qakbot | f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2

Resubmissions

07-03-2024 08:57

240307-kwpl7sfg22 10

06-02-2024 15:03

240206-se1l5shfg7 3

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
submitted
06-02-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nitroscorp.png.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4520-3-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-2-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-1-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-5-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-4-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-21-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-22-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-20-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-32-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-35-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-36-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-34-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-33-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-19-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-18-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-17-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-11-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-9-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-8-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-7-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4520-6-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1744-38-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp	family_qakbot_v5

Qakbot family
qakbot
Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\9775e912 = e6c5e4c458d6252617c3bdee53aea21f5bdee5b3b50ae83a3066be01764fadbbf5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\12b8ba6f = c7f12e7fce6dfd9d7232acbba3fe8f5d2447d77db2f72bf8e8bb6087a8e3c9cbe8dd10940d31b3998bc2a429ab5d40326020b2b3383ce22762c06d2c7e064a25b7dc1b86f903d1d6aa517c3a836c7bca18ac4d1965c5f6b80de69997d743e6e60c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\89bdafbe = 6474bfb3a55b24ea3a51676ba09bd6ebf374ec96d8e49d14ff5be646d27bd3ac29f7e9fbd68562a1eaf7d2686473f970328bf28ca43c88c95f2c6acf2c51ff3886e23ed9d292ba8a249d85d23ad3247f5b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\133fe7e8 = c663cb00d7c1744f82cb9724ae234c8aeb8c04ad22720e95ee0805f11ebe190950a25fdf16bf4f5394950981d36a494a5283a9f2f58cb81820d5767acb22288c07	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\133fe7e8 = c5593b77270f874511f532d1455b096c89ff25387ad1a7c81f3a78e818fe0b1197bd0e7f21a79fb71c5c81c5e398ba2b0b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\4517af20 = a4abe68928ec7d66c4a951d63cff60b343e70b1bba6affce0ef399c380a0678bedc5b8063d0cdefca4744cd85e39462b2202f734660f4c6ea71e369079f17f988831f4e9e99266e1ec15ced1898abce97d68eff80a516bd1bd267dca08cfed6cfc56a41a6ba51ca814086ffb4c81ee13b1c5a7f76216b86fa02c85c4e2745c341c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\5bdfe98c = 0615d64eef6e94d76b15cff067b1aa8156d41fba5ba0782c405b06f233b7365ffb0220a038b57b71e464e1e77c14c5b5fe28898f76e43e548c4186aa834d3a6a58	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\883af239 = c7d3c5ac3b7e063efc76c52d24edc395d6645816bdf4b6a4b5db7aeef3670caaeb	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\ifanpqqqeyppo\4490f2a7 = 6402a270888c6b0ae45a088d8680a65749d0558fd3cbfea0bce3a79668ac35588425a3ac6804fedc1616b6e58470c07e5d30dbbae934db9592eedd3a4ca676c5320248a87129504355083c9925bc7e40ce	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nitroscorp.png.exewermgr.exe

pid	Process
4520	nitroscorp.png.exe
4520	nitroscorp.png.exe
4520	nitroscorp.png.exe
4520	nitroscorp.png.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe
1744	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nitroscorp.png.exe

pid	Process
4520	nitroscorp.png.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

nitroscorp.png.exe

description	pid	Process	procid_target
PID 4520 wrote to memory of 1744	4520	nitroscorp.png.exe	91
PID 4520 wrote to memory of 1744	4520	nitroscorp.png.exe	91
PID 4520 wrote to memory of 1744	4520	nitroscorp.png.exe	91
PID 4520 wrote to memory of 1744	4520	nitroscorp.png.exe	91
PID 4520 wrote to memory of 1744	4520	nitroscorp.png.exe	91

C:\Users\Admin\AppData\Local\Temp\nitroscorp.png.exe
"C:\Users\Admin\AppData\Local\Temp\nitroscorp.png.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-11-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-10-0x0000021CCFB70000-0x0000021CCFB72000-memory.dmp

Filesize
8KB

Download
memory/1744-36-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-38-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-34-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-19-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-35-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-33-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-22-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-20-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/1744-32-0x0000021CCFB40000-0x0000021CCFB70000-memory.dmp

Filesize
192KB

Download
memory/4520-0-0x00007FF6B9AB0000-0x00007FF6B9EE6000-memory.dmp

Filesize
4.2MB

Download
memory/4520-17-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-5-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-23-0x00007FF6B9AB0000-0x00007FF6B9EE6000-memory.dmp

Filesize
4.2MB

Download
memory/4520-4-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-21-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-2-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-18-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-8-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-9-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-3-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-7-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-6-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download
memory/4520-1-0x00000234BBB40000-0x00000234BBB9B000-memory.dmp

Filesize
364KB

Download