qakbot | 110423a9555f7aba13483288abdb3badc6194dc01f825bfe1be174d506625efb

General

Target

third_carved_dll.dll
Size

166KB
MD5

07dfe6aed5e353c8d4cc0ab026c63e3e
SHA1

29fe5ec300aa7e3b5124a223eafaa0c7df39db56
SHA256

110423a9555f7aba13483288abdb3badc6194dc01f825bfe1be174d506625efb
SHA512

7d165bc271fde6a07d65400f4175eaa12710bb4219cb24085b67cfa7559352df9d7dd08814a42f2b17d1b888e7b43093a8d6ad630eb0eb6bfe97014a6ef0bb8a
SSDEEP

3072:9ixYRIgVFK9cJx2I87ZMGCDaZqZu9E/gVAE/dxwtJBdw:9ixYVVQ9G2I8ZMGjZqY9EcAWUB6

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

C2

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4308-1-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-7-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-16-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-17-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-19-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-18-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-20-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4308-22-0x000001C923E20000-0x000001C923E4E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\11818853 = 07fb913b6eff35abba34a74cf255b0abac1adb78499d280c07840eaff13ec173ce0f5e5522d88d0c23b4d9dfdbf88dafe3f3f1032aee30c4d225fad10b39562fc1b222e82e3a5394748cb7f6ec16f03ce23dc57a43cd3384488d992b95f9c99370	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\8b03c005 = a5d8d492b528c0ec96998b0f3b18918346fddac5021e28e85ced55f4a6400c2f885fbd7192dbe1874d9a16475477f0ad10c6e29405cdb66f88a372998a2e78b8206f6781cfe4159f371819782bcaca5a3df35519797489127c97fe7bdfab250d36	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\c3e3ce61 = 64a3a426ab8f89af5e6735d8464144865d172cb7c66634c40119fcbea2dbc47ed5754ceeea56c9c0065e6a8e4647b55a6ae8204198edf12d797af2bb0a9f4de26dc645bb434ac2df3dcfb80d70d1bc410563c0153d8d05ea04a1ce55902aff5e1983dc0665f97f74aa4fa610d7e97f5800	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\1006d5d4 = 468dc1b4912626055393b4c6a0e20ee91efa56cc49dd2073f974a7684d97eb5229be9be187061f5aff165b454d4ddc2431a2552e6904dd6045cc7c60f3b62dd818	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\dcacd54a = 05b1afd87ab597c90cb70f257ca9a80f6b499057c32f21e6652b86466efb58627cfa921b44d1803b0f4becade9ad1792617f3901d6112daa218ed438e1d0669ea3c7be30a451dfb0fcf5f8770fcf92156f6023287876f48c7e9f04134eaac61d4d773d377ee9c48a9c66f662c8a527d82a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\8b03c005 = 45e4227125f9840861e734b547b4e5e4404a8daf73e56749618f18c2488b3b29a97e13988fb8d319b808fd84f8582b392d0441199701480386e342a4fa65eb2eaf16e61757ffcc4bc57c6b5a8724375fde12acecf4e77880e66721f6c2a402581f8e549214117f084ec0ff0a1f596c67b6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\dd2b88cd = 470379d7a44383c49d7baaf9fa492dc4a2b86f62d0870e4b64bac9ecb12bcd50f167701bf852f4c4305beeb22643af02c2bb578b996e505b681290315cde74218aafca5dc807407c6725760990328828dc9025eec44be45d9de134974034bdaba1593ceadd6bfcb402eaafa477f713854907d3b48ca28ef43cc8211ade652cd9cbc637d487d10f268f6b315c69d3c4fcc948acbae66e999193bfa4788acfd01d48f31e547ee1d804c75fd021403547aea6375ce3332dfba90ce340af6dc77f4a2235dad7be442c5dbaf734dbf24fb2b927	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\f49ceff = a579e2610ab2b6c545fdde7ea3c41a67af9403a0bde5cb49bf711e76a4d8d7c0d07dfe156c0651e64e35d716e2bade585f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\1b44814a = 67a46c4363705c17400d390d97559eeddb064ce5efe269fc77c76aea359d442fd192ffaa8f981181b516ba2e169a33a672	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\b41aabd4 = 079cd4653345bdcd6a7dc544a43cca764cd545612eb48cf1700bf4d8d4334ecbd47a2941b9f03cc9560a9d32a25c709d4b68e0f605105260f2883558902eb1b27885f7d1268ebc048b0daaa15260220e6225e8ad7e53e7cfb33fe295a6d7df4f2851c021d62c86cd9053c75872ec00e776	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\ioxeehedwlox\8a849d82 = 864a39c5bbf633ceb9b7d0b2eb570f327a3414fac44d073600348a124d8369911d9b74283b6da8999c66b586fe057dfff75c0c7c74a6c05831579261ad9942cff6330bc15615bb78887ec4eafb6f946306	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
1828	rundll32.exe
1828	rundll32.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe
4308	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1828 wrote to memory of 4308	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 4308	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 4308	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 4308	1828	rundll32.exe	wermgr.exe
PID 1828 wrote to memory of 4308	1828	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\third_carved_dll.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-0-0x000001C923E50000-0x000001C923E52000-memory.dmp

Filesize
8KB

Download
memory/4308-1-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-7-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-16-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-17-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-19-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-18-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-20-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download
memory/4308-22-0x000001C923E20000-0x000001C923E4E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads