qakbot | f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2

Resubmissions

07-03-2024 08:57

240307-kwpl7sfg22 10

06-02-2024 15:03

240206-se1l5shfg7 3

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nitroscorp.png.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1052-2-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-4-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-3-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-5-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-6-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-7-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-8-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-9-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-10-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-12-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-18-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-19-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/1052-21-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-22-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-20-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-23-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-33-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-34-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-36-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-35-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5
behavioral1/memory/3744-37-0x000001FA50430000-0x000001FA50460000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\55261433 = 86d804748137051fb96e0f0020ca35a237c73a4f71fd25252c1976427a2927e46bb6cd037dce1d59bf1e167dfd3eaf1ea2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\30e5cfb = a6639eb704f0fa13f0a1d40cadae38733cdda1fda8b3d7dfda04f929010dc09f90623a7341e16588c00d189210bbab58b2c13ddc7836b3bbbfc3b49667e55688787c83dd00f9daf04c04f77cfc6cf562ac0ac131e1f8cd9b60c7a1c14db301fa832fae2bf57048ee6e15956da4781909e0da1d6a5baabe03417f3ca5a042957d37e1e5076f2fd38320587a351c36c88570cc70a76c4c996b1b63393f45193986af	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\289017c = c478c0173e21003a13812724aa935f450828d5691f918b1a8d1c13cf05a587e88f7771cf72e89bd70eb7699b5634fe01cb	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\1dc61a57 = e77ee4daef7160feb863db209d2502c1b85b71aff4a341efa290928d0b64fbe6f7426259ba8325d62af59ff1ec05c34abc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\d16c1ac9 = 4751694b84121e57d2bfdef3a3df1820ad63ef540b3567330ce910006c87b9fffaef0ddab35f69568df7af45a600d324219343d9252a14389250f0369446b484651672950578cbd01bb853a2527867623962b2e21da715c20d19630c14b8282d4c8921575b90b3091e3effbf0a266d03de04d7b39a4b798af83183cf96c8d4c532	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\ce2301e2 = 668056444c9182881ccfb209d8f61f53079ddbbd1e59e0a0d4eae6424515448a8fc4c0e342ce256621adb1c4661bfa0bc325910ad05170b69858623c3c429ea2316fd58cfa4ff14a0604249da17f40e4de4ae185baba6707f9513708e5915c96fe77acc62dd226a554799a7bd45a4629f759fcc4ecd5518884b976f85febb3cd11	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\cfa45c65 = 45919e7490eb279cefd7b668115ab3472e927c2da879043baf40744bdea80a2fe9550120103fcc266d8f463a5ea66fdce3a1f284068104095b1168fbdc1a76c7d8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\54a149b4 = e5fe25f33a092db441d7631a47ae524db7304df73e0c334c71a09fdd7c6cbba288ae9506ae6f7461c6ebe011dbbfcb29b3da5a87f6936c2562cf61105cc2400247	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\pesbuksawajdx\55261433 = 24acd0b1ac05c49a2c6f2e27ca7dfe833c23a2f31084fb07533f764e6729099f9918f7ce1ebb9b14e591ab8b42f0185878df8a63e7ef9f74d121d7036ad9de11001d0ccc2b400939ef679f5512ac6c222e	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nitroscorp.png.exewermgr.exe

pid	Process
1052	nitroscorp.png.exe
1052	nitroscorp.png.exe
1052	nitroscorp.png.exe
1052	nitroscorp.png.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe
3744	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nitroscorp.png.exe

pid	Process
1052	nitroscorp.png.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

nitroscorp.png.exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 3744	1052	nitroscorp.png.exe	107
PID 1052 wrote to memory of 3744	1052	nitroscorp.png.exe	107
PID 1052 wrote to memory of 3744	1052	nitroscorp.png.exe	107
PID 1052 wrote to memory of 3744	1052	nitroscorp.png.exe	107
PID 1052 wrote to memory of 3744	1052	nitroscorp.png.exe	107

C:\Users\Admin\AppData\Local\Temp\nitroscorp.png.exe
"C:\Users\Admin\AppData\Local\Temp\nitroscorp.png.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-6-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-8-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-2-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-4-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-3-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-5-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-1-0x00007FF734140000-0x00007FF734576000-memory.dmp

Filesize
4.2MB

Download
memory/1052-7-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-21-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-9-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-10-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-24-0x00007FF734140000-0x00007FF734576000-memory.dmp

Filesize
4.2MB

Download
memory/1052-0-0x00007FF734140000-0x00007FF734576000-memory.dmp

Filesize
4.2MB

Download
memory/1052-18-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/1052-19-0x0000022C72BC0000-0x0000022C72C1B000-memory.dmp

Filesize
364KB

Download
memory/3744-12-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-22-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-20-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-23-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-11-0x000001FA50460000-0x000001FA50462000-memory.dmp

Filesize
8KB

Download
memory/3744-33-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-34-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-36-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-35-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download
memory/3744-37-0x000001FA50430000-0x000001FA50460000-memory.dmp

Filesize
192KB

Download