Malware Analysis Report

2025-05-28 17:32

Sample ID 230129-wk44ashf4z
Target e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02
SHA256 e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02
Tags
qakbot obama07 1614243368 banker stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02

Threat Level: Known bad

The file e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02 was found to be: Known bad.

Malicious Activity Summary

qakbot obama07 1614243368 banker stealer trojan

Qakbot/Qbot

Loads dropped DLL

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-29 17:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 17:59

Reported

2023-01-29 18:02

Platform

win10v2004-20220812-en

Max time kernel

160s

Max time network

164s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\regsvr32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 3044 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 3044 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4848 wrote to memory of 3044 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3044 wrote to memory of 4964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3044 wrote to memory of 4964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3044 wrote to memory of 4964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3044 wrote to memory of 4964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 3044 wrote to memory of 4964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 4964 wrote to memory of 4696 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 4696 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 4964 wrote to memory of 4696 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 4620 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2016 wrote to memory of 4620 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2016 wrote to memory of 4620 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn bgdjlozzt /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll\"" /SC ONCE /Z /ST 19:02 /ET 19:14

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4620 -ip 4620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 584

Network

Country Destination Domain Proto
N/A 178.79.208.1:80 N/A tcp
N/A 13.89.179.8:443 N/A tcp

Files

memory/3044-132-0x0000000000000000-mapping.dmp

memory/3044-133-0x0000000010000000-0x0000000011000000-memory.dmp

memory/3044-134-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/3044-135-0x0000000010000000-0x0000000011000000-memory.dmp

memory/4964-136-0x0000000000000000-mapping.dmp

memory/4696-137-0x0000000000000000-mapping.dmp

memory/4964-138-0x0000000000EF0000-0x0000000000F25000-memory.dmp

memory/4964-139-0x0000000000EF0000-0x0000000000F25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

MD5 3743d1321b5216d1bee5361e06637f7a
SHA1 eb2b48326e633c4e9b0e4439403eb5a6658faa25
SHA256 c77a9da4b7eb124bd6b72778e0485038d95fbaffb034f0a9eb27797b0e425a0c
SHA512 cf62dfd92f89c0acf14d2e08a0c7352172736764d9bfdfd1f96f93483eee3e7444ec1a790aa27d4f19339d241379fb27f1e7a2613d3c3866bd7a547569585e52

memory/4620-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

MD5 3743d1321b5216d1bee5361e06637f7a
SHA1 eb2b48326e633c4e9b0e4439403eb5a6658faa25
SHA256 c77a9da4b7eb124bd6b72778e0485038d95fbaffb034f0a9eb27797b0e425a0c
SHA512 cf62dfd92f89c0acf14d2e08a0c7352172736764d9bfdfd1f96f93483eee3e7444ec1a790aa27d4f19339d241379fb27f1e7a2613d3c3866bd7a547569585e52

memory/4620-143-0x0000000010000000-0x0000000011000000-memory.dmp

memory/4620-144-0x0000000010000000-0x0000000011000000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 17:59

Reported

2023-01-29 18:02

Platform

win7-20221111-en

Max time kernel

122s

Max time network

33s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1728 wrote to memory of 344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 344 wrote to memory of 564 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\explorer.exe
PID 564 wrote to memory of 660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 564 wrote to memory of 660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 564 wrote to memory of 660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 564 wrote to memory of 660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 1664 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1664 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1664 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1664 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1664 wrote to memory of 1868 N/A C:\Windows\system32\taskeng.exe C:\Windows\system32\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn jwvrziye /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll\"" /SC ONCE /Z /ST 19:02 /ET 19:14

C:\Windows\system32\taskeng.exe

taskeng.exe {FFAA2679-A510-4305-BC2E-57A8737D8FCF} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll"

Network

N/A

Files

memory/1728-54-0x000007FEFC191000-0x000007FEFC193000-memory.dmp

memory/344-55-0x0000000000000000-mapping.dmp

memory/344-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

memory/344-57-0x0000000010000000-0x0000000011000000-memory.dmp

memory/344-58-0x0000000002110000-0x0000000003110000-memory.dmp

memory/564-59-0x0000000000000000-mapping.dmp

memory/564-61-0x0000000074A11000-0x0000000074A13000-memory.dmp

memory/564-62-0x0000000000080000-0x00000000000B5000-memory.dmp

memory/660-63-0x0000000000000000-mapping.dmp

memory/564-64-0x0000000000080000-0x00000000000B5000-memory.dmp

memory/1868-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

MD5 3743d1321b5216d1bee5361e06637f7a
SHA1 eb2b48326e633c4e9b0e4439403eb5a6658faa25
SHA256 c77a9da4b7eb124bd6b72778e0485038d95fbaffb034f0a9eb27797b0e425a0c
SHA512 cf62dfd92f89c0acf14d2e08a0c7352172736764d9bfdfd1f96f93483eee3e7444ec1a790aa27d4f19339d241379fb27f1e7a2613d3c3866bd7a547569585e52

memory/964-68-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\e45491c8c44f1b09146b967e5a1d5010b1efb3997d6e0e7534a2b0ceb7292e02.dll

MD5 3743d1321b5216d1bee5361e06637f7a
SHA1 eb2b48326e633c4e9b0e4439403eb5a6658faa25
SHA256 c77a9da4b7eb124bd6b72778e0485038d95fbaffb034f0a9eb27797b0e425a0c
SHA512 cf62dfd92f89c0acf14d2e08a0c7352172736764d9bfdfd1f96f93483eee3e7444ec1a790aa27d4f19339d241379fb27f1e7a2613d3c3866bd7a547569585e52