qakbot | d71d1b53db8a84f458dd0e1d09753e566da818fa792c2ea4d2e89fb59d83939a

Analysis

max time kernel
161s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1848-0-0x0000012DD1960000-0x0000012DD198F000-memory.dmp	family_qakbot_v5
behavioral2/memory/1848-4-0x0000012DD1930000-0x0000012DD195D000-memory.dmp	family_qakbot_v5
behavioral2/memory/1848-5-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1848-6-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-8-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-15-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1848-14-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-24-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-26-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-25-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-27-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-28-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1752-30-0x00000148496C0000-0x00000148496EE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\101403b5 = e4e8ed36da9cb5c21d2f3a3a9bcdd1985a423f15eea19f0c139bc271b7e852f6d8a97cd6b66444bdcd20f4e401cc615d570e7067b18594883ce84ef9a0c7af8716	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\47bb16fa = 054af5a75798d32738243897283c97e9da2ef455b461e89a541332981354f91bafb33de7e084a3c3fd929a761595f0df47d652b0c3cafffd2cad182050655314a59db255fa64eebec4ec429e388532a79b94fab3e9605401768ad277f3b6537ef196cc2a7f38e68c5338afe767a02dad89031e604960846ed4967d92d30b0a5d28459256a687102a7df68c618bbebd524f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\8a964be3 = e6a221825cf5156b2438c0bc71a89aaa0b8fda6d30a5c4756c4ec2923f252d6cdbc6de693bfb4e8302246e788d0ac81bbfc18e8d999aff7519b6430ea22a2fc3370f5045a69335c2e849520b8e164afa519889addbdbe62b91e23c739492d0297c8dadceff1bc2a212c49ca2b6b4cb4077	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\463c4b7d = 06385ae9ac573d1fb95783ae9fbaefc198d777f2a9fff7218349f4e68274d2177bcb37ff1fa340c8eb11c9a0e23882a523	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\8b111664 = 07846ac0847d4bd911007d7f0d2395601bc5ebe8ebc3d1c41bbb733783da4be2fd4df9ab4072d0ae23ab575243be9ceb8f721945bcbae267ab53709ab9aa7f6198c25cc14ea5d60dd0279f408b440997e59c3908a67da984a54a01962fd403d10c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\11935e32 = a5b26b506d2029a64fb075ce0adda6922a754620e6affe0636790f91d8ed532db8ce74203f189fce435a07901b08f7b618db284eea004c4ed2b6f44dce555dd00e76f625b5407981a890a99f41f552b1617c8c7942897c1c1fb9d62861dba3a56860eb1c755c02f246efedad828790d83a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\11935e32 = 651b6a87c35748c9a157f94f04a8198ced25c4f61f830af0bd9762733918a4f150de62a2b254b52e82c90fee75eaa5fbde2f57a96b6d2acee1f281a523686d34f5eaa0683916de9c6ae737f174e51ea671	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\59735056 = 864cf2e7bab95cfb818f7c859a237489b4ccc74840cafea8e801897157301de1309b6ff6154c451a9b46627284ab84980eb369d0e9567a7242f8b2f8101cacd2b5f97a55086b577b61a92e2c30818bfdc84684da73110173cb2a512d0d8c106e8d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\tecyyesidrne\95d950c8 = 0584291aac67f8e74254582341e08447b4f65dc9386fdfe582c00697a4144ef17531baed69945d89e0f04a51dac7d28a65ce27f12d9c987edecb7379646a7c9a19	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	Process
1848	rundll32.exe
1848	rundll32.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe
1752	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 1848 wrote to memory of 1752	1848	rundll32.exe	94
PID 1848 wrote to memory of 1752	1848	rundll32.exe	94
PID 1848 wrote to memory of 1752	1848	rundll32.exe	94
PID 1848 wrote to memory of 1752	1848	rundll32.exe	94
PID 1848 wrote to memory of 1752	1848	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-26-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-15-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-30-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-28-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-7-0x00000148496F0000-0x00000148496F2000-memory.dmp

Filesize
8KB

Download
memory/1752-8-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-27-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-24-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1752-25-0x00000148496C0000-0x00000148496EE000-memory.dmp

Filesize
184KB

Download
memory/1848-0-0x0000012DD1960000-0x0000012DD198F000-memory.dmp

Filesize
188KB

Download
memory/1848-14-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp

Filesize
184KB

Download
memory/1848-4-0x0000012DD1930000-0x0000012DD195D000-memory.dmp

Filesize
180KB

Download
memory/1848-6-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp

Filesize
184KB

Download
memory/1848-5-0x0000012DD1990000-0x0000012DD19BE000-memory.dmp

Filesize
184KB

Download