Special Report contains information about IP addresses and computer systems that are believed to have been infected with Qakbot malware during the period July 2019 to August 2023. It is a result of the US-led law enforcement operation against Qakbot that was announced on August 29th 2023. You can read more about this one-off Special Report in our blog post announcing it here.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24 hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24 hour period, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and hopefully acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across special reports may differ on a case by case basis, hence the report formats for different Special Reports may be different.

The data in this Qakbot Historical Bot Infections Special Report was provided to Shadowserver by the FBI to disseminate to National CERTs/CSIRTs and network owners globally, to maximise remediation efforts.

Note that exact timestamps were not available for individual events, so the timestamp field is set to “2023-08-24 00:00:00”. Since only the first and last seen time for an infection was recorded in the Qakbot database, the first and last seen dates for an infected victim system represent a date range when an infection was likely active. However, there could have been multiple infections during that time period for shorter individual time periods (and therefore periods without an active infection).

Filename prefix: 2023-08-24-special. Note: this is accessible in the API using 2023-08-24 as the search date.

Fields

  • timestamp
    The timestamp has been set to "2023-08-24 00:00:00" to represent when this one-off data set was collected
  • ip
    IP address of the affected device. In this case, the last IP address an infected victim bot was using at the last seen time (note that the bot may have changed IP addresses over time, but only the last seen IP address is available)
  • port
    TCP or UDP port identified
  • protocol
    Protocol associated with the malicious activity
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example, "infeceted" (was historically infected with the Qakbot malware)
  • detail
    Unused
  • account
    The Microsoft Windows user name of the infected users on the infected victim system
  • first_seen_time
    The time an infected victim bot was first seen by the Qakbot backend
  • last_seen_time
    The time an infected victim bot was last seen by the Qakbot backend (note that there could have been multiple infections, but only the last seen time is available)
  • potential_exposure_time
    The number of seconds between first and last seen times for this bot
  • windows_host_name
    The Microsoft Windows computer host name of the infected victim system
  • windows_domain_name
    The Microsoft Windows active directory name or workgroup name of the infected victim system
  • os_version
    The operating system version of the infected victim system, as reported by the operating system directly
  • os_version_wmi
    The operating system version of the infected victim system, as reported by the operating system via the Windows Management Interface
  • qakbot_exe_path
    The file system path where the Qakbot binary was located on the infected victim system
  • qakbot_exe_timestamp
    The time stamp of the Qakbot binary
  • qakbot_uptime
    The last reported uptime of the Qakbot malware on the infected victim system (malware, not operating system)

Sample

timestamp,ip,port,protocol,asn,geo,region,city,hostname,naics,sector,tag,public_source,status,detail,account,first_seen_time,last_seen_time,potential_exposure_time,windows_host_name,windows_domain_name,os_version,os_version_wmi,qakbot_exe_timestamp,qakbot_uptime
8/24/23 0:00,192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,qakbot-fbi,infected,,User1,7/16/19 19:37,8/20/20 2:59,34586502,MYPC1,WORKGROUP,6.1.1.7601.1.0.0100,Microsoft Windows 7 Professional,8/18/20 20:00,810636
8/24/23 0:00,192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,,qakbot-fbi,infected,,User2,7/16/19 19:37,8/16/19 14:05,2658464,MYPC2,FINANCE,6.1.1.7600.0.0.0100,Microsoft Windows 7 Professional,8/15/19 19:32,7933
8/24/23 0:00,192.168.0.3,,,64512,ZZ,Region,City,node03.example.com,0,,,qakbot-fbi,infected,,User3,7/16/19 19:37,9/11/19 17:49,4918319,MYPC3,CORPNET,6.3.1.9600.0.0.0100,Microsoft Windows 8.1 Enterprise,9/10/19 10:37,1182

Our 131 Report Types

« Back to Network Reporting