qakbot | a045445c2e59ad2740537b63bb7db3b586b167fb6cdca1e48e7e3d8535690eb2

General

Target

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

C2

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4944-2-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-3-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-4-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-6-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-5-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-7-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-8-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-9-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-10-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-12-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-18-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-19-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-20-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-21-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/4944-22-0x0000022696EA0000-0x0000022696EFB000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-23-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-34-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-35-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-33-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-37-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5
behavioral2/memory/1368-36-0x0000016B2B550000-0x0000016B2B580000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\de1fd58e = e6ab04983e9cd753c54b75db89e01890e1d7be2a5657bb05ba1b87b8f999f623b091f7ba45d27eb3b933177b9b5db21cf9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\88379d46 = a56eb81a8b749f1ca010e828aa45f163404f1591987c806469405196ed1a459c15924c9c254bd6803d6aa608cc323ac0b11ec8e92218cbd6d0ea1fa09f6556ea7cecaf7ad9993bd15830739008c3f39824f1d54a74c5ce78733abf7bdb3a6405c4badd8f94cb2b1be9d5c423015e55308f429077cd89b3bcd63e3df35aef938f8520e8a3816274c23253a7908e0bd429d78a7718eee47af5a123bc1422b22ad9960de0e6dffb6a3fd1912a322219b69bbf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\96ffdbea = e4276b882e8a4802e7c41aa401b69d7bbcd202120bd7ca2274792d69b841fd3aabc0ea896ca41ef9019b8f6bb9961b76bcbda99d2f82575aa1c1b5f3da0248351be12e27493117589c2a204965dcb300ae078a36c1adfd02fcf75ae44975bd1170	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\5a55db74 = 67d8766ba95bd3cb315f910a2e91f5f80aba239c7401a1b196128318348875bf791c4d2661e3d06920ac0089cbf8ff5af9	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\df988809 = 67a67d4eed9b097a04e67ce27407adb3d5339db59035a665a51ed0025630e9d2c98d6f428a4abf1090360af9399a4609a5eeb083ec270a4a7428d2c1a6096374a40af2c402afdce95fcbfd7c5c7fcf7cea86fbd8fef4b0c87a90000bd49605eebecc77302dffc56be85203bb39555839ad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\de1fd58e = c617bf0cb75a86090ae2cdaa48a4eceef8d8cc92f5fe43ce1e7d7c29cdec3bf83864c9ecd2e6699fe8e07bd4959a291ac3f0f61cad8e0f3b5415443a011ec182c3a5506d6c2dbfdd01184b6101e1bf70d0	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\451ac05f = 6458ee467d1fdb37af8a636db12bec63550d9172c4aed8e3cc08a7a145103dbd4b261034c94a3c14e28ff37f96cea3efe288549173ad267d66d73667c1ef8878ea	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\89b0c0c1 = e750fcc2d67e5bc585b58957c62e5e41ec14156bcf969d97230d9cd72d66e6598c4f3000a3a55287a72409cfc7926fdfa5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dwkecmyjevyx\449d9dd8 = 6519e6f96a89886726bab913b3c7bb3219abc95011b2dfb477c8e3ba04a3a84fc84bcf4ebaf75ad5917358bf24698528560bb3661fede52d73ffd352cdb1398878	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exewermgr.exe

pid	process
4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe
1368	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

pid process

4944 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

description	pid	process	target process
PID 4944 wrote to memory of 1368	4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4944 wrote to memory of 1368	4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4944 wrote to memory of 1368	4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4944 wrote to memory of 1368	4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4944 wrote to memory of 1368	4944	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-23-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-11-0x0000016B2B580000-0x0000016B2B582000-memory.dmp

Filesize
8KB

Download
memory/1368-12-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-36-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-37-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-33-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-35-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-34-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-21-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/1368-20-0x0000016B2B550000-0x0000016B2B580000-memory.dmp

Filesize
192KB

Download
memory/4944-4-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-22-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-2-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-1-0x00007FF6726D0000-0x00007FF672B06000-memory.dmp

Filesize
4.2MB

Download
memory/4944-7-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-9-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-8-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-10-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-0-0x00007FF6726D0000-0x00007FF672B06000-memory.dmp

Filesize
4.2MB

Download
memory/4944-30-0x00007FF6726D0000-0x00007FF672B06000-memory.dmp

Filesize
4.2MB

Download
memory/4944-19-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-5-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-6-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-18-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download
memory/4944-3-0x0000022696EA0000-0x0000022696EFB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads