{
	"id": "19d00372-bc79-4843-b80b-3eb35dd23e4c",
	"created_at": "2026-04-06T00:17:28.356588Z",
	"updated_at": "2026-04-10T13:12:27.917573Z",
	"deleted_at": null,
	"sha1_hash": "8d172e25cb43431960572733240d4171f864dbd6",
	"title": "Qakbot Being Distributed via Virtual Disk Files (*.vhd) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1758084,
	"plain_text": "Qakbot Being Distributed via Virtual Disk Files (*.vhd) - ASEC\r\nBy ATCP\r\nPublished: 2022-12-12 · Archived: 2026-04-05 18:44:24 UTC\r\nThere’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to the use of VHD files. Such use of disk image files (IMG, ISO, VHD) is seen to be Qakbot’s method of bypassing Mark of the Web (MOTW). Disk image files can bypass the MOTW feature because when the files inside them are extracted or mounted, MOTW is not inherited by those files.\r\nRelated webpage: https://attack.mitre.org/techniques/T1553/005/\r\nThe phishing email that distributes Qakbot is shown below. Like in previous cases, it has an HTML file attachment which generates a compressed file.\r\nhttps://asec.ahnlab.com/en/44662/\r\nPage 1 of 6\r\nWhen the attached HTML file is executed, a page that imitates Google Drive is loaded. At this stage, a compressed file contained in the HTML script is automatically created by the script. The compressed file is password-protected, and the password can be found on the HTML page.\r\nThe compressed file contains a VHD file, which is the virtual disk file.\r\nVHD files can be automatically mounted on Windows 8 and onwards, and files are created internally as shown below.\r\nThe properties of the created LNK file are as below, and it executes the reserved.cmd file created alongside it.\r\nThe reserved.cmd command is shown below. It executes the resting.cmd file, parses a certain string, and passes it as an argument.\r\nThe resting.cmd command is as follows. This command combines the string received as an argument and loads the hogs.tmp file through rundll32. The hogs.tmp file is a DLL file and is the Qakbot malware.\r\nQakbot is a banking malware that executes the normal process wermgr.exe before injecting malicious data. The injected process attempts to establish a connection to the C2, and when the attempt is successful, it performs additional malicious behaviors such as downloading malicious modules and stealing financial information. The process tree from the execution of the LNK to the execution of Qakbot is as follows.\r\nC2 : 2.14.82[.]210:2222\r\nRecently, there has been a surge in malware using disk image files and various methods of distribution to bypass security features. Users should refrain from opening emails from unknown sources and should not execute their attachments. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.\r\n[File Detection]\r\nTrojan/Win.BankerX-gen.R538785 (2022.12.08.01)\r\nDropper/BIN.Generic (2022.12.14.00)\r\nDropper/HTML.Qakbot (2022.12.14.00)\r\nTrojan/CMD.Runner (2022.12.14.00)\r\nMD5\r\n1c1deaa10c6beea64661e8afba6ce276\r\n5bd4a0f37a6420a00e1ceb378446f8b8\r\n5cbd45a04efdec84a576398e8ed702e6\r\n63524b4118710e4d6d522b0165d71b71\r\nab4c2e5302c44ddc16f5fe4162640bd0\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/44662/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/44662/"
	],
	"report_names": [
		"44662"
	],
	"threat_actors": [],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d172e25cb43431960572733240d4171f864dbd6.pdf",
		"text": "https://archive.orkl.eu/8d172e25cb43431960572733240d4171f864dbd6.txt",
		"img": "https://archive.orkl.eu/8d172e25cb43431960572733240d4171f864dbd6.jpg"
	}
}