{
	"id": "a79b1392-3407-45ca-a2b5-2c74162dde86",
	"created_at": "2026-04-06T00:18:36.38237Z",
	"updated_at": "2026-04-10T03:19:57.685814Z",
	"deleted_at": null,
	"sha1_hash": "78c0410aa20b48a056db0820c1fb9e9931aa7646",
	"title": "An in-depth malware analysis of QuantLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2818988,
	"plain_text": "An in-depth malware analysis of QuantLoader\r\nBy Malwarebytes Labs\r\nPublished: 2018-03-27 · Archived: 2026-04-05 20:32:18 UTC\r\nThis guest post is written by Vishal Thakur, CSIRT/Salesforce. For more on Vishal, read his bio at the end of the blog.\r\nQuantLoader is a Trojan downloader that has been available for sale on underground forums for quite some time\r\nnow. It has been used in campaigns serving a range of malware, including ransomware, Banking Trojans, and RATs.\r\nThe campaign that we are going to analyze is serving a BackDoor.\r\nIn this post, we’ll take both a high-level look at the campaign flow, as well as a deep dive into how the malware\r\nexecutes, with a focus on the networking functions. We’ll dig into the binary to analyze how the malware executes\r\nand how it connects back to the C2. We’ll also analyze some interesting calls the malware makes, like calling and\r\nexecuting the netsh command to change local firewall rules.\r\nThe latest version of QuantLoader is being served through a phishing campaign using some interesting techniques.\r\nThe campaign starts with a phishing email that comes with a link serving the victim the initial JS downloader. 
What’s\r\ninteresting is that they’ve opted for a file:// (SMB) protocol rather than the traditional http://—maybe in order to get\r\npast some proxies/firewalls.\r\nAnalysis\r\nFirst of all, let’s have a look at the campaign flow:\r\nPhish \u003e JS downloader \u003e QuantLoader (\u003e C2) \u003e Payload (Backdoor) \u003e C2\r\nThe JS downloader, as always, has lots of code, all obfuscated:\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/\r\nPage 1 of 12\n\nWe go ahead and print the output of the main function (AXXA in this case) and we get the stage 2 URLs:\r\nThat was a quick analysis of the JS downloader, to get us the URLs.\r\nQuantLoader executable\r\nWe are going to start by following the execution flow as much as possible:\r\nLet’s take a look at the assembly code:\r\nNext, it will copy itself to the above location before execution:\r\nSetting the right permissions (ACL):\r\nHere, we can see that the permission for the user has been set to “Read.”\r\nStack view:\r\nLet’s have a look at the process execution and persistence mechanisms.\r\nAs you can see above, the process spawns a new process after it has successfully copied itself to a different location.\r\nIt is important not to confuse it with dwm.exe, a legit Windows process (Desktop Window Manager). Note that the\r\npersistence mechanism has also been initiated.\r\nLet’s take a deeper look into this process that is spawned, and how it is spawned.\r\nFirst, the directory is created:\r\nOnce that is completed, CreateFile is called to create a null file.\r\nAt this point it’s a null file—no data in it. 
That will be copied over later.\r\nNote that the size of the file at this point is 0 bytes.\r\nThen the file is copied over:\r\nNow you can see that the file has been copied over and the size is 46080 bytes:\r\nNow the process will be launched from this location.\r\nYou can modify it if you want:\r\nOnce the process has been successfully launched, we want to look at the next important step. It will call the\r\nWININET dll to start establishing a connection back to the admin.\r\nAfter execution, it will try to connect out to its admin server:\r\nAnd here is the connection:\r\nTCP    localhost:49690    49.51.228.205:http    ESTABLISHED \r\nThis is the host you can see is loaded into the stack below.\r\nWe will now take a deeper look into how that unfolds in the stack.\r\nThe first step is to load the WININET DLL. It is called through the LoadLibrary function:\r\nAnd now, let’s take a look at the functions that are of interest to us (highlighted and commented) in the\r\ndisassembler. 
We will dive into a couple of these later:\r\nHere’s the stack, where the above functions can be seen in action (variable values added):\r\nAt this point, let’s move on to the next DLL that is called: WINHTTP.dll.\r\nNow let’s have a look at the functions that are called from here on:\r\nAs you can see, all of the above functions are “WinHttp”.\r\nLet’s have a look at some of the more interesting functions:\r\nWinHttpCreateUrl\r\nThis will put together the complete URL for the malware by combining the host and the path. Let’s step into it.\r\nAnd here’s the complete URI with jsproxy.dll being called in for WinInet’s auto-proxy support:\r\nFinally, we should have a look at the memory dump to see how the URI is loaded into memory:\r\nHave a look at the stack screenshot below. You can see that the URL is loaded onto the stack and ready to be called.\r\nAnd let’s have a look at the memory in parallel. 
You can see that the URL has been successfully loaded, and is ready\r\nto be called upon, using the URLDownloadToFile call.\r\nInteresting ASCII strings that you can see in the above screenshot show you how the malware is adding a rule to the\r\nfirewall, specifying the process and then the direction (out) for the action “Allow.” This is to make sure that the\r\noutbound request from the malware is allowed and is successful in checking in with the admin.\r\nAnd here’s the view from the stack:\r\nThis is what it looks like in the CPU:\r\nThe command used is: netsh.\r\nHere’s a view of the process image:\r\nAnd here are the rules created and deployed successfully on the firewall:\r\nSome other interesting calls:\r\nAnti-VM\r\n77028A50 \u003e-FF25 F4030877 JMP DWORD PTR DS:[\u003c \u0026api-ms-win-core-file\u003e; KERNELBA.GetDiskFreeSpaceExA\r\n0018F234 |7029160E )p ; RETURN from KERNEL32.GetTickCount to WININET.7029160E\r\nEnvironment ID\r\n77028DA0 \u003e-FF25 A8070877 JMP DWORD PTR DS:[\u003c\u0026api-ms-win-core-proc\u003e; KERNELBA.GetEnvironmentStringsA\r\nNetworking\r\n0018E9B8 |7029818C; ASCII \"getaddrinfo\"\r\n*/protocol-independent translation from an ANSI host name to an address\r\n0018E9C0 |70298198 ; ASCII \"getnameinfo\"\r\n*/protocol-independent name resolution from an address to an ANSI host name and from a port number to the ANSI\r\nservice name\r\n0018FB84 [70272C72; /RETURN from DNSAPI.DnsGetProxyInformation to WININET.70272C72 0018FB88\r\n0051E4B0 °äQ ; |Arg1 = UNICODE \"wassronledorhad.in\"\r\n*/returns the proxy information for a DNS server’s name resolution policy table\r\nOnce the connection has been established with the admin server (C2), the payload is served. The payload is picked by\r\nthe administrator for each campaign and can be any malware type. 
In this campaign, it happened to be a backdoor.\r\nThe URL for the download of the payload was successfully extracted from memory. We will not be analyzing the\r\npayload for the purpose of this exercise, but I have included the details at the end of this post.\r\nConclusion\r\nQuantLoader code has some interesting bits and pieces, like the firewall rules manipulation. It is a\r\nfairly straightforward malware, and does what it has been developed to do. The campaign admins\r\nhave the ability to change final payloads and run different campaigns using the same downloader.\r\nIt has been reported as ransomware, but that seems to be based on a memory-string that has a reference to Locky,\r\nwhich looks like a remnant from an older campaign.\r\nZ:varwww4testfilescryptorsadminLoc2.exe\r\nAlso, it is interesting to see it being served over SMB rather than the traditional HTTP protocol.\r\nFiles from the campaign\r\nJS Downloader:\r\nMD5 – 6f2b5a20dba3cdc2b10c6a7c56a7bf35\r\nSHA256 – db078628cdc41e9519e98b7ea56232085e203491bd2d5d8e49ef6708f129e1b8\r\nhttps://www.virustotal.com/#/file/db078628cdc41e9519e98b7ea56232085e203491bd2d5d8e49ef6708f129e1b8/detection\r\nQuantLoader:\r\nMD5 – 4394536e9a53b94a2634c68043e76ef8\r\nSHA256 – 2b53466eebd2c65f81004c567df9025ce68017241e421abcf33799bd3e827900\r\nhttps://www.virustotal.com/#/file/2b53466eebd2c65f81004c567df9025ce68017241e421abcf33799bd3e827900/detection\r\nPayload Backdoor:\r\nMD5 – 6c6d772704abf4426c5d7e5a52c847d7\r\nSHA256 – 0d100ff26a764c65f283742b9ec9014f4fd64df4f1e586b57f3cdce6eadeedcd\r\nhttps://www.virustotal.com/#/file/0d100ff26a764c65f283742b9ec9014f4fd64df4f1e586b57f3cdce6eadeedcd/detection\r\nVishal Thakur has been working in InfoSec for a number of years, specializing in Incident Response and Malware\r\nAnalysis. 
Currently, he’s working for Salesforce in CSIRT (Computer Security Incident Response Team), and before\r\nthat was part of the CSIRT for Commonwealth Bank of Australia.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/"
	],
	"report_names": [
		"an-in-depth-malware-analysis-of-quantloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78c0410aa20b48a056db0820c1fb9e9931aa7646.pdf",
		"text": "https://archive.orkl.eu/78c0410aa20b48a056db0820c1fb9e9931aa7646.txt",
		"img": "https://archive.orkl.eu/78c0410aa20b48a056db0820c1fb9e9931aa7646.jpg"
	}
}