qakbot | f35586c200e7b9c2939d750eed00acd9ae4f3d29e86ab4db233f40e53fe9d44c

General

Target

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
Size

1.3MB
MD5

041f11543edf5591a8fb7b0037e3d115
SHA1

ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
SHA256

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
SHA512

3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
SSDEEP

24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8

Score

10^/10

qakbot bmw01 1706268333 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw01

Campaign

1706268333

C2

116.202.110.87:443

77.73.39.175:32103

185.156.172.62:443

185.117.90.142:6882

Attributes

camp_date
2024-01-26 11:25:33 +0000 UTC

Signatures

Detect Qakbot Payload 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-2-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1196-4-0x0000000001FF0000-0x000000000203E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1196-6-0x0000000002040000-0x0000000002093000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-7-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-5-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-3-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-8-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-9-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1196-10-0x0000000002040000-0x0000000002093000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-11-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-12-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-13-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-14-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-15-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-17-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-23-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3104-26-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-25-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-24-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-27-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-37-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-38-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-39-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-40-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-41-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5
behavioral2/memory/744-43-0x000001FF2D400000-0x000001FF2D430000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of SetThreadContext 1 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

description	pid	process	target process
PID 1196 set thread context of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\c439031f = 24b8136ecf732eacfd39db4db3e0f6ec12c4ca6693f2094d9f753d7607e6f7ccafcac0aa5b2f7b167d078db0bd15011a15a1de36b355138aebec5bbe4b8892932600d9bc2da35ccb8413dc4953b7ba5e4f	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\92114bd7 = 8770ba65d91f30db9fe49bc4ed58dd5f515be0566b624545b76b43e5c29fa99fd4d05931317183c1c36364234359636e483d047d0d4fd73d398e41711b679e2eae2cac8e147d984bae22bb0420b01c6a8e0a0276c3dac1f19100d194b232435bbcf21665233a00b7c886948d192fb2bdf0d2ecf578b1da1963a5be11307b984c98afec74456df705f3a3053ac978b3c995488d4d4427c9b88ee89061decaeb1ed4bb07cca28e37ed635566e155376ef177	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\40730de5 = 46a7436810dc1564f2be0b1ea3efb7c063b0d09e2a6c14f4c1217302db56b2c941f14da054686f8157550a2a00e60c4076	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\5f3c16ce = 4511a0d1d3456bfa08caf05232b3733a6e4ff6aed80098af7b22d61cf19f390f484cbab0e1bf4b916ba3db8dd4b9e447e4b3be66ccb97e0bec5e9d61336273cce5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\c5be5e98 = 04608d602068aa9579ab1a2b6efb6b0ba237ef814ed2562f30bded302db0d102ee874bb67ddc5e95b675a65de8957d9d8d405e07dfee6b31b387784b449b3e468d42394cebbbbbef47a7b3f9adb1518c82ae848e6a5ae5233d98178b306d30fc5410cc052156e2ead891075d39a57e2d61a5458d8976316ce80cc81e5a3e2dafbc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\c439031f = a66238b863ecf50bd16f96000945db4bdcd786683fa8c932e9831bc6f6b027c0131ce9ff2a25cd97568b12f5fcca4accd324ac397e47edd92be36744a636a2d0f5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\8cd90d7b = 04a95f5532fae4697ff7a64bfcff7b44d1b50598e4db4c511fa7ccf5d25684a6a3994f91b3f09d92747ced31f773fe8c728678f9317809f161b47e9ba690a93b65	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\93961650 = 67d70c7b075d5aa6c808fdceb26e5694b388c69f7c3113c88d6e9059409b5d830d7673af822a22e4a70e50bf3d5238459f4d901b91a16204d6d833d328733dc8ee745b5db56bc37d2dd4664a65c8486df3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\uivqayannhffvz\5ebb4b49 = 068fe3fc960e53415838c38a736b283cb66ea7954b4debd28d6e2c28358fc2071f833c3ed689070af3eb8f53e94a9ba6915d64e4103444753fe4c2fdb6ceda8626	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exewermgr.exe

pid	process
3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe
744	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

description	pid	process	target process
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1196 wrote to memory of 3104	1196	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 3104 wrote to memory of 744	3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3104 wrote to memory of 744	3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3104 wrote to memory of 744	3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3104 wrote to memory of 744	3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3104 wrote to memory of 744	3104	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
"C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
  "C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\System32\wermgr.exe
    C:\Windows\System32\wermgr.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-27-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-37-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-41-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-17-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-25-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-40-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-43-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-39-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-24-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/744-16-0x000001FF2D430000-0x000001FF2D432000-memory.dmp

Filesize
8KB

Download
memory/744-38-0x000001FF2D400000-0x000001FF2D430000-memory.dmp

Filesize
192KB

Download
memory/1196-10-0x0000000002040000-0x0000000002093000-memory.dmp

Filesize
332KB

Download
memory/1196-6-0x0000000002040000-0x0000000002093000-memory.dmp

Filesize
332KB

Download
memory/1196-4-0x0000000001FF0000-0x000000000203E000-memory.dmp

Filesize
312KB

Download
memory/3104-3-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-0-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-5-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-2-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3104-1-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads