
Zscaler Blog


Security Research

Resurgence of the QakBot Stealer from Newly Registered Domains

May 04, 2020 - 8 min read

The Zscaler ThreatLabZ team is constantly on the lookout for trending and evolving techniques used by malware authors to infiltrate victims' machines, steal information, and carry out other malicious activities. Recently, we observed newly registered domains (NRDs) specifically created to distribute QakBot, a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.

These malicious Office documents are used for the delivery of payloads and are often involved in targeted attacks. ThreatLabZ has analyzed thousands of malicious documents from different campaigns, and this blog will outline our analysis of the obfuscated macro used to deliver the QakBot stealer.

Malicious Office macro analysis:

We noted a campaign using malicious Office documents with the filename Operating Agreement_<integervalue>.doc, and we detonated the file in our sandbox to see what would happen if a user opened it. The user would see the following notice before enabling the macro.




The filenames and hashes for these attachments are as follows:

| MD5 | File Type | File Name |
|---|---|---|
| 35c410f461d0568449e8e1ce9071c9c8 | DOCM | Operating Agreement_11.doc |
| fc3ce33366a6a958190e1191381cd88a | DOCM | Operating Agreement_1.doc |
| 0662a56970ab101c3cc3ffd28f1e8611 | DOCM | Operating Agreement_12.doc |
| ef5f8a577667c01ca4e888fc92fbc2ba | DOCM | Operating Agreement_4.doc |
| ff3fb1ca6740a8bcfad9240931f58fd6 | DOCM | Operating Agreement_1.doc |
| 0045b7c3d514c62806f215ad6b2c009d | DOCM | Operating Agreement_22.doc |
| 78c96b3b71c6dc7c6a9462b85836cc12 | DOCM | Operating Agreement_11.doc |
| c8a121c6f5c23ee55d2d0d96d8dd6736 | DOCM | Operating Agreement_25.doc |
| ad00392f05ff38447fbd9cb6adc5e820 | DOCM | Operating Agreement_40.doc |
| 47a48a09467c0627e253da4e0caff9cc | DOCM | Operating Agreement_33.doc |
| 7f699f567aa1ee82d7d951acd1d1ed95 | DOCM | Operating Agreement_8.doc |
| 9c601faf5047ee6a783ee1d6d2b14327 | DOCM | Operating Agreement_20.doc |
| bcb055c370178754930305890f763988 | DOCM | Operating Agreement_34.doc |


The macro is password-protected, but we were able to extract it after tweaking the code. At first glance, the many userforms in the macro suggest that they merely hold code; the macro, however, actively uses them to perform its actions, including:

  • Copying hardcoded, obfuscated data from the userform, decrypting it, and placing it back in the userform under different "properties" sections, such as captions and tags, and from there executing PowerShell to download the payload from the command-and-control (C&C) server.


Once the macro is enabled, it generates a fake popup window to make the user believe the system is busy performing a legitimate function. This is similar to the activity we examined in the TA505 APT and Emotet campaigns. The window is displayed while the macro carries out its malicious activity.


File system persistence:

It drops .bat files to the following paths:

  • C:\Users\Public\tmp.bat
  • tmp.bat in turn creates the directory C:\Users\Public\tmpdir and writes C:\Users\Public\tmpdir\tmps1.bat

Functionality of tmps1.bat:

C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2 & C:\Users\Public\tmpdir\[payload].exe

The payload is run after the choice command times out and selects its default. The choice command was absent from some earlier Windows versions but is available in Windows Vista and later.

The choice command pauses a batch file or script until the user selects from a set of choices (or a timeout picks the default), which here serves as a short delay.

  • /C : Specifies the list of choices to be created. The default list is "YN".
  • Y : The only choice offered here; it means Yes and is the value displayed in the prompt.
  • /N : Hides the list of choices in the prompt. The message before the prompt is still displayed and the choices remain enabled.
  • /D : Specifies the default choice selected after the timeout expires.
  • /T : The number of seconds to wait before the default choice is made.

Obfuscation and decryption routine:

This macro is highly obfuscated and difficult to analyze because of the junk code added to it.

The snapshot below shows the obfuscated data being copied to the userform.



The string mentioned above appeared as ubc/qnu]djmcv]tsftV];D.

We reversed the string before moving on to the decryption algorithm.



After reversing, it appeared as D;]Vtfst]vcmjd]unq/cbu, which was used later for decryption.

Decryption routine:

We fetched the obfuscated data from a stored variable and then, in a loop running over the string length, took each character of the reversed string (D;]Vtfst]vcmjd]unq/cbu) with Mid. Each character is converted to its ASCII code, 1 is subtracted, and the result is converted back to a character with Chr.



Using the same decryption routine, the macro decodes the four URLs stored in the file and, at the end, Base64-encodes the resulting code, which is then passed to the PowerShell script.
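The following is an added example, not code from the Zscaler post: a Python reimplementation of the macro's string-decoding routine as described above (reverse the string, then take each character with Mid, subtract 1 from its ASCII code and convert back with Chr). It serves both the decryption-routine description and the URL decoding that reuses the same routine. The encoding direction is included only so an analyst can check a recovered string against a known value; the example uses the obfuscated string quoted in the post.

```python
# Added example: reimplementation of the macro's decode loop as the post describes it.
# Not the original VBA; written in Python for analysis and verification.


def decode_qakbot_string(obfuscated: str) -> str:
    """Reverse the stored string, then shift every character code down by one.

    Mirrors the VBA loop: Mid() picks a character, Asc() gives its code,
    1 is subtracted, and Chr() turns it back into a character.
    """
    reversed_text = obfuscated[::-1]
    return "".join(chr(ord(c) - 1) for c in reversed_text)


def encode_qakbot_string(plaintext: str) -> str:
    """Inverse of decode_qakbot_string, used here only to verify results."""
    shifted = "".join(chr(ord(c) + 1) for c in plaintext)
    return shifted[::-1]


def decode_all(obfuscated_strings):
    """Decode a batch of recovered strings (e.g. the URL blobs) in one pass."""
    return {s: decode_qakbot_string(s) for s in obfuscated_strings}


# The obfuscated string quoted in the post.
SAMPLE_FROM_POST = "ubc/qnu]djmcv]tsftV];D"

if __name__ == "__main__":
    print(decode_qakbot_string(SAMPLE_FROM_POST))
    # The tmp.bat path listed under "File system persistence", encoded with
    # the same scheme, for side-by-side comparison with the quoted string.
    print(encode_qakbot_string(r"C:\Users\Public\tmp.bat"))
```

Decoding the string exactly as printed in the post yields C:\Users\ublic\tmp.bat, one character short of the C:\Users\Public\tmp.bat path listed under file system persistence; encoding that full path gives ubc/qnu]djmcvQ]tsftV];D, so the printed string appears to have lost one "Q" in transcription. The same routine applied to the other recovered blobs is what produces the four payload URLs.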




QakBot analysis:

QakBot is a sophisticated stealer that is distributed by documents downloaded from spam email. It uses different techniques to evade detection and complicate analysis. We checked the timestamp of the unpacked sample and discovered it was from 2010.




Before executing the main code, the malware checks for the presence of antivirus software. It also checks for virtual environments and other monitoring tools by inspecting the running processes on the victim's computer. It takes a snapshot of the processes using CreateToolhelp32Snapshot and enumerates all of them using the Process32First and Process32Next APIs. Below is the list of process names it looks for:


  • ccSvcHst.exe
  • avgcsrvx.exe
  • avgsvcx.exe
  • avgcsrva.exe
  • MsMpEng.exe
  • mcshield.exe
  • avp.exe
  • egui.exe
  • ekrn.exe
  • bdagent.exe
  • vsserv.exe
  • AvastSvc.exe
  • coreServiceShell.exe
  • PccNTMon.exe
  • NTRTScan.exe
  • SAVAdminService.exe
  • SavService.exe
  • fshoster32.exe
  • WRSA.exe
  • vkise.exe
  • isesrv.exe
  • cmdagent.exe
  • MBAMService.exe
  • ByteFence.exe
  • mbamgui.exe
  • fmon.exe
  • Vmnat.exe
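As an added triage aid (not code from the post or from Zscaler), the script below pulls printable ASCII and UTF-16LE strings out of a sample and checks them against the process-name list above, together with the Toolhelp API names the post says the malware uses for enumeration. A sample that embeds many security-product process names next to CreateToolhelp32Snapshot/Process32First is a strong hint of the anti-analysis check described above. The input blob is constructed for the example; the threshold is an assumption.

```python
import re

# Added example: static triage for the process-name check the post describes.
# The names come from the post's list; the sample blob below is constructed.

WATCHED_PROCESS_NAMES = [
    "ccSvcHst.exe", "avgcsrvx.exe", "avgsvcx.exe", "avgcsrva.exe", "MsMpEng.exe",
    "mcshield.exe", "avp.exe", "egui.exe", "ekrn.exe", "bdagent.exe", "vsserv.exe",
    "AvastSvc.exe", "coreServiceShell.exe", "PccNTMon.exe", "NTRTScan.exe",
    "SAVAdminService.exe", "SavService.exe", "fshoster32.exe", "WRSA.exe",
    "vkise.exe", "isesrv.exe", "cmdagent.exe", "MBAMService.exe", "ByteFence.exe",
    "mbamgui.exe", "fmon.exe", "Vmnat.exe",
]

TOOLHELP_APIS = [b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next"]


def extract_ascii_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_utf16le_strings(data: bytes, min_len: int = 6):
    """Runs of printable characters stored as UTF-16LE (common in Windows binaries)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_process_name_checks(data: bytes):
    """Return the watched process names that occur in the sample's strings."""
    by_lower = {n.lower(): n for n in WATCHED_PROCESS_NAMES}
    found = set()
    for s in extract_ascii_strings(data) + extract_utf16le_strings(data):
        s_lower = s.lower()
        for lower_name, original in by_lower.items():
            if lower_name in s_lower:
                found.add(original)
    return sorted(found, key=str.lower)


def uses_toolhelp_enumeration(data: bytes) -> bool:
    """True if the snapshot/enumeration APIs named in the post are referenced."""
    return all(api in data for api in TOOLHELP_APIS)


def triage_verdict(data: bytes, threshold: int = 5):
    """(suspicious, hits): suspicious when enough watched names appear alongside
    Toolhelp enumeration. The threshold is an assumption for this example."""
    hits = find_process_name_checks(data)
    return (len(hits) >= threshold and uses_toolhelp_enumeration(data)), hits


# Constructed sample: a fake PE header, a few names in ASCII, two in UTF-16LE,
# and the import names. Not a real binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"avp.exe\x00egui.exe\x00MsMpEng.exe\x00"
    + "Vmnat.exe".encode("utf-16-le") + b"\x00\x00"
    + "AvastSvc.exe".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00CreateToolhelp32Snapshot\x00Process32First\x00Process32Next\x00"
)

if __name__ == "__main__":
    suspicious, hits = triage_verdict(SAMPLE_BLOB)
    print("suspicious:", suspicious)
    print("names found:", hits)
```

Substring matching is deliberately loose so that a name inside a longer string (a path, a format string) still counts; for a production rule you would tighten it to whole tokens and pair it with the behavioral sandbox result.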

Further, the malware copies itself into the %AppData%\Roaming\Microsoft\{Random}\ directory and executes the copy. It then runs the command below, which uses ping as a delay and replaces the original binary with a copy of the legitimate Windows Calculator application, calc.exe:

"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 & type "C:\Windows\System32\calc.exe" > "C:\<main_payload.exe>"

Persistence mechanism:

QakBot establishes persistence by creating a RUN key at the auto startup location and executing the malware at every login. It also creates scheduled tasks to execute the payload once at 5:33 a.m. and delete the scheduled task after execution.


C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn {Random} /tr "\"%AppData%\Roaming\Microsoft\{Random}\{Random.exe}\" /I {Random}" /SC ONCE /Z /ST 05:33 /ET 05:45
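Three of the command lines quoted in this post share a pattern that is easy to hunt for in process-creation telemetry: the choice-based delay before running the payload from C:\Users\Public (tmps1.bat), the ping delay followed by overwriting the original binary with calc.exe, and the one-shot scheduled task created as SYSTEM. The script below is an added example, not part of the post, and runs three regex rules over constructed command lines modelled on those commands plus benign lines that should stay quiet. Rule names, the log lines and the field layout are all assumptions for this example.

```python
import re

# Added example: detection rules for the command-line patterns quoted in the post.
# Constructed process command lines, modelled on the quoted commands plus benign noise.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2 & C:\Users\Public\tmpdir\update.exe',
    r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 & type "C:\Windows\System32\calc.exe" > "C:\Users\victim\Downloads\invoice.exe"',
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn zqx /tr "\"C:\Users\victim\AppData\Roaming\Microsoft\zqx\zqx.exe\" /I zqx" /SC ONCE /Z /ST 05:33 /ET 05:45',
    r'"C:\Windows\system32\schtasks.exe" /Create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /SC DAILY /ST 02:00',
    r'C:\Windows\System32\cmd.exe /C choice /C YN /M "Continue?"',
    r'ping.exe -n 1 fileserver.corp.example',
]

RULES = {
    # choice ... /T <n> used as a sleep, then something launched from C:\Users\Public
    "delay_then_exec_from_public": re.compile(
        r"\bchoice\b[^&|]*/T\s+\d+[^&|]*[&|]+\s*\S*\\Users\\Public\\", re.I),
    # ping -n <n> as a delay, then calc.exe copied over another file via redirection
    "delay_then_overwrite_with_calc": re.compile(
        r"\bping(?:\.exe)?\s+-n\s+\d+.*?&\s*type\s+\S*calc\.exe\S*\s*>", re.I),
    # schtasks /Create as NT AUTHORITY\SYSTEM with a one-shot (ONCE) schedule
    "once_task_as_system": re.compile(
        r"schtasks(?:\.exe)?[\"']?\s+/Create.*?/RU\s+[\"']?NT AUTHORITY\\SYSTEM.*?/SC\s+ONCE", re.I),
}


def scan_command_line(cmdline: str):
    """Names of the rules that fire on a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_log(lines):
    """Map line index -> fired rules, for lines that fire at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_command_line(line)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_COMMAND_LINES).items():
        print(idx, hits, SAMPLE_COMMAND_LINES[idx][:60])
```

The benign lines (a daily backup task, an interactive choice prompt, a single ping) do not fire, which is the point of anchoring each rule on the combination of delay plus the follow-on action rather than on choice or ping alone.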

Additionally, it creates an explorer.exe process in suspended mode and injects its DLL into it. After execution, it drops a .wpl file containing JavaScript and creates a scheduled task to run that JavaScript at 12:00 p.m. on Tuesday and Wednesday of every week, as shown in the screenshot below.





The JavaScript downloads the updated QakBot from ebook[.]w3wvg.com/datacollectionservice.php3 and executes it. The downloaded payload is encrypted, and the script decrypts it before dropping it on the system. The payload then steals the following information from the victim's machine:

  • IP address
  • Hostname
  • Username
  • OS Version
  • Banking credentials

It uses WebInject to alter communication between the victim's machine and banking websites and steals the credentials.

Apart from this, we analyzed the POST network activity of QakBot and found that it uses HTTPS (SSL/TLS) traffic with no associated domain name.
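Traffic over TLS to a destination that has no associated domain name stands out in proxy or TLS logs: the SNI is either absent or is itself an IP literal. The following is an added example, not code from the post, that applies that check to constructed log lines in a simplified, space-separated format (timestamp, client, destination, sni=, method=, bytes_out=) and flags the POSTs that match. The destination addresses are RFC 5737 documentation ranges and the format is an assumption.

```python
import ipaddress

# Added example: flag HTTPS POSTs with no domain name behind them.
# Constructed log lines in an assumed simplified proxy/TLS log format.
SAMPLE_TLS_LOG = """\
2020-05-04T10:01:02Z 10.0.0.15 203.0.113.7:443 sni=- method=POST bytes_out=3120
2020-05-04T10:01:05Z 10.0.0.15 198.51.100.23:443 sni=www.example.com method=GET bytes_out=410
2020-05-04T10:02:11Z 10.0.0.22 192.0.2.44:443 sni=192.0.2.44 method=POST bytes_out=2890
2020-05-04T10:03:40Z 10.0.0.15 198.51.100.23:443 sni=www.example.com method=POST bytes_out=1200
"""


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 address written as text."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    dest_ip, _, dest_port = parts[2].rpartition(":")
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": parts[0], "client": parts[1], "dest_ip": dest_ip,
            "dest_port": dest_port, "sni": kv.get("sni", "-"),
            "method": kv.get("method", "-")}


def flag_domainless_posts(log_text: str):
    """Return (ts, client, dest_ip, reason) for POSTs whose TLS session names no domain."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["sni"] in ("", "-"):
            flagged.append((rec["ts"], rec["client"], rec["dest_ip"], "no SNI"))
        elif is_ip_literal(rec["sni"]):
            flagged.append((rec["ts"], rec["client"], rec["dest_ip"], "SNI is an IP literal"))
    return flagged


if __name__ == "__main__":
    for hit in flag_domainless_posts(SAMPLE_TLS_LOG):
        print(hit)
```

On its own this is a hunting query rather than an alert: some legitimate software also posts to bare IPs, so the flagged destinations are best joined against the C&C indicators below and the client's recent process activity.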




QakBot malware is not new—we know it has been active for at least 13 years. But it is ever-evolving and uses different mechanisms and methods to infect machines and to evade detection. The Zscaler ThreatLabZ team is continuously monitoring these types of cyberattacks to keep our customers safe. 

Sandbox detection:



In addition to sandbox detections, the Zscaler Cloud Security Platform detects indicators at various levels:




Indicators of Compromise:

Archive source URL:


Newly registered domains to serve the QakBot payload:

  • econspiracy[.]se/evolving/888888.png
  • blog.buatvideomu[.]com/wp-content/uploads/2020/04/last/444444.png
  • intermed19[.]com/wp-content/themes/calliope/previous/444444.png
  • greenmagicbd[.]com/wp-content/themes/calliope/previous/444444.png
  • y-sani[.]com/docs_bcx/55555.png
  • tianmaouae[.]com/docs_9qu/55555.png
  • dctechdelhi[.]com/wp-content/plugins/advanced-ads-genesis/previous/444444
  • themmacoach[.]com/wp-content/uploads/2020/04/docs_cv0/55555.png

QakBot MD5:


QakBot C&C:



