{
	"id": "9fa72167-dca9-4af7-bc51-02559e4b7865",
	"created_at": "2026-04-06T01:32:13.591597Z",
	"updated_at": "2026-04-10T03:21:32.90574Z",
	"deleted_at": null,
	"sha1_hash": "a69bcd67dbb4723a15e7eddf1030f1a19ba1cffa",
	"title": "Bypassing Qakbot Anti-Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377617,
	"plain_text": "Bypassing Qakbot Anti-Analysis\r\nPublished: 2023-03-24 · Archived: 2026-04-06 00:28:24 UTC\r\nQakBot is a banking trojan that has been evolving since its first version was discovered in 2008. According to the 2022 report published by CISA, it was one of the most active variants in 2021, and during 2022 and so far in 2023 it has remained quite active. A brief look at the latest news about QakBot shows that it has been updating its tactics constantly, for example using a Windows zero-day to avoid displaying the MoTW or, most recently, using OneNote files to drop QakBot.\r\nIn this case we are particularly interested in the anti-analysis techniques used by QakBot during the early stages of its execution. These techniques can make malware analysis harder if they are not known, so learning to identify and bypass them is essential to see the malware’s operation at its full potential. Furthermore, these techniques can be replicated or adopted by different types of malware, so knowing them opens the door to the study of other samples.\r\nThis article is structured according to the checks carried out by the malware, verified using the following sample, and focuses on those aspects that are most remarkable.\r\nmd5 58e1c32eeb0130da19625e55ee48cf1e\r\nsha1 00ae1c5066f67e5e71285de99bea8d8b67085743\r\nsha256 f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790\r\nThe following image summarizes the checks performed by QakBot before executing its payload. This article is structured following this chain of checks, which corresponds to the anti-analysis techniques used by the sample.\r\nhttps://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/\r\nPage 1 of 13\r\nAnti-analysis checks performed by Qakbot\r\nWindows Defender\r\nAt the beginning of the program execution, QakBot will perform a first inevitable check, since this sample is intended for Windows systems: to verify whether Windows Defender is active. 
QakBot will perform this check by searching for representative files.\r\nIllustration 1 Call to the first check function\r\nInside the function we can observe a mov to the EAX register and then a call to a function used recurrently during the whole execution of the program. This function has been renamed mw_decode since its objective is to decode text strings, taking the EAX register as a parameter and performing the XOR operation.\r\nIllustration 2 Call to mw_decode\r\nIllustration 3 mw_decode content\r\nAfter all iterations of the loop have completed, the decrypted string is visible at the address held in the ECX register. This behavior can be seen during all the checks performed by QakBot.\r\nIn this case, the string refers to Windows Defender, since it names one of the empty files created by this utility.\r\nIllustration 4 Decrypted string related to Windows Defender: C:\\INTERNAL\\_empty\r\nFrom here, taking the value C:\\INTERNAL\\_empty as a parameter, it calls the Windows API function GetFileAttributesA and then checks whether this file already exists on the system.\r\nThis check is made to find out whether Windows Defender is present on the system, since the file C:\\INTERNAL\\_empty is one of the files that Windows Defender creates.\r\nIllustration 5 Call to GetFileAttributesA with representative string\r\nIf, after making the API call, it detects that the Windows Defender-related file is present on the system, the sample stops its execution. Otherwise, QakBot continues its execution with the remaining checks.\r\nRepresentative processes in execution\r\nThe next check is on the system processes. 
The main objective is to evaluate whether there is any security application that can be used to detect or to analyse malware, such as antivirus applications or applications used by researchers or in sandboxes. To do so, Qakbot goes through the list of processes and compares it with known representative process names.\r\nThe first thing Qakbot does is load several hexadecimal values.\r\nIllustration 6 Loading values in hexadecimal\r\nAs mentioned before, mw_decode continues to be used to decode the strings used by the malware, so the hexadecimal value 0x621, seen before at the start of the function, is saved in the EAX register.\r\nIllustration 7 Call to mw_decode with value 0x621 passed as a parameter\r\nAfter calling the function in charge of decrypting the strings, it starts a loop to obtain all the process names whose existence on the system it will check.\r\nFor example, the following image shows a list of processes subject to the check with the names avgcsrvx.exe, avgsvcx.exe and avgcsrva.exe. These are representative processes of AVG Free Antivirus.\r\nIllustration 8 Some names of processes that will be checked\r\nOnce it has the strings to check, it calls the CreateToolhelp32Snapshot and Process32First functions to obtain the first running process on the system.\r\nIllustration 9 Calls to CreateToolhelp32Snapshot and Process32First\r\nQakbot then checks whether the process names obtained above match any currently active process on the system.\r\nIllustration 10 Iteration to compare process names\r\nIt performs this operation for all the processes; if any of them matches one of the names it has defined, it terminates its execution. 
In particular, the following process names have been found to be subject to the check. They are grouped by type of application in the following table.\r\nType | Name of process\r\nAntivirus | Avgcsrvx.exe, Avgsvcx.exe, Avgcsrva.exe, ccSvcHst.exe, MsMpEng.exe, mcshield.exe, Avp.exe, kavtray.exe, Egui.exe, ekrn.exe, Bdagent.exe, Vsserv.exe, vsservppl.exe, AvastSvc.exe, coreServiceShell.exe, PccNTMon.exe, NTRTScan.exe, SAVAdminService.exe, SavService.exe, fshoster32.exe, WRSA.exe, Vkise.exe, Isesrv.exe, cmdagent.exe, ByteFence.exe, MBAMService.exe, mbamgui.exe, fmon.exe, Dwengine.exe, Dwarkdaemon.exe, dwwatcher.exe, bds-vision-agent-nai.exe, bds-vision-apis.exe, bds-vision-agent-app.exe\r\nMalware Analysis | Fiddler.exe, lordpe.exe, regshot.exe, Autoruns.exe, Dsniff.exe, HashMyFiles.exe, ProcessHacker.exe, Procmon.exe, Procmon64.exe, Netmon.exe, pr0c3xp.exe, ProcessHacker.exe, CFF Explorer.exe, dumpcap.exe, Wireshark.exe, idaq.exe, Idaq64.exe, ResourceHacker.exe, MultiAnalysis_v1.0.294.exe, x32dbg.exe, Tcpview.exe, OLLYDBG.EXE, windbg.exe, samp1e.exe, sample.exe, runsample.exe\r\nVirtualization Environments | VBoxTray.exe, vmtoolsd.exe, vm3dservice.exe, VGAuthService.exe, TPAutoConnect.exe, vmacthlp.exe, VBoxTray.exe, VboxService.exe\r\nAs anticipated, this point groups together checks involving both user protection and analysis tools. 
It is to be expected that successive versions of QakBot will update the previous list.\r\nIf QakBot does not find any process with the above names, it continues its execution with the next check.\r\nModules\r\nIf it passes the above check, it uses the Module32First and Module32Next APIs to get all the modules of each process on the system.\r\nIllustration 11 Use of Module32First\r\nIf any of the system modules contains the string ivm-inject.dll or SbieDll.dll, it terminates its execution.\r\nIllustration 12 String ivm-inject.dll\r\nIllustration 13 String SbieDll.dll\r\nThe names of the DLLs have been identified as part of the Sandboxie program, used to run programs in isolated environments. If any program uses these modules, it could be an indication that this analysis tool is on the system, and QakBot would stop its execution.\r\nIt is worth noting, for example, that the Sandboxie-Plus version could incorporate utilities to hide the presence of SbieDll.dll.\r\nCharacteristic names given to the sample\r\nAnalysts have some habits that QakBot will check. In this case, it checks whether the name of the binary itself (the malware) contains any of the characteristic strings that analysts could use to rename the sample before its execution, such as “sample”, “mlwr_sm” or “artifact.exe”. Again, these strings are observed after the execution of mw_decode.\r\nIllustration 14 String sample\r\nIf any of these strings is found as part of the filename, it stops the execution of the program. In addition, this check is not case-sensitive, i.e. 
it does not distinguish between upper and lower case.\r\nIt is curious, for example, that it does not also check whether the name of the binary matches a sha256 pattern, since samples downloaded from platforms such as VirusTotal or other systems keep the hash of the binary in their name, which the analyst may or may not rename.\r\nAnti-VM Techniques\r\nQakBot performs specific checks to determine whether it is running in a virtual environment. These checks are described below.\r\nVMware version\r\nThe malware evaluates whether it is running within a VMware virtual machine. To do that, QakBot makes use of a special VMware I/O port. In particular, the verification at this point focuses on the port used by the official VMware tools to perform their communications.\r\nVMware uses I/O port 0x5658 to communicate internally with the deployed virtual machines, so the first step executed by QakBot is to save the value corresponding to this I/O port in the DX register. After this step, the value 0x564D5868 is stored in EAX. This value corresponds to the string ‘VMXh’, which is the VMware magic number.\r\nFinally, the internal VMware command is specified. In this case 0x0A is used, which corresponds to the command to obtain information from VMware.\r\nIllustration 15 Check code: VMware\r\nAfter executing the “in” instruction, the EBX and ECX registers are modified.\r\nThe VMware magic number is written to the EBX register, while the value corresponding to the VMware product is stored in the ECX register. The following values are known:\r\n– 01h = Express\r\n– 02h = ESX Server\r\n– 03h = GSX Server\r\n– 04h = Workstation\r\nRAM memory size\r\nIf the previous check is passed, QakBot proceeds to obtain the size of the memory allocated to the system. 
This check is performed, like the previous one, using the I/O port, but in this case it uses the value 0x14 as the command. The resulting value is stored in the EAX register and later moved to EBP. It is important to note that, if the previous check does not detect that it is running in a VM and passes to this check, here it makes use of the I/O port again, which would be a contradiction.\r\nIllustration 16 Check code: PC memory\r\nQakBot decides whether it is inside a VM at this point by comparing the value stored in the EBP register, which contains the size of the machine’s RAM, against the value 0x2000, which is 8192 in decimal. This means that, if the machine has less than 8 GB of RAM, QakBot decides that it is in a virtual machine.\r\nIllustration 17 RAM size check\r\nNote that QakBot only performs this check if it has previously detected, using the VMware I/O port, that it is not running in a virtual machine. However, it is curious that the malware uses the VMware I/O port again during this check, as it should not be able to obtain a valid RAM value when it is not running in a VMware environment.\r\nCPU Characteristics\r\nFor the last check QakBot makes use of the cpuid instruction. This instruction returns different values based on the value stored in EAX. In this case EAX is xored with itself, which always results in 0.\r\nIllustration 18 cpuid instruction\r\nWhen cpuid is executed with EAX equal to 0, it returns the CPU manufacturer, which is precisely the target pursued by the malware in this step. 
Then it performs three memcpy operations to reorder the resulting string.\r\nIllustration 19 memcpy instructions\r\nAfter these operations the final string corresponds to the CPU manufacturer of the system.\r\nOnce it has obtained this data, it moves the value 1 to EAX to call cpuid again. When cpuid is called with EAX equal to 1, it returns the processor information.\r\nIllustration 20 Processor information request\r\nThe information received in ECX after the execution of the cpuid instruction will always end with a value of 0 in the case of a physical machine, but in the case of a virtual machine it will be 1.\r\nIt should be noted at this point that when running on both VMware and VirtualBox a value of 3 is received, so for both platforms it would be possible to bypass this check.\r\nIllustration 21 Return value for VMware\r\nConclusions\r\nThis analysis has focused on the anti-analysis capabilities employed by QakBot in order to help overcome these obstacles before starting the analysis. The anti-analysis techniques detailed here can be used by different malware, so it is very important to be aware of them. However, it is important to note that this analysis is based on a specific sample of QakBot malware, and there are various other malware families that employ different anti-analysis techniques that have not been covered in this report. 
These techniques may be explored in future posts.\r\nRegarding the analysis performed, it is also interesting to highlight the checks made by Qakbot to detect whether it is running in a virtualized environment, as these checks only apply to VMware software, since they use VMware’s own I/O port and search for its unique magic number.\r\nReferences\r\nVMware Backdoor I/O Port\r\nCPUID instruction reference\r\nWindows Defender DB dump and VDLL’s\r\nSource: https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/"
	],
	"report_names": [
		"bypassing-qakbot-anti-analysis-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775439133,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a69bcd67dbb4723a15e7eddf1030f1a19ba1cffa.pdf",
		"text": "https://archive.orkl.eu/a69bcd67dbb4723a15e7eddf1030f1a19ba1cffa.txt",
		"img": "https://archive.orkl.eu/a69bcd67dbb4723a15e7eddf1030f1a19ba1cffa.jpg"
	}
}