Malware Analysis Report

2025-05-28 17:32

Sample ID 230109-jc7g8sgh7x
Target 39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll
SHA256 39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6
Tags
qakbot bb 1663053540 banker stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6

Threat Level: Known bad

The file 39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll was found to be: Known bad.

Malicious Activity Summary

qakbot bb 1663053540 banker stealer trojan

Qakbot/Qbot

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-09 07:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-09 07:32

Reported

2023-01-09 07:33

Platform

win7-20220812-en

Max time kernel

10s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\regsvr32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1392 wrote to memory of 1968  N/A        C:\Windows\system32\regsvr32.exe  C:\Windows\SysWOW64\regsvr32.exe
(the row above was reported 7 times, one per WriteProcessMemory event)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

Network

N/A

Files

memory/1392-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

memory/1968-55-0x0000000000000000-mapping.dmp

memory/1968-56-0x0000000075521000-0x0000000075523000-memory.dmp

memory/1968-57-0x0000000000140000-0x0000000000162000-memory.dmp

memory/1968-59-0x0000000000140000-0x0000000000162000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-09 07:32

Reported

2023-01-09 07:35

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Creates scheduled task(s)

persistence

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\regsvr32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\regsvr32.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\explorer.exe  N/A
(the explorer.exe row above was reported 62 times)

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\regsvr32.exe  N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\39428e08fb14d18878d147f91f9cfbd32436a2c07e695e4330e39468b08cd1c6.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 08:35 /tn rtoetgatg /ET 08:46 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMwA5ADQAMgA4AGUAMAA4AGYAYgAxADQAZAAxADgAOAA3ADgAZAAxADQANwBmADkAMQBmADkAYwBmAGIAZAAzADIANAAzADYAYQAyAGMAMAA3AGUANgA5ADUAZQA0ADMAMwAwAGUAMwA5ADQANgA4AGIAMAA4AGMAZAAxAGMANgAuAGQAbABsACIA" /SC ONCE

Network

Country  Destination          Domain                                                                  Proto
N/A      8.8.8.8:53           f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa  udp
N/A      51.132.193.104:443   N/A                                                                     tcp
N/A      87.248.202.1:80      N/A                                                                     tcp
N/A      87.248.202.1:80      N/A                                                                     tcp

Files

memory/1756-132-0x0000000000000000-mapping.dmp

memory/1756-133-0x0000000000D40000-0x0000000000D62000-memory.dmp

memory/2380-134-0x0000000000000000-mapping.dmp

memory/1756-135-0x0000000000D40000-0x0000000000D62000-memory.dmp

memory/2380-136-0x0000000000FD0000-0x0000000000FF2000-memory.dmp

memory/3952-137-0x0000000000000000-mapping.dmp

memory/2380-138-0x0000000000FD0000-0x0000000000FF2000-memory.dmp