What is “Mal/Qbot-P”?

The Mal/Qbot-P is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

6-day free trial available.

What Mal/Qbot-P virus can do?

Drops a binary and executes it
The binary contains an unknown PE section name indicative of packing
Authenticode signature is invalid
Anomalous binary characteristics

How to determine Mal/Qbot-P?


File Info:
name: EC2400574A481794B7BE.mlw
path: /opt/CAPEv2/storage/binaries/8a560efe495b1b75f30c64e49c3decd880c20602b51d33150ab2c218f4d64ffc
crc32: 390D11DA
md5: ec2400574a481794b7bed05d4a9b1b52
sha1: d6de3935febd2164f5c465d86d3997f5c2d73bb9
sha256: 8a560efe495b1b75f30c64e49c3decd880c20602b51d33150ab2c218f4d64ffc
sha512: a38900fc9737a4aeeca6cefae965b12668f7356b294548851804e252be255b3fc441eeba2fd2eb3124343f37f53187db5873392ac44e32ff681d4f174a6330b3
ssdeep: 6144:XgnfzjrDWRoI+Q/k3HOXCCxilwn9xYwgCPOdoZI6BGwfAleHYmbB:XijrDGB+kslwn9xYFOOyZNINeHYaB
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T166846C22FA00F433C06200BDBA5992B59479B971392A194BF7E4CB2D9FF12919738F57
sha3_384: 5a4bfd10d64b1ab0d4aec78a846faf6f7afdbe09e8ede5d311f00535551caa52e1c2e824a7fc9f6a56701e4140bf3331
ep_bytes: e8ba9f0000e978feffffcccccccccccc
timestamp: 2013-01-20 20:14:04

Version Info:
Comments:                                                                                                                                                                                                                                                                    
CompanyName: Microsoft Corporation
FileDescription: Microsoft RSVP
FileVersion: 5.1.2600.0
InternalName: rsvp.exe
LegalCopyright: ﾩ Microsoft Corporation. All rights reserved.
LegalTrademarks: ﾩ Microsoft Corporation. All rights reserved.
OriginalFilename: rsvp.exe
PrivateBuild: rsvp.exe
ProductName: Microsoftﾮ Windowsﾮ Operating System
ProductVersion: 5.1.2600.0
SpecialBuild: 5.1.2600.0
Translation: 0x0409 0x04b0

Mal/Qbot-P also known as:

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Trojan.Malware.yy0@aaZ4U2pi
FireEye	Generic.mg.ec2400574a481794
CAT-QuickHeal	Trojan.Mauvaise.SL1
Skyhigh	BehavesLike.Win32.NetLoader.fh
McAfee	Downloader-FIK!EC2400574A48
Cylance	unsafe
VIPRE	Gen:Trojan.Malware.yy0@aaZ4U2pi
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
Alibaba	Trojan:Win32/Vindor.f3bf77f9
BitDefenderTheta	Gen:NN.ZexaF.36744.yy0@aaZ4U2pi
VirIT	Trojan.Win32.DownLoader8.UBN
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Rodecap.BB
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Trojan.Malware.yy0@aaZ4U2pi
Avast	Win32:MalwareX-gen [Trj]
Rising	Ransom.Blocker!8.12A (TFE:5:bCIcjKVkMPC)
Emsisoft	Gen:Trojan.Malware.yy0@aaZ4U2pi (B)
F-Secure	Trojan.TR/Small.bhoumd
DrWeb	Trojan.DownLoader8.13559
TrendMicro	TROJ_RODECAP.SMO
Trapmine	malicious.high.ml.score
Sophos	Mal/Qbot-P
Ikarus	Trojan.Win32.Small
GData	Gen:Trojan.Malware.yy0@aaZ4U2pi
Jiangmin	Trojan/Generic.azpcd
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Small.bhoumd
Antiy-AVL	Trojan/Win32.Unknown
Kingsoft	Win32.Trojan.Generic.a
Xcitium	TrojWare.Win32.Agent.AWR@4ri3wg
Arcabit	Trojan.Malware.E7CF48
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Trojan:Win32/Small.BH
Varist	W32/SmallDl.F.gen!Eldorado
AhnLab-V3	Trojan/Win32.Blocker.R82934
Acronis	suspicious
ALYac	Gen:Trojan.Malware.yy0@aaZ4U2pi
MAX	malware (ai score=87)
VBA32	BScope.Trojan.Downloader
Malwarebytes	Generic.Malware.AI.DDS
Panda	Generic Suspicious
TrendMicro-HouseCall	TROJ_RODECAP.SMO
Tencent	Malware.Win32.Gencirc.10b2aee3
Yandex	Trojan.GenAsa!6KhuQuHc76g
SentinelOne	Static AI – Malicious PE
Fortinet	W32/Rodecap.BBC!tr
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.5febd2
DeepInstinct	MALICIOUS

How to remove Mal/Qbot-P?

Mal/Qbot-P removal tool

Download and install GridinSoft Anti-Malware.
Open GridinSoft Anti-Malware and perform a “Standard scan“.
“Move to quarantine” all items.
Open “Tools” tab – Press “Reset Browser Settings“.
Select proper browser and options – Click “Reset”.
Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment X