Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload

QakBot (Qbot) uses obfuscated Regsvr32-based execution to load its DLL payload, often by moving or renaming system binaries and triggering execution via LNK and batch files. The threat starts with phishing delivering a password-protected ZIP/ISO, leading to user-driven code execution and a stealthy loader delivery; the article also covers detections and MITRE mapping for these techniques. #QakBot #Regsvr32

Keypoints

  • QakBot employs obfuscated Regsvr32.exe usage to load a DLL payload (provenance.dat) shipped inside an ISO image that arrives via phishing.
  • The initial infection uses a phishing email containing a URL to a password-protected ZIP holding the ISO; once the user mounts the ISO, a .LNK file inside it triggers code execution.
  • The batch script splits the regsvr32 command and path into fragments (the .LNK passes the string "regs" as an argument) and reassembles them so the DLL payload is run without the full "regsvr32" string appearing in the script.
  • Some samples copy Regsvr32.exe to the %tmp% directory and rename it (e.g., to in.exe) to evade detections keyed on the binary's usual path and name.
  • Sysmon logs show Regsvr32.exe being moved/renamed (e.g., enquireAbstractor.scr) and used to execute provenance.dat; two detection angles follow from this: the PE OriginalFileName still reads regsvr32.exe, and the image path is outside System32.
  • The article maps the activity to MITRE techniques and provides detection guidance and specific Securonix queries for related detections.

MITRE Techniques

  • [T1566] Phishing – “A phishing email is sent to the target address with a URL in the message body which links to a remote password protected zip file.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The .LNK launches cmd.exe to run the batch file with an argument, e.g., “C:\Windows\System32\cmd.exe /c relatives\membered.cmd regs”.
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – The loader uses regsvr32.exe to run provenance.dat. “regsvr32 relatives\provenance.dat”
  • [T1036.003] Masquerading: Rename System Utilities – The malware copies and renames regsvr32.exe (e.g., to in.exe or enquireAbstractor.scr in the user's Temp directory) so that path- and name-based detections miss it.
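The detection angles above (OriginalFileName still regsvr32.exe while the image sits outside System32, regsvr32 handed a non-.dll module such as provenance.dat, and the module living on a mounted ISO or in a user-writable directory) can be checked directly against Sysmon Event ID 1 records. The following is an added example written for this page, not code from Securonix or from the original blog post; the four event records are constructed to mirror the tradecraft described (the Temp path, enquireAbstractor.scr, in.exe and relatives\provenance.dat come from the page, the drive letter E: for the mounted ISO and the file stage2.dll are assumptions), and the rule names and the "not on the system drive" heuristic are this example's own choices.

```python
"""Flag Sysmon process-creation (Event ID 1) records matching the QakBot
regsvr32 tradecraft: a regsvr32 binary copied or renamed out of System32,
and regsvr32 loading a module that is not a .dll, sits in a user-writable
directory, or resolves to a non-system drive (e.g. a mounted ISO).
Field names follow Sysmon's Event ID 1 schema (Image, OriginalFileName,
CommandLine, CurrentDirectory); the events below are constructed samples."""
import ntpath  # Windows path semantics regardless of the host OS
import re

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DRIVE = "c:"  # assumption: OS installed on C:
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\users\public", r"\programdata")
SWITCH_PREFIXES = ("/", "-")


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def module_args(cmdline):
    """Return the non-switch arguments of a regsvr32 command line, i.e. the module paths."""
    return [t for t in split_cmdline(cmdline)[1:] if not t.startswith(SWITCH_PREFIXES)]


def is_regsvr32(event):
    """True if the process is regsvr32 by PE metadata or by its on-disk name."""
    original = event.get("OriginalFileName", "").lower()
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return original == "regsvr32.exe" or image_name == "regsvr32.exe"


def detect_regsvr32_abuse(event):
    """Return the ordered, de-duplicated list of rule names firing for one EID 1 event."""
    hits = []
    if not is_regsvr32(event):
        return hits
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    # Rule 1: PE metadata says regsvr32, but the file was copied out of System32.
    if original == "regsvr32.exe" and ntpath.dirname(image).lower() not in SYSTEM_DIRS:
        hits.append("regsvr32_outside_system32")
    # Rule 2: PE metadata says regsvr32, but the on-disk name differs (in.exe, *.scr).
    if original == "regsvr32.exe" and ntpath.basename(image).lower() != "regsvr32.exe":
        hits.append("regsvr32_renamed")
    for mod in module_args(event.get("CommandLine", "")):
        # Rule 3: regsvr32 normally registers .dll files; provenance.dat is not one.
        if ntpath.splitext(mod)[1].lower() != ".dll":
            hits.append("regsvr32_non_dll_module")
        # Rule 4: module lives in a directory any user can write to.
        if any(marker in mod.lower() for marker in USER_WRITABLE_MARKERS):
            hits.append("regsvr32_module_in_user_writable_path")
        # Rule 5 (heuristic): resolve relative paths against CurrentDirectory;
        # a module on a drive other than the system drive suggests a mounted ISO.
        resolved = mod if ntpath.isabs(mod) else ntpath.join(event.get("CurrentDirectory", ""), mod)
        drive = ntpath.splitdrive(resolved)[0].lower()
        if drive and drive != SYSTEM_DRIVE:
            hits.append("regsvr32_module_not_on_system_drive")
    return list(dict.fromkeys(hits))


def scan(events):
    """Return (Image, hits) for every event that fires at least one rule."""
    results = []
    for event in events:
        hits = detect_regsvr32_abuse(event)
        if hits:
            results.append((event.get("Image", ""), hits))
    return results


# Constructed sample events (not real telemetry), in Sysmon EID 1 field names.
SAMPLE_EVENTS = [
    {  # benign: regsvr32 from System32 registering a system DLL
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r'regsvr32 /s "C:\Windows\System32\vbscript.dll"',
        "CurrentDirectory": r"C:\Windows\System32",
    },
    {  # renamed copy in %tmp% loading provenance.dat from the mounted ISO (drive E: assumed)
        "Image": r"C:\Users\username\AppData\Local\Temp\enquireAbstractor.scr",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"enquireAbstractor.scr relatives\provenance.dat",
        "CurrentDirectory": "E:\\",
    },
    {  # un-renamed regsvr32 invoked by the batch file from the ISO root
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"regsvr32 relatives\provenance.dat",
        "CurrentDirectory": "E:\\",
    },
    {  # renamed copy in.exe registering a DLL dropped in Temp (stage2.dll assumed)
        "Image": r"C:\Users\username\AppData\Local\Temp\in.exe",
        "OriginalFileName": "REGSVR32.EXE",
        "CommandLine": r"in.exe /s C:\Users\username\AppData\Local\Temp\stage2.dll",
        "CurrentDirectory": r"C:\Users\username\AppData\Local\Temp",
    },
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

Rule 1 and Rule 2 are what make the renamed-binary trick visible: Sysmon populates OriginalFileName from the PE version resource, which the copy in %tmp% still carries even after it is renamed to in.exe or enquireAbstractor.scr. Rule 3 catches the un-renamed case in the third event, where the only anomaly is the .dat module. When deploying this against real telemetry, expect Rule 4 to need tuning for installers that legitimately register DLLs from Temp.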

Indicators of Compromise

  • [Hash] context – be10d1f0565240319903cbbe2590d898721fbdd8ce2062e790185fbfd16486d2, 37aff6406e6a0d5caccec17202737e4b0610d19560a6c791aad95385cb1581fb, and 4 more hashes
  • [File Name] context – provenance.dat, enquireAbstractor.scr, in.exe, relatives\membered.cmd, and 2 more file names
  • [Path] context – C:\Windows\System32, C:\Users\username\AppData\Local\Temp

Read more: https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution/