Malware Analysis Report

2025-04-03 08:53

Sample ID 230313-xh15asbf43
Target 808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220
SHA256 808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220
Tags
qakbot bb19 1678708246 banker stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220

Threat Level: Known bad

The file 808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220 was found to be: Known bad.

Malicious Activity Summary

qakbot bb19 1678708246 banker stealer trojan

Qakbot/Qbot

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-03-13 18:52

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-13 18:52

Reported

2023-03-13 18:53

Platform

win10v2004-20230220-en

Max time kernel

68s

Max time network

70s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53            0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53            76.38.195.152.in-addr.arpa     udp
US       8.8.8.8:53            36.146.190.20.in-addr.arpa     udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53            185.130.69.20.in-addr.arpa     udp
NL       52.178.17.2:443       -                              tcp
US       8.248.3.254:80        -                              tcp
US       8.248.3.254:80        -                              tcp
US       8.8.8.8:53            113.238.32.23.in-addr.arpa     udp
NL       173.223.113.164:443   -                              tcp
US       8.8.8.8:53            1.77.109.52.in-addr.arpa       udp
US       8.248.3.254:80        -                              tcp
US       8.8.8.8:53            203.33.253.131.in-addr.arpa    udp

Files

memory/4444-133-0x0000000002E10000-0x0000000002E33000-memory.dmp

memory/4444-138-0x0000000002E10000-0x0000000002E33000-memory.dmp

memory/4444-139-0x0000000001440000-0x0000000001443000-memory.dmp

memory/4444-140-0x0000000002E10000-0x0000000002E33000-memory.dmp

memory/708-142-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-143-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-144-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-145-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-147-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-146-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-148-0x0000000000D00000-0x0000000000D23000-memory.dmp

memory/708-149-0x0000000000D00000-0x0000000000D23000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-13 18:52

Reported

2023-03-13 18:53

Platform

win7-20230220-en

Max time kernel

54s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\808b57c523e08bf94b288c419a772c111e7ddd4bffcb5da61b4cc02a1c042220.dll XS88

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

N/A

Files

memory/1640-54-0x0000000000200000-0x0000000000223000-memory.dmp

memory/1640-59-0x0000000000200000-0x0000000000223000-memory.dmp

memory/1640-60-0x0000000000140000-0x0000000000143000-memory.dmp

memory/1208-61-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/1640-62-0x0000000000200000-0x0000000000223000-memory.dmp

memory/1208-63-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1208-66-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1208-67-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1208-68-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1208-69-0x0000000000080000-0x00000000000A3000-memory.dmp

memory/1208-71-0x0000000000080000-0x00000000000A3000-memory.dmp