Malware Analysis Report

2025-04-03 08:52

Sample ID 230310-nlnhyafb31
Target cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.zip
SHA256 c64c7c8922d10c146c7709cb9f6dd5040fe048f784057b37291cd66b16a3ea62
Tags
qakbot bb18 1678346091 banker stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

c64c7c8922d10c146c7709cb9f6dd5040fe048f784057b37291cd66b16a3ea62

Threat Level: Known bad

The file cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.zip was found to be: Known bad.

Malicious Activity Summary

qakbot bb18 1678346091 banker stealer trojan

Qakbot/Qbot

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-03-10 11:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-10 11:29

Reported

2023-03-10 11:32

Platform

win7-20230220-en

Max time kernel

166s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A (63 identical events)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

N/A

Files

memory/1132-54-0x00000000006B0000-0x0000000000708000-memory.dmp

memory/1132-55-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/1132-56-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/1132-57-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/1132-58-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/1132-59-0x0000000000760000-0x0000000000784000-memory.dmp

memory/1132-60-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/1132-61-0x00000000006B0000-0x0000000000708000-memory.dmp

memory/268-62-0x00000000000F0000-0x00000000000F2000-memory.dmp

memory/1132-63-0x00000000007C0000-0x00000000007E3000-memory.dmp

memory/268-66-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-67-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-68-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-69-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-70-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-71-0x00000000000C0000-0x00000000000E3000-memory.dmp

memory/268-73-0x00000000000C0000-0x00000000000E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-10 11:29

Reported

2023-03-10 11:31

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 3252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3348 wrote to memory of 3252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3348 wrote to memory of 3252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdec8947635f7dedc753b6581983ec4eb68b161796ce0990d67a01737766c1f7.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 222.147.198.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 - tcp (13 connections)
US 209.197.3.8:80 - tcp

Files

memory/3252-133-0x00000000008C0000-0x0000000000918000-memory.dmp

memory/3252-134-0x0000000000E40000-0x0000000000E63000-memory.dmp

memory/3252-135-0x0000000000E40000-0x0000000000E63000-memory.dmp

memory/3252-136-0x0000000000DE0000-0x0000000000E04000-memory.dmp

memory/3252-137-0x0000000000E40000-0x0000000000E63000-memory.dmp

memory/3252-139-0x00000000008C0000-0x0000000000918000-memory.dmp