Malware Analysis Report

2025-05-05 23:45

Sample ID 230207-w6e2asgd5z
Target 60852.dat
SHA256 6decda40aeeccbcb423bcf2b34cf19840e127ebfeb9d79022a891b1f2e1518c3
Tags qakbot obama237 1675763776 banker stealer trojan
(obama237 is the Qakbot botnet ID carried in the sample's configuration; 1675763776 is the campaign ID from the same configuration, a Unix timestamp equal to 2023-02-07 09:56:16 UTC, the day the sample was submitted)
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6decda40aeeccbcb423bcf2b34cf19840e127ebfeb9d79022a891b1f2e1518c3

Threat Level: Known bad

The file 60852.dat was found to be: Known bad.

Malicious Activity Summary

qakbot obama237 1675763776 banker stealer trojan

Qakbot/Qbot

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-07 18:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-07 18:31

Reported

2023-02-07 18:34

Platform

win7-20221111-en

Max time kernel

31s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1

C:\Windows\SysWOW64\rundll32.exe  (PID 2016, the 32-bit relaunch)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 224

On Windows 7 the ordinal #1 entry point crashed the 32-bit rundll32.exe (PID 2016, reported by WerFault.exe) inside the 31 s run. No injection, no further processes and no network activity were recorded, which is why this detonation carries no signatures.

Network

N/A

Files

memory/2016-54-0x0000000000000000-mapping.dmp

memory/2016-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

memory/1252-56-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-07 18:31

Reported

2023-02-07 18:34

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Program crash

Process: C:\Windows\SysWOW64\WerFault.exe    Target: C:\Windows\SysWOW64\rundll32.exe    (Description, Indicator: N/A)

Suspicious behavior: EnumeratesProcesses

Identical rows collapsed; the sandbox logs one row per API call. Description, Indicator and Target are N/A for every row.

Process                              Calls
C:\Windows\SysWOW64\rundll32.exe         4
C:\Windows\SysWOW64\msra.exe            60

Suspicious behavior: MapViewOfSection

Identical rows collapsed as above; Description, Indicator and Target are N/A for every row.

Process                              Calls
C:\Windows\SysWOW64\rundll32.exe         4

Suspicious use of WriteProcessMemory

Identical rows collapsed, ordered by first occurrence; the sandbox logs one row per API call. Indicator is N/A for every row.

Writer (PID, image)                          Target (PID, image)                       Writes
1972 C:\Windows\system32\rundll32.exe        4144 C:\Windows\SysWOW64\rundll32.exe        3
3056 C:\Windows\system32\cmd.exe              332 C:\Windows\system32\rundll32.exe        2
3056 C:\Windows\system32\cmd.exe             1904 C:\Windows\system32\rundll32.exe        2
 332 C:\Windows\system32\rundll32.exe        2824 C:\Windows\SysWOW64\rundll32.exe        3
1904 C:\Windows\system32\rundll32.exe        4648 C:\Windows\SysWOW64\rundll32.exe        3
4648 C:\Windows\SysWOW64\rundll32.exe         912 C:\Windows\SysWOW64\wermgr.exe          3
2824 C:\Windows\SysWOW64\rundll32.exe        1732 C:\Windows\SysWOW64\wermgr.exe          3
2824 C:\Windows\SysWOW64\rundll32.exe        1420 C:\Windows\SysWOW64\wermgr.exe          5
4648 C:\Windows\SysWOW64\rundll32.exe        4192 C:\Windows\SysWOW64\wermgr.exe          5
2824 C:\Windows\SysWOW64\rundll32.exe        4536 C:\Windows\SysWOW64\msra.exe            5
4648 C:\Windows\SysWOW64\rundll32.exe        5080 C:\Windows\SysWOW64\msra.exe            5

The first five rows are process-creation writes: a parent populating a child it has just spawned (cmd.exe starting rundll32.exe, and 64-bit rundll32.exe relaunching its 32-bit SysWOW64 counterpart because the DLL is 32-bit). The last six rows are the two 32-bit rundll32.exe hosts (PIDs 2824 and 4648) writing into wermgr.exe and msra.exe, processes they have no reason to touch; that is the injection this signature is flagging.
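The events above can be triaged mechanically. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses WriteProcessMemory rows in the layout the report uses (the 39 rows as the sandbox logs them, one per API call, embedded as constructed input), separates process-creation writes (cmd.exe starting rundll32.exe, 64-bit rundll32.exe relaunching its 32-bit twin) from writes into unrelated processes, counts writes per writer/target pair, and rebuilds who created or injected into whom. The loader-host and injection-target name sets and the `child-launch`/`injection` labels are this example's own assumptions; the report defines neither.

```python
# Added example (not from the report or the sandbox vendor): triage the
# WriteProcessMemory rows of a sandbox report, separating process-creation
# writes from injection into unrelated processes.
import re
from collections import Counter, defaultdict

# Constructed input: the 39 rows as the sandbox logs them, one per API call.
EVENTS = r"""
PID 1972 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1972 wrote to memory of 4144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3056 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3056 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3056 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3056 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 332 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 332 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 332 wrote to memory of 2824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1904 wrote to memory of 4648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4648 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 912 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 4648 wrote to memory of 4192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 1420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\wermgr.exe
PID 2824 wrote to memory of 4536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 2824 wrote to memory of 4536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 2824 wrote to memory of 4536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 4648 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 4648 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 4648 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 2824 wrote to memory of 4536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 4648 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 2824 wrote to memory of 4536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
PID 4648 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msra.exe
"""
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
# Assumed name sets: wermgr.exe and msra.exe are the targets this report shows;
# explorer.exe is added as another commonly reported Qakbot target.
HOLLOW_TARGETS = {"wermgr.exe", "msra.exe", "explorer.exe"}
LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(text):
    """(src_pid, dst_pid, src_image, dst_image) per row, in log order."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events

def classify(src_image, dst_image):
    """child-launch: a parent populating a child it just spawned (cmd.exe ->
    rundll32.exe, 64-bit rundll32.exe -> its 32-bit SysWOW64 twin);
    injection: a loader host writing into a process it had no need to touch."""
    src, dst = basename(src_image), basename(dst_image)
    if src in LOADER_HOSTS and dst in HOLLOW_TARGETS:
        return "injection"
    if src == dst or (src == "cmd.exe" and dst in LOADER_HOSTS):
        return "child-launch"
    return "other"

def process_tree(events):
    """writer PID -> set of PIDs it wrote into, plus PID -> image path."""
    children, image = defaultdict(set), {}
    for src, dst, src_img, dst_img in events:
        children[src].add(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return dict(children), image

def injections(events):
    """(src_pid, dst_pid, target image name) -> write count, injection rows only."""
    hits = Counter()
    for src, dst, src_img, dst_img in events:
        if classify(src_img, dst_img) == "injection":
            hits[(src, dst, basename(dst_img))] += 1
    return dict(hits)

if __name__ == "__main__":
    ev = parse_events(EVENTS)
    children, image = process_tree(ev)
    for pid, kids in sorted(children.items()):
        print(f"{pid} {basename(image[pid])} -> {sorted(kids)}")
    for (src, dst, name), n in sorted(injections(ev).items()):
        print(f"INJECTION {src} rundll32.exe -> {dst} {name} ({n} writes)")
```

On this report the script reports six injection pairs, all from the two SysWOW64 rundll32.exe hosts (2824 and 4648) into wermgr.exe and msra.exe, and files the rundll32-to-rundll32 and cmd-to-rundll32 writes as child launches. The `other` label is deliberately left for a human: any write that is neither a recognised launch nor a recognised target should be looked at, not dropped.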

Processes

Process tree reconstructed from the WriteProcessMemory events above (a parent's first writes into a new PID mark the child it has just created). The PIDs come from those events; the image paths and command lines are the sandbox's.

C:\Windows\system32\rundll32.exe  (PID 1972)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1
  C:\Windows\SysWOW64\rundll32.exe  (PID 4144, 32-bit relaunch for the 32-bit DLL; crashed)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\60852.dll,#1
    crash of PID 4144 handled by WER:
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4144 -ip 4144
      C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 600

C:\Windows\system32\cmd.exe  (PID 3056, presumably the sandbox's launcher for the DLL's named export)
    "C:\Windows\system32\cmd.exe"
  C:\Windows\system32\rundll32.exe  (PID 332)
      rundll32.exe 60852.dll,Wind
    C:\Windows\SysWOW64\rundll32.exe  (PID 2824)
        rundll32.exe 60852.dll,Wind
      C:\Windows\SysWOW64\wermgr.exe  (PID 1732, written into by 2824)
      C:\Windows\SysWOW64\wermgr.exe  (PID 1420, written into by 2824)
      C:\Windows\SysWOW64\msra.exe  (PID 4536, written into by 2824)
  C:\Windows\system32\rundll32.exe  (PID 1904)
      rundll32.exe 60852.dll,Wind
    C:\Windows\SysWOW64\rundll32.exe  (PID 4648)
        rundll32.exe 60852.dll,Wind
      C:\Windows\SysWOW64\wermgr.exe  (PID 912, written into by 4648)
      C:\Windows\SysWOW64\wermgr.exe  (PID 4192, written into by 4648)
      C:\Windows\SysWOW64\msra.exe  (PID 5080, written into by 4648)

The submitted command line (ordinal #1) crashed here as it did on Windows 7; the named export Wind is the entry point that ran to completion and performed the injection into wermgr.exe and msra.exe. When reproducing this sample, invoke the Wind export rather than ordinal #1.

Network

Identical flows collapsed, ordered by first occurrence.

Country  Destination            Domain                       Proto  Flows
US       93.184.221.240:80      -                            tcp    7
US       204.79.197.200:443     -                            tcp    1
US       8.8.8.8:53             r.bing.com                   udp    1
NL       95.101.74.148:443      r.bing.com                   tcp    1
US       93.184.220.29:80       -                            tcp    1
US       8.8.8.8:53             a-ring-fallback.msedge.net   udp    1
US       131.253.33.254:443     a-ring-fallback.msedge.net   tcp    1
NL       104.80.225.205:443     -                            tcp    1

The only names resolved are Microsoft service hostnames (r.bing.com, a-ring-fallback.msedge.net), and nothing in the 147 s capture is identified by the report as Qakbot command-and-control. A C2 list for this sample has to come from the configuration extracted from memory, not from this traffic.

Files

Memory dumps, named PID-sequence-range, ordered by sequence number:

memory/4144-132-0x0000000000000000-mapping.dmp
memory/332-133-0x0000000000000000-mapping.dmp
memory/1904-134-0x0000000000000000-mapping.dmp
memory/2824-135-0x0000000000000000-mapping.dmp
memory/4648-136-0x0000000000000000-mapping.dmp
memory/2824-137-0x0000000010000000-0x0000000010023000-memory.dmp
memory/2824-147-0x0000000000870000-0x0000000000873000-memory.dmp
memory/4192-148-0x0000000000000000-mapping.dmp
memory/1420-149-0x0000000000000000-mapping.dmp
memory/4536-150-0x0000000000000000-mapping.dmp
memory/5080-151-0x0000000000000000-mapping.dmp
memory/5080-153-0x00000000010D0000-0x00000000010F3000-memory.dmp
memory/4536-154-0x0000000000910000-0x0000000000933000-memory.dmp
memory/4536-155-0x0000000000910000-0x0000000000933000-memory.dmp

The 0x23000-byte region dumped from rundll32.exe PID 2824 at base 0x10000000 has exactly the size of the regions later dumped from msra.exe PIDs 5080 and 4536, which is consistent with the same unpacked payload being written into msra.exe. Diffing those three dumps is the quickest way to confirm it.

C:\Users\Admin\AppData\Local\Temp\60852.dll

MD5 ffd8f30a0e9e989b1eece2153710e605
SHA1 1859a59c4123596702e9ecd1eb4cb4fee3dd8bfb
SHA256 99380a83c65d0e9333b62bd487b96e011070fce7fe74598ba484383f19aaddbf
SHA512 3b7fa1e57d417f35cf2bf051b1f297f01fc9f3a8d2d5fd4fd9b3fa61b85eb4ca4202531fdc4fdd85625828c07fb2332fa9687fb8dda6afeba5d8caba47421699

This SHA256 differs from the submitted sample's (6decda40aeeccbcb423bcf2b34cf19840e127ebfeb9d79022a891b1f2e1518c3), so the copy left in %TEMP% after detonation is not byte-identical to the submission. Do not treat the on-disk file as the original sample without checking its hash.
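The dump names encode PID, sequence number and address range, which is enough to cross-check the injection before opening a single file. The Python below is an added example, not part of this report or of the sandbox's tooling: the dump names are copied from the list above as constructed input, the writer PIDs are the two from the WriteProcessMemory section, and the rule it applies (a region of identical size present in a writer process and in a process it wrote into is a payload candidate) is an analyst heuristic, not something the report states.

```python
# Added example (not from the report or the sandbox vendor): find memory
# regions of identical size shared between an injecting process and the
# processes it wrote into, from sandbox dump file names alone.
import re
from collections import defaultdict

# Constructed input: dump names copied from the behavioral2 Files list.
DUMPS = [
    "memory/4144-132-0x0000000000000000-mapping.dmp",
    "memory/332-133-0x0000000000000000-mapping.dmp",
    "memory/1904-134-0x0000000000000000-mapping.dmp",
    "memory/2824-135-0x0000000000000000-mapping.dmp",
    "memory/4648-136-0x0000000000000000-mapping.dmp",
    "memory/2824-137-0x0000000010000000-0x0000000010023000-memory.dmp",
    "memory/2824-147-0x0000000000870000-0x0000000000873000-memory.dmp",
    "memory/1420-149-0x0000000000000000-mapping.dmp",
    "memory/4192-148-0x0000000000000000-mapping.dmp",
    "memory/4536-150-0x0000000000000000-mapping.dmp",
    "memory/5080-151-0x0000000000000000-mapping.dmp",
    "memory/5080-153-0x00000000010D0000-0x00000000010F3000-memory.dmp",
    "memory/4536-154-0x0000000000910000-0x0000000000933000-memory.dmp",
    "memory/4536-155-0x0000000000910000-0x0000000000933000-memory.dmp",
]
# Writer PIDs taken from the WriteProcessMemory section of this report.
WRITERS = {2824, 4648}

REGION = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_region(name):
    """{pid, seq, start, end, size} for a region dump; None for mapping files."""
    m = REGION.match(name)
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end,
            "size": end - start}

def regions_by_size(names):
    """region size -> set of PIDs that had a region of exactly that size dumped."""
    groups = defaultdict(set)
    for r in filter(None, map(parse_region, names)):
        groups[r["size"]].add(r["pid"])
    return dict(groups)

def injected_payload_candidates(names, writers):
    """Sizes present both in a writer process and in at least one non-writer.

    A private region of the same size on both sides of a cross-process write
    is the usual footprint of a copied payload; the dumps should then be
    diffed to confirm the bytes match.
    """
    return {size: pids for size, pids in regions_by_size(names).items()
            if pids & writers and pids - writers}

if __name__ == "__main__":
    for size, pids in sorted(injected_payload_candidates(DUMPS, WRITERS).items()):
        print(f"0x{size:x} bytes shared by PIDs {sorted(pids)}")
```

On this report the function returns a single size, 0x23000 bytes, shared by rundll32.exe 2824 and msra.exe 4536 and 5080. The 0x3000-byte region in PID 2824 is filtered out because no injected process holds a region of that size. When you do open the 2824 dump, its base of 0x10000000 is the default preferred image base for a DLL, so it is the first candidate to try loading as a PE.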