Malware Analysis Report

2025-04-03 08:50

Sample ID 230228-t68mhabh3y
Target bbbbbboris.png
SHA256 7193cff8c047bcb00743121f4f90a7df786c93da0b68366bb40d927215f6907b
Tags
qakbot bb17 1677576236 banker stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7193cff8c047bcb00743121f4f90a7df786c93da0b68366bb40d927215f6907b

Threat Level: Known bad

The file bbbbbboris.png was found to be: Known bad.

Malicious Activity Summary

qakbot bb17 1677576236 banker stealer trojan

Qakbot/Qbot

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-28 16:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-28 16:41

Reported

2023-02-28 16:43

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-28 16:41

Reported

2023-02-28 16:43

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2708 wrote to memory of 1964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 3632 wrote to memory of 2356 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe | 2
PID 2356 wrote to memory of 1792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 3632 wrote to memory of 1572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe | 2
PID 1792 wrote to memory of 1416 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe | 5

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbbbbboris.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 1964

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 604

C:\Windows\system32\rundll32.exe

rundll32 bbbbbboris.dll,N115

C:\Windows\SysWOW64\rundll32.exe

rundll32 bbbbbboris.dll,N115

C:\Windows\system32\rundll32.exe

rundll32 bbbbbboris.dll,N115

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country | Destination | Domain | Proto | Occurrences
US | 209.197.3.8:80 | - | tcp | 3
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1
US | 93.184.220.29:80 | - | tcp | 1
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp | 1
US | 20.189.173.6:443 | - | tcp | 1
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp | 1

Files

memory/1792-133-0x0000000002760000-0x0000000002783000-memory.dmp

memory/1792-138-0x0000000002760000-0x0000000002783000-memory.dmp

memory/1792-139-0x0000000002540000-0x0000000002543000-memory.dmp

memory/1792-140-0x0000000002760000-0x0000000002783000-memory.dmp

memory/1416-142-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-143-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-144-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-145-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-146-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-147-0x0000000000820000-0x0000000000843000-memory.dmp

memory/1416-148-0x0000000000820000-0x0000000000843000-memory.dmp