
Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

  • Microsoft Defender Security Research Team

The threat to sensitive financial information is greater than ever. Data breaches, phishing attacks, and other forms of information theft are all too common in today’s threat landscape. Point-of-sale systems and ATMs have been targeted by hackers. Information-stealing trojans pose a risk to data and can lead to significant financial loss.

Qakbot and Emotet are information stealers that have been showing renewed activity in recent months. These malware families are technically different, but they share many similarities in behavior. They both have the ultimate goal of stealing online banking credentials that malware operators can then use to steal money from online banking accounts. They can also steal other sensitive information using techniques like keylogging.

Figure 1. Qakbot and Emotet monthly machine encounters show an upward trend. This data doesn’t include Qakbot and Emotet variants blocked by automation and cloud rules.

Even though these malware families are typically known to target individual online banking users, more and more enterprises, small and medium businesses, and other organizations have been affected by indiscriminate infections.

Figure 2. Breakdown of Qakbot and Emotet machine encounters

Recent variants of these malware families have spreading capabilities, which can increase the chances of multiple infections in corporate networks. They can also be spread by other malware during the lateral movement stage of a cyberattack.

Typical Qakbot and Emotet kill chain

Over the years, the cybercriminals behind Qakbot and Emotet have improved the code behind their malware. They have evolved to evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.

We mapped some of the common behaviors we’ve seen in Qakbot and Emotet variants and see a lot of similarities.

Figure 3. Qakbot and Emotet attack kill chain. Note that some Qakbot and Emotet variants might not exhibit all of the behaviors above and might be capable of unique routines.

Because of similarities in behavior, Qakbot and Emotet can be mitigated by similar security measures.

Steps to mitigate Qakbot and Emotet

Based on our experience helping organizations get rid of Qakbot and Emotet, the following steps mitigate infection and ultimately remove the said malware from corporate networks:

  1. Stop the spread of malware and cut off communication with its command-and-control server

    • Cut off Internet access or disconnect the affected machines from the network until they have been cleaned. Windows Defender Advanced Threat Protection customers can isolate affected machines with one click. You can also block infected machines at the edge firewall, unplug machines from the network, or create outbound block rules in Windows Defender Firewall with Advanced Security and push them out via Group Policy Objects (GPO).
    • Stop sharing folders that show signs of infection, or set shared folders to read-only. Removing the administrative shares (ADMIN$, C$) is an option that should only be used as a last resort, as it can cause other issues and hinder management.
    • Practice credential hygiene. Remove unnecessary privileges, and disable privileged accounts that have been observed spreading the malware over SMB.
  2. Look for new service creations and scheduled tasks

    • Look for new service creations by tracking event ID 7045 ("A service was installed in the system") in the System log. We’ve observed these threats create services whose service name and .exe name are randomly generated numeric strings, and then clean them up afterwards, so the event log entry may be the only trace left on the machine.
    • Look for new scheduled tasks using event ID 106 ("Task registered") in the Microsoft-Windows-TaskScheduler/Operational log (make sure that log is enabled; where object-access auditing is turned on, event ID 4698 in the Security log records task creation as well). Correlating these events with 7045 across hosts helps track down which machines the malware has reached.
  3. Remove Qakbot, Emotet, and other related malware

  4. Monitor the network for possible reinfection

    • Determine and address the initial attack vector. Use security solutions like Windows Defender ATP, which provides detailed timelines and other contextual information to understand the nature of attacks and take response actions.
    • Slowly reintroduce network connectivity to the subset of the machines that have been cleaned. Monitor them for reinfection.
    • Reintroduce network connectivity to all affected machines that are believed to be clean.
    • Turn on real-time protection in your antivirus. In Microsoft Security Essentials and Windows Defender Antivirus for Windows 10, enable cloud-based protection and automatic sample submission. With these features enabled, Windows Defender Antivirus provides advanced real-time protection against never-before-seen threats.
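The service and scheduled-task hunt from step 2, combined with the network cut-off from step 1, as an added PowerShell example that is not part of the original post. It assumes PowerShell 5.1 on Windows 10 or Windows Server 2016 with administrative rights on the target; the "suspicious" heuristics (all-digit service names, image paths under %APPDATA%) and the -Isolate switch are this script's own assumptions, generalised from the behaviour described above, and should be tuned to your environment before being relied on.

```powershell
# Added example, not code from the original post. Run as administrator.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7),
    [switch]$Isolate    # assumption: only block traffic when explicitly asked
)

# Pull named fields out of an event's EventData XML so we do not depend on the
# positional order of $event.Properties, which differs between event IDs.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Event ID 7045 (System log): a new service was installed.
$services = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'System'; Id = 7045; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ServiceName = Get-EventDataField $_ 'ServiceName'
        ImagePath   = Get-EventDataField $_ 'ImagePath'
        Account     = Get-EventDataField $_ 'AccountName'
        Suspicious  = $false
    }
}

# Event ID 106 (Task Scheduler operational log): a task was registered.
$tasks = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        TaskName = Get-EventDataField $_ 'TaskName'
        User     = Get-EventDataField $_ 'UserContext'
    }
}

# Heuristics (assumed) from the behaviour described above: a service named with a
# random numeric string, or whose binary lives under %APPDATA% instead of System32.
foreach ($s in $services) {
    if ($s.ServiceName -match '^\d+$' -or
        $s.ImagePath -match '(?i)\\AppData\\Roaming\\Microsoft\\' -or
        $s.ImagePath -match '(?i)%APPDATA%') {
        $s.Suspicious = $true
    }
}

"== New services on $ComputerName since $Since =="
$services | Sort-Object Time | Format-Table Time, ServiceName, ImagePath, Account, Suspicious -AutoSize
"== New scheduled tasks =="
$tasks | Sort-Object Time | Format-Table Time, TaskName, User -AutoSize

# Step 1: if the host is confirmed infected, cut it off while it is cleaned. This
# creates a local outbound block rule in Windows Defender Firewall; push the same
# rule through GPO for a fleet-wide response.
if ($Isolate -and ($services | Where-Object Suspicious)) {
    New-NetFirewallRule -DisplayName 'IR-Isolate-Qakbot-Emotet' -Direction Outbound `
        -Action Block -Enabled True -Profile Any | Out-Null
    Write-Warning "Suspicious service creation found on $ComputerName; outbound traffic blocked."
}
```

Run it against each machine you suspect (for example `.\Hunt-ServiceTask.ps1 -ComputerName WS-042 -Since (Get-Date).AddDays(-30)`); remote event log access needs the Remote Event Log Management firewall group open on the target. Remove the isolation rule with `Remove-NetFirewallRule -DisplayName 'IR-Isolate-Qakbot-Emotet'` once the host is clean, as step 4 describes.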

Preventing Qakbot and Emotet infections with Windows 10

While the steps above can rid networks of Qakbot and Emotet, preventing infection eliminates opportunities for these threats to steal info. Windows 10 S is a streamlined platform with Microsoft-verified security. It blocks malware like Qakbot and Emotet and other malicious programs by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.

Additionally, Windows 10 has a comprehensive defense stack that can help block and detect malware like Qakbot and Emotet.

Use Microsoft Edge to block Qakbot and Emotet infections from the web. Microsoft Edge opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads. Its click-to-run feature for Flash can stop malware infections that begin with exploit kits. With Windows Defender Application Guard, Microsoft Edge has an additional hardware isolation-level capability on top of its exploit mitigation and sandbox features.

Block malicious emails carrying the trojan droppers that install Qakbot and Emotet with Microsoft Exchange Online Protection (EOP), whose built-in anti-spam and anti-malware filtering helps protect Office 365 customers. Secure mailboxes against email attacks with Office 365 Advanced Threat Protection, which blocks unsafe attachments, malicious links, and linked-to files using time-of-click protection.

Enable Windows Defender Exploit Guard to block malicious documents (such as those that use macro code to install Qakbot and Emotet, or the more recent DDEDownloader that installs other malware) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in rules that block the malicious behaviors observed in weaponized documents, such as an Office application spawning a child process or calling Win32 APIs from a macro. ASR rules can also be turned on to block executable attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Use Credential Guard to protect domain credentials and help stop malware from spreading using compromised credentials.

Use Local Administrator Password Solution (LAPS) to give each domain-joined computer a unique, regularly rotated local administrator password, so that a single stolen local credential cannot be reused to spread across the network.

Enable Windows Defender AV to detect Qakbot and Emotet variants, as well as all related malware such as droppers and downloaders. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques and enhanced behavior analysis to detect common and complex malware code. It provides advanced real-time protection against new and unknown files using the Windows Defender AV cloud protection service.
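The ASR and cloud-protection settings from the two paragraphs above, as an added PowerShell example that is not part of the original post. It assumes Windows 10 Fall Creators Update (version 1709) or later with Windows Defender AV active, run as administrator. The rule GUIDs are Microsoft's published ASR rule identifiers; the -Audit switch is this script's own option.

```powershell
# Added example, not code from the original post. Run as administrator.
param([switch]$Audit)

# ASR rules that match the delivery methods discussed above (published GUIDs).
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Start in audit mode (events only, nothing blocked) to find legitimate workflows
# that trip a rule; switch to Enabled once the audit events look clean.
$mode = if ($Audit) { 'AuditMode' } else { 'Enabled' }

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    '{0,-9} {1}' -f $mode, $asrRules[$id]
}

# Real-time protection, cloud-delivered protection and automatic sample submission,
# as recommended in the mitigation steps above.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# Verify what is now in effect rather than trusting the calls succeeded.
$pref = Get-MpPreference
$pref | Select-Object MAPSReporting, SubmitSamplesConsent, DisableRealtimeMonitoring
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} => {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
# Rule hits are logged under Applications and Services Logs > Microsoft > Windows >
# Windows Defender > Operational: event ID 1121 (blocked) and 1122 (audit mode).
```

Run with `-Audit` first and review the 1122 events for a week or two before removing the switch; a line-of-business macro that legitimately spawns a process will otherwise break the day the rules go live. The same settings can be deployed fleet-wide through Group Policy or Intune, which is the preferred route for anything beyond a handful of machines.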

Use Windows Defender Advanced Threat Protection to flag Qakbot or Emotet infections and to enable security operations personnel to stop the spread of these threats in the network. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, command-and-control communication, and lateral movement. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to attacks.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Figure 4. Machine learning-based alert in Windows Defender ATP showing suspicious memory injections and registry modifications

These end-to-end security features in Windows 10 help defend against increasingly complex malware attacks. At Microsoft, we continue to harden Windows 10 against attacks. With Fall Creators Update, we shipped several new and enhanced security features that make Windows 10 the most secure version of Windows yet. Learn more about these features:

It is also important for organizations to augment these security technologies with a security-aware workforce. Educating employees on social engineering attacks and internet safety, and training them to report suspicious emails or websites can go a long way in protecting networks against cyberattacks.


Keith Abluton, Windows Escalation Services

Rodel Finones, Windows Defender Research


Indicators of compromise

The following are IOCs for recent Qakbot and Emotet variants:


Qakbot malware (SHA256):




%APPDATA%\Microsoft\<random folder name>\<random file name>, for example:

%APPDATA%\Microsoft\Cexpalgxx\Cexpalgxx32.dll (configuration file)

Registry modifications:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: <random value name>

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name>”

In subkey: HKLM\SYSTEM\CurrentControlSet\services\<random service name>

Sets value: ImagePath

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name> /D”

Sets value: Type

With data: dword:00000010

Sets value: “Start”

With data: dword:00000002

Sets value: “DisplayName”

With data: “Remote Procedure Call (RPC) Service”

Sets value: “ErrorControl”

With data: dword:00000000

Sets value: “DependOnService”

With data: “Dnscache”

Sets value: “ObjectName”

With data: “LocalSystem”

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: ctfmon.exe

With data: “%APPDATA%\Microsoft\<random folder name>\<random file name>” /c “%System Folder%\ctfmon.exe”

Command-and-control servers:


Emotet downloader (SHA256):


Emotet malware (SHA256):




%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[random].lnk (%APPDATA% already resolves to the user’s Roaming profile folder)


%localappdata%\microsoft\windows

C:\Windows\System32\netshedule.exe (service binary; see ImagePath below)

Registry modifications:

In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule

Sets value: Type

With data: dword:00000010

Sets value: Start

With data: dword:00000002

Sets value: ErrorControl

With data: dword:00000000

Sets value: ImagePath

With data: “C:\Windows\system32\netshedule.exe”

Sets value: DisplayName

With data: “netshedule”

Command-and-control servers:
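A host sweep for the registry and file-system persistence artifacts listed in the IOC section above, as an added PowerShell example that is not part of the original post. It assumes PowerShell 5.1 run as administrator on the machine being checked, and it looks only for the patterns documented above (the HKCU Run entries, the randomly named service masquerading as "Remote Procedure Call (RPC) Service", the netshedule service and binary, the Startup .lnk, and the <name>32.dll configuration file under %APPDATA%\Microsoft). A hit is a lead for analysis, not confirmation on its own.

```powershell
# Added example, not code from the original post. Run as administrator.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# --- Qakbot: HKCU Run values that launch a binary from %APPDATA%\Microsoft\<random>\
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not Run values
        $data = [string]$p.Value
        if ($data -match '(?i)(%APPDATA%|\\AppData\\Roaming)\\Microsoft\\[^\\]+\\[^\\]+') {
            Add-Finding 'Run key (AppData launcher)' "$runKey\$($p.Name)" $data
        }
        # The "ctfmon.exe" value that runs the payload with the real ctfmon as argument.
        if ($p.Name -ieq 'ctfmon.exe' -and $data -match '(?i)ctfmon\.exe') {
            Add-Finding 'Run key (ctfmon wrapper)' "$runKey\$($p.Name)" $data
        }
    }
}

# --- Services: Qakbot's random service name with DisplayName "Remote Procedure Call
# (RPC) Service" and an ImagePath under %APPDATA% ending in /D; Emotet's netshedule.
# CurrentControlSet is the live view of the ControlSet001 key named in the IOCs.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    $name  = $svc.PSChildName
    $image = [string]$props.ImagePath
    $disp  = [string]$props.DisplayName
    if ($name -ieq 'netshedule' -or $image -match '(?i)\\netshedule\.exe') {
        Add-Finding 'Service (Emotet pattern)' "$svcRoot\$name" $image
    }
    elseif ($disp -eq 'Remote Procedure Call (RPC) Service' -and $name -ne 'RpcSs') {
        Add-Finding 'Service (Qakbot RPC masquerade)' "$svcRoot\$name" $image
    }
    elseif ($image -match '(?i)(%APPDATA%|\\AppData\\Roaming)\\Microsoft\\.*\s/D\s*$') {
        Add-Finding 'Service (Qakbot ImagePath)' "$svcRoot\$name" $image
    }
}

# --- Files: Emotet startup .lnk and netshedule.exe; Qakbot's <folder>32.dll config.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Startup .lnk' $_.FullName $shell.CreateShortcut($_.FullName).TargetPath
}
$netshed = Join-Path $env:SystemRoot 'System32\netshedule.exe'
if (Test-Path $netshed) {
    Add-Finding 'File (Emotet)' $netshed (Get-FileHash $netshed -Algorithm SHA256).Hash
}
Get-ChildItem (Join-Path $env:APPDATA 'Microsoft') -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    # Documented naming: folder Cexpalgxx holds Cexpalgxx32.dll (configuration file).
    $cfg = Get-ChildItem $_.FullName -Filter "$($_.Name)32.dll" -ErrorAction SilentlyContinue
    if ($cfg) { Add-Finding 'AppData folder (Qakbot config)' $_.FullName $cfg.Name }
}

if ($findings.Count -eq 0) { 'No documented Qakbot/Emotet persistence artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because the Run-key and Startup-folder artifacts live in the user's profile, run the sweep in the context of each user who logs on to the machine, or enumerate HKU and the per-user profile folders from an admin session. Hash any file it surfaces before removing it so the indicator can be shared with the rest of the fleet.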




