Malware Analysis Report

2024-11-30 13:30

Sample ID 241120-3pyweawgrn
Target 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.exe
SHA256 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf
Tags
qakbot tr 1634541613 banker discovery stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf

Threat Level: Known bad

The file 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.exe was found to be: Known bad.

Malicious Activity Summary

qakbot tr 1634541613 banker discovery stealer trojan

Qakbot family

Qakbot/Qbot

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 23:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 23:42

Reported

2024-11-20 23:44

Platform

win7-20240903-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2760 wrote to memory of 2772 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2956 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2816 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 3056 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 3056 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 3056 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 3056 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\system32\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1868 wrote to memory of 1872 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hojjksaila /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll\"" /SC ONCE /Z /ST 23:44 /ET 23:56

C:\Windows\system32\taskeng.exe

taskeng.exe {53FEE0B6-EF00-43FE-B657-2402B8FB0EB5} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"

Network

N/A

Files

memory/2772-0-0x0000000074A10000-0x0000000074BBB000-memory.dmp

memory/2772-4-0x0000000074A10000-0x0000000074BBB000-memory.dmp

memory/2772-3-0x0000000074BA0000-0x0000000074BA6000-memory.dmp

memory/2956-5-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2956-7-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2772-8-0x0000000074A10000-0x0000000074BBB000-memory.dmp

memory/2956-11-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-14-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-12-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-13-0x0000000000080000-0x00000000000A1000-memory.dmp

memory/2956-15-0x0000000000080000-0x00000000000A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll

MD5 1c399b307dc2464ace2fe06e227171c9
SHA1 073d37ed9ee2a7f2090118925785636dbaf1cb6c
SHA256 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf
SHA512 64fa64b1e9fbaf67e0f54375bd0236b5338ed5fe4bea7a89123fdfe452084bd663f4085ad3e01d3c982ad20b6cf6cd08212f4adfc4a8a5be65784bab10f3250a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 23:42

Reported

2024-11-20 23:44

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

Signatures

Qakbot family

qakbot

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1956 wrote to memory of 3452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 3452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 3452 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3452 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3452 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3452 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3452 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 3452 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\explorer.exe
PID 2460 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2460 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2460 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4256 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4256 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 4256 wrote to memory of 1688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll,#1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qxwiirv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll\"" /SC ONCE /Z /ST 23:44 /ET 23:56

C:\Windows\system32\regsvr32.exe

regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"

C:\Windows\SysWOW64\regsvr32.exe

-s "C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/3452-0-0x0000000074CB0000-0x0000000074E5B000-memory.dmp

memory/3452-4-0x0000000074CB0000-0x0000000074E5B000-memory.dmp

memory/3452-3-0x0000000074E40000-0x0000000074E46000-memory.dmp

memory/3452-1-0x0000000074CB0000-0x0000000074E5B000-memory.dmp

memory/3452-5-0x0000000074CB0000-0x0000000074E5B000-memory.dmp

memory/2460-6-0x0000000000190000-0x00000000001B1000-memory.dmp

memory/3452-7-0x0000000074CB0000-0x0000000074E5B000-memory.dmp

memory/2460-11-0x0000000000190000-0x00000000001B1000-memory.dmp

memory/2460-12-0x0000000000190000-0x00000000001B1000-memory.dmp

memory/2460-10-0x0000000000190000-0x00000000001B1000-memory.dmp

memory/2460-14-0x0000000000190000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf.dll

MD5 1c399b307dc2464ace2fe06e227171c9
SHA1 073d37ed9ee2a7f2090118925785636dbaf1cb6c
SHA256 929266c5f7930996ec26e09f1d163ea356946cd4eed12523e2606b33448b8fbf
SHA512 64fa64b1e9fbaf67e0f54375bd0236b5338ed5fe4bea7a89123fdfe452084bd663f4085ad3e01d3c982ad20b6cf6cd08212f4adfc4a8a5be65784bab10f3250a