Analysis by: Henry Alarcon Jr.


Trojan.MSIL.Agent.qwihbz (Kaspersky), W32/Agent.QWIHBZ!tr (Fortinet)




  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.


File Size:

153600 bytes

File Type:


Memory Resident:


Initial Samples Received Date:

23 Apr 2019

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.


This Backdoor drops the following files:

  • server.sqlite - SQLite database

Other Details

This Backdoor requires the following additional components to properly run:

  • {Malware filepath}\private.key
  • {Malware filepath}\System.Data.Sqlite.DLL
  • {Malware filepath}\config_server.xml - server configuration and client to connect.

It does the following:

  • It requires password coming from its command manager/ host before it can accepts specific parameters.
  • It displays the following upon execution:

It accepts the following parameters:

  • video (off){optional} VideoName [ProcessName] = command video off disables video recording
  • download [user$Username] {url | plugin name}
  • {stops | starts | without paramenter} ammyy
  • update [cold | hot ] plugin name (updates)
    • If cold (hot update) is not specified, then the specified update is loaded, the file is replaced at startup (service) and starts,
    • at the same time, the current bot is shutting down
    • If cold is specified, the specified update is loaded and the file is replaced in autoload (service)
    • update will take effect only after reboot
  • updklgcfg = loading configuration file from admin for keyloger
  • httpproxy = http proxy server on the specified port is enabled
  • killos = OS is not bootable after reboot
  • tunnel port {server | http | ip:port} = where:
    • port - port number that opens for connection from another bot
    • server - traffic is redirected to the server with which we connect this bot
    • http - http proxy is created to access the admin panel
    • ip:port - all traffic is redirected to the specified address
  • adminka (http, https, socks5) ip:port [del, proxy authorization] = if the del parameter is specified, the proxy settings are removed and the bot connects directly
  • server [force] ip:port [ip:port] [ip:port] = Specifies which ip to communicate with the server
  • user {create | delete} username = creates or deletes a user with rights for RDP
  • rdp {file | mem} = includes rdp on this computer (file - makes edits to the system files on the disk, as a result, after the reboot, the RDP will be enabled
  • mem - edits are made only in memory)
  • secure lsa plugin_name= loads and registers dll bot in HKLM\System\CurrentControlSet\Control\Lsa -v "Notification Packages"
  • del {service | file} {service name | file name} = deletes the specified service or file
  • startcmd any command with arguments = saves the command specified in the arguments in the bot settings and this command will be executed after the reboot
  • runmem [user$Username] {url | plugin name} = file will be launched on behalf of the specified user
  • logonpasswords {server | adminka} = removes logins and passwords using the mimikatz library, the result is sent to the admin area or the server
  • screenshot [user$Username] [server|adminka] = screenshots/full_screen
  • dupl {keylog | screenshot} [stop] = duplicates data sent to the admin in the bot folder files
  • findfiles path mask {adminka|server|adminka_server} name = search for files by the mask mask in the path folder
  • vnc {port | stop} = loads the vnc.plug plugin from the admin panel and starts the vnc session on the specified port, if the stop argument is specified, then the vnc session is closed
  • runfile [user$Username] {file path} = runs the specified file
  • killbot = self-destruction of the bot


Minimum Scan Engine:





26 Apr 2019




27 Apr 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and terminate files detected as Backdoor.MSIL.CARBANAK.AA

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.  
  • {Malware filepath}\private.key
  • {Malware filepath}\System.Data.Sqlite.DLL
  • {Malware filepath}\config_server.xml
  • {Malware filepath}\server.sqlite

Step 5

Scan your computer with your Trend Micro product to delete files detected as Backdoor.MSIL.CARBANAK.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.