qakbot | 50579f60434dc090c747bf01985ddfb348b19ced73767a2d6030cda4babad6cc

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

resource	yara_rule
behavioral1/memory/756-1-0x0000000001D20000-0x0000000001D4F000-memory.dmp	family_qakbot_v5
behavioral1/memory/756-5-0x0000000001CF0000-0x0000000001D1D000-memory.dmp	family_qakbot_v5
behavioral1/memory/756-6-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/756-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-9-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-16-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/756-29-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-30-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-31-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-32-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-33-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-34-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2340-37-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\8ac00da0 = 67db4ac987930acba34d4d13aed6a709fb9b7ebfaeb7bfce9255fe374131f4c795f27b08ded5a3ce8694c3d9cb7c8b5b3bb4bc1e80462cf5ec124ac45a29f8256af087a4b007d92673e6726425e48d8916630716506d81862838e9ebadfda1107e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\8182593e = 84ef89c031600486a8e63d25577af294e7827ebb923df400c51e76f2506466852ca8a327f6f165e3bf008c59c1e132200b919f604ec7e2e6c8d0423e1274024aff360a9bc36a3238b52f6caf7bacee93f1a1ffd90534c689c8f5121d09d6d942732b978bf4c938d53843b681515f7e47a3159b44b57344bc95e948fa9f1d948bb2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\1a874cef = c5a9bfc12f8f3aa275811656beac9369e8aeafd4a608bee0167cf11481b7776c16525508e674ab9e305b48c6539507845f8c19becf27561e34b703324f5daf71ef77e711bbf34fecb0eeec24fd6bd1a2c9cb5b3522e5b9b8f71afbc860e0a4e107	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\1a874cef = 257a131d8968a7f50a8b60b41df48423826e5d4beaf1f2d6466e29939ea6cd9df08c1d8e34d395b970fa5f7c8f061451bf97d51ed024bfd6c539345af80ad748f0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\5267428b = e6b7ce2b10bc86c28a4c5429f3504acdaf8773c86a24fcd565d3e335aebbb311c8033ec97f3f4eaa1bb7a1222bf086a3452fbfd15659d0e1cac25eba2b70db779b3c217eb5a35ef72adb0067432a3006a83c37723b884bc2985fb438516fbdeb3a72280649c9f544de2c4e6920c522577f18eed3134bea7ea5b3bddd62637e71dc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\9ecd4215 = 64ed99626dbb440ba44e5a684cd7a15df32c53599cb89e5c8118a1c876c95bf36cbe85615e6f4e1362206f24d35889dce2b3848f0e69229a5a81347bc6c0a53367	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\4d2859a0 = 6604299b1966f3dfa692ba04059c97a4ccb3262e79a9c02760e9174c2008444ea8f00de6b09777084b86d6a26d5eba7202cfdd0b2862e7a8c7667e5824b94381101f48c575466af2e3c8752e3c07acee1738f9811f451c7e09eccf779509fc9208	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\800504b9 = 856469900b7435cafe37d75d24946eb670e4b940212589bb26e849e15950df215fee05c9dccc1a746059895092b5620c8f8afce3d51c9c68bf9b4c2609bda94b7d09034d73adbff468e776d9529c336257	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\1b001168 = 06e046e35c6cdedf69e7489a0a929025ad49064142db207e42583005d778b07af9f04455c37df8cbedfb9fdea00d6b66b234a84b430ae026c8abca72fd7e2bc4d237fc690aa06773e48867bc21535c9da753f728aa9efb2dc8f9ad2222be117c2e	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\4caf0427 = e73589cd56c1619bead22edb0ceeb5dbf072504457f9a1367bd879133f88298e6d1bbc949bc1fcca2c56432a4162b0761b5b4a5236f41520d71a9243980c56dd17d24f9f96388673393a21051476e3c75f89689f74145f46c270a090f89578d7ab76d96ce1df2047c7d019fb6ad508a8ca688b0f4f886d25ae84681a3b1a36ba3b75e6c199fbc98030717a5ee383c5490c0a91e45bac5ce89b0cb647b99da9d0e9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\yiutxwcrolrku\259e273e = 65958b006e0cb3434cd6a5acd8e696901f4d8d8df362c67dbd0951509ce2941fd0d406ef28e5939207512ba99f65160b468d5cf95e2db1a7114558abc1198485718351123ff5a8d50132c54bc86caddca9cb4460c780b3af3a799e7953a312cfa7	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	rundll32.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe
2340	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2340	756	rundll32.exe	28
PID 756 wrote to memory of 2340	756	rundll32.exe	28
PID 756 wrote to memory of 2340	756	rundll32.exe	28
PID 756 wrote to memory of 2340	756	rundll32.exe	28
PID 756 wrote to memory of 2340	756	rundll32.exe	28
PID 756 wrote to memory of 2340	756	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/756-1-0x0000000001D20000-0x0000000001D4F000-memory.dmp

Filesize
188KB

Download
memory/756-5-0x0000000001CF0000-0x0000000001D1D000-memory.dmp

Filesize
180KB

Download
memory/756-6-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/756-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/756-29-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2340-9-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-16-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-8-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2340-30-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-31-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-32-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-33-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-34-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/2340-37-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download