Malware Analysis Report

2025-04-03 08:52

Sample ID: 230224-cfhjysbg8y
Target: d4006bece2a7933ca9bef826b85e17bb.bin
SHA256: 4baa8cff75dc94e6ab11a40119c31b503220ba97ade4b416ef20af8ea16b34a7
Tags: qakbot bb16 1677046917 banker stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4baa8cff75dc94e6ab11a40119c31b503220ba97ade4b416ef20af8ea16b34a7

Threat Level: Known bad

The file d4006bece2a7933ca9bef826b85e17bb.bin was found to be: Known bad.

Malicious Activity Summary

qakbot bb16 1677046917 banker stealer trojan

Qakbot/Qbot

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-24 02:01

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:03
Platform: win10v2004-20230221-en
Max time kernel: 112s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe"

Network

Country | Destination | Domain | Proto
US | 20.189.173.3:443 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:03
Platform: win7-20230220-en
Max time kernel: 30s
Max time network: 33s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\polaroid.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1476 wrote to memory of 892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1476 wrote to memory of 892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1476 wrote to memory of 892 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\vibrations\polaroid.cmd"

C:\Windows\system32\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:03
Platform: win10v2004-20230220-en
Max time kernel: 64s
Max time network: 124s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\polaroid.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 3980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2424 wrote to memory of 3980 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vibrations\polaroid.cmd"

C:\Windows\system32\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
NL | 52.178.17.3:443 | N/A | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
NL | 173.223.113.164:443 | N/A | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:03
Platform: win7-20230220-en
Max time kernel: 28s
Max time network: 32s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 316 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 1384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1384 wrote to memory of 912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\polaroid.cmd

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

vibrations\airtightness.exe -decode vibrations\croaks.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe" -decode vibrations\croaks.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

vibrations\airtightness.exe -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe" -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

Network

N/A

Files

memory/1384-125-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1384-161-0x0000000002560000-0x0000000002561000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:03
Platform: win10v2004-20230220-en
Max time kernel: 150s
Max time network: 68s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 3008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
PID 64 wrote to memory of 3008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
PID 64 wrote to memory of 1764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
PID 64 wrote to memory of 1764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe
PID 64 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 64 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 64 wrote to memory of 1160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe
PID 1160 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe
PID 1160 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe
PID 1160 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe
PID 1160 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RR.lnk

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /q /c vibrations\\polaroid.cmd

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

vibrations\airtightness.exe -decode vibrations\croaks.sql c:\users\public\output.txt

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

vibrations\airtightness.exe -decode c:\users\public\output.txt c:\users\public\output2.txt

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\users\public\output2.txt,N115

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 556

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country | Destination | Domain | Proto
NL | 40.126.32.133:443 | N/A | tcp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 20.189.173.4:443 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp

Files

\??\c:\users\public\output.txt

MD5 22cfe9eedc2e6c8ff516656b6242ac41
SHA1 f59c6a1431ad36bb9035dc8043ca2aa7f151607d
SHA256 ffc649866a338db3fd611a8ad361674ce83d20dfaf547f76fdd37c0442c287c4
SHA512 1c02a208d0ff6142247ef9eb2ffbf73ea06b0f3c06903462c46b55c0cd3420b9c471d6f29aa6bdd844b32c489828bdb6c4455fc1fff838cf2c4fc3d923eb2b03

\??\c:\users\public\output2.txt

MD5 a6baa56cc1fb0fb73ad86142aa7b55d9
SHA1 8651cf4de25617b9727afd4004fe70e516f05c6f
SHA256 860f6be05c43522e405e9bfd862ee9a02c16c406ee87d8da662764d0cb3c39cd
SHA512 cbbb171a14fb0376924302cc160a8130b82403cd9644af424baf96617774f463813ae90cf8c7a676cebfffd5c2441ef283f2ddb890cc051fed283059a61e43e3

C:\Users\Public\output2.txt

MD5 a6baa56cc1fb0fb73ad86142aa7b55d9
SHA1 8651cf4de25617b9727afd4004fe70e516f05c6f
SHA256 860f6be05c43522e405e9bfd862ee9a02c16c406ee87d8da662764d0cb3c39cd
SHA512 cbbb171a14fb0376924302cc160a8130b82403cd9644af424baf96617774f463813ae90cf8c7a676cebfffd5c2441ef283f2ddb890cc051fed283059a61e43e3

memory/1160-138-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-143-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-144-0x0000000000550000-0x0000000000553000-memory.dmp

memory/1160-145-0x0000000010000000-0x0000000010023000-memory.dmp

memory/1160-146-0x000000006D700000-0x000000006D7D1000-memory.dmp

memory/4612-148-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-149-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-150-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-151-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-152-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-154-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-155-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/4612-157-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2023-02-24 02:00
Reported: 2023-02-24 02:01
Platform: win7-20230220-en
Max time kernel: 0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe

"C:\Users\Admin\AppData\Local\Temp\vibrations\airtightness.exe"

Network

N/A

Files

N/A