Malware Analysis Report

2025-04-03 08:52

Sample ID 230224-b8sd7ahh28
Target b6a0458e6ef077b43106ac606f4bd132.bin
SHA256 afd28ea23e2855ea0aebf6bcc375612a6fcd508c093ba3fec3827280aec72102
Tags qakbot bb16 1677046917 banker stealer trojan
Score 10/10

Analysis Overview

Score

10/10

SHA256

afd28ea23e2855ea0aebf6bcc375612a6fcd508c093ba3fec3827280aec72102

Threat Level: Known bad

The file b6a0458e6ef077b43106ac606f4bd132.bin was found to be: Known bad.

Malicious Activity Summary

qakbot bb16 1677046917 banker stealer trojan

Qakbot/Qbot

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2023-02-24 01:49

Signatures

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:49

Platform

win7-20230220-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:51

Platform

win10v2004-20230220-en

Max time kernel

101s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 250.108.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
US | 93.184.221.240:80 | N/A | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:51

Platform

win7-20230220-en

Max time kernel

25s

Max time network

29s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Events | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Events | Description | Indicator | Process | Target
4 | PID 1980 wrote to memory of 1708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
7 | PID 1708 wrote to memory of 1512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\disharmony.cmd

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

vibrations\smirch.exe -decode vibrations\stateswoman.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe" -decode vibrations\stateswoman.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

vibrations\smirch.exe -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

N/A

Files

memory/1708-125-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1708-161-0x0000000002200000-0x0000000002201000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:51

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Checks computer location settings

Events | Description | Indicator | Process | Target
1 | Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Loads dropped DLL

Events | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Program crash

Events | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Events | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
62 | N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A

Suspicious behavior: MapViewOfSection

Events | Description | Indicator | Process | Target
1 | N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Events | Description | Indicator | Process | Target
3 | PID 4680 wrote to memory of 4308 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
2 | PID 4308 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
2 | PID 4308 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe
3 | PID 4308 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
5 | PID 1160 wrote to memory of 1900 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\disharmony.cmd

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

vibrations\smirch.exe -decode vibrations\stateswoman.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\smirch.exe

vibrations\smirch.exe -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 544

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country | Destination | Domain | Proto
US | 20.42.73.25:443 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp

Files

\??\c:\users\public\output.txt

MD5 89fc5ce67cf242cc5b83d8faa7b5e51d
SHA1 8e895df0b516a0c62b95f54643c90e67395f63ae
SHA256 55fbd2380d89035f0ac744c832ba6f27e3430ae877c3b013cfb8b3577e2a4ad6
SHA512 4aac5fdc2f1e374f2ead608856b087156dda368e0fba523ea1693e6dc1a9332db46bca2c78b2c70bbb8bf5840e353728c991519deebaa4a45bcc4b8eb3dcd91e

\??\c:\users\public\output2.txt

MD5 e167b519cf6baad2089f2bec22012ead
SHA1 ba000e9403ce92eab037edca6f92eaf6cbbcb8f5
SHA256 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe
SHA512 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d

C:\Users\Public\output2.txt

MD5 e167b519cf6baad2089f2bec22012ead
SHA1 ba000e9403ce92eab037edca6f92eaf6cbbcb8f5
SHA256 8152566ab0b74913edaf3cfdc1d5f44d157d6b35545a782c2f5dcf40dc0c5cbe
SHA512 56838ee5dc29457efce3e8923290fbcb82d669844d2453d4ed8bf6688ceaa723c4050c83026f0572c568651e91a41a0bab6ae6c58b8be5821452fa8161d65a8d

memory/1160-138-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-143-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-144-0x00000000011F0000-0x00000000011F3000-memory.dmp

memory/1160-145-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-146-0x000000006D700000-0x000000006D7D1000-memory.dmp

memory/1900-148-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-149-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-150-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-151-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-152-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-154-0x0000000000120000-0x0000000000143000-memory.dmp

memory/1900-156-0x0000000000120000-0x0000000000143000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:51

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"

Signatures

Suspicious use of WriteProcessMemory

Events | Description | Indicator | Process | Target
3 | PID 1644 wrote to memory of 1588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"

C:\Windows\system32\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-02-24 01:49

Reported

2023-02-24 01:51

Platform

win10v2004-20230221-en

Max time kernel

110s

Max time network

113s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"

Signatures

Suspicious use of WriteProcessMemory

Events | Description | Indicator | Process | Target
2 | PID 440 wrote to memory of 1456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\disharmony.cmd"

C:\Windows\system32\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

Country | Destination | Domain | Proto
US | 20.44.10.123:443 | N/A | tcp
US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp

Files

N/A