qakbot | 178d7ac90db1700e3c57c160f0ed56230e18f98fc0adfeb1bad581c7bbb4d6f2

General

Target

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

C2

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3036-1-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-2-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-3-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-5-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-4-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-6-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-7-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-8-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-9-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-11-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-17-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-18-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-19-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-20-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/3036-21-0x000001E731120000-0x000001E73117B000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-22-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-32-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-33-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-35-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-34-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-36-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5
behavioral2/memory/4512-38-0x000001DBB5920000-0x000001DBB5950000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\a294984 = 4628829154740b70097e2c415f77665f9becd88d65bea8cbee7e91e9528cdd7e8c870492e2ef0d39b8c1168ab505f9a58b3a6196127495fda2f608c2526363bf95cd27e0c94172085915782d59b788f1131e94aa5cfd30cf24f59efb8fec049b1d94b7952bd2e1bbfea5b3cfdf1e73df892c5e3027afa1c5fa205f9d834d543ad8176861a16b2ea597913265f648360e56b2b40b5163c01d81b3d51d2d3b27642e2f7a7316daa7cd4ede50dd9a9ab844b3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\14e10f28 = c47c1c3bf78260304d9008a27b7cbdb3ffe98c3f2fcc6a49ec20f4b176cfc9e8a46f2e1bedcd21047e3ec9f218ec00bbe8472aa6cd735be616491ab2e5c0d8993b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\c704149d = c498ebe3736708510df10c7e8adb3b4cf2acaf991eb770d7b7f1cc0909fa89252bdcd45fd4e7f62007f1ce06b7b9d6ef708954fda831baac7253405886673021be193c10bd04d2f64c34819e0f491b49843b5cd741be4e6cfbf96af070a534cd42	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\c683491a = 45550a2785add1bb589b5b65d9c456316dcdd680bc8eda3c6c05a4870b1ea14a51b9f66d63e9c652a420158ab46261fdc13d37b8f9ff5b6d3b047184ceebdc4ef0c8dfd945fbb2ed7c5a2cf8dc4b02a4d3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5d865ccb = 27fcd089b4eb35a6624a95028c4b1610c57308c1deb104013f5cbae4b233f1da75	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5c01014c = 27817222e3a8252326b194c9b8f464308057e489ecbc25d7f6e415a5cbddfde8007c7510f97299d596ef824d89432ec43326b5cceb38cbb78d61fd02766638625c17baa4033287fa99759357fda7090b53	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\5c01014c = 65e06535e87b1000916ff7c9b736137e0b6a0a478107fe9b42a81b9d226a568a1bf52921d40a54542f94de29bfae2e2771a3a45c9328b89a8f42d20fcd90f7874b	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\d84b0fb6 = e725df8d5e78e900da754bb543d239e57749938bb497c20b6189efc4b2c0f44099	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\fbiboewkocoo\bae1403 = 67a044409ec38c016321effa4e4af544683f8611d99d4b9ba376f7acb601319c8c	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exewermgr.exe

pid	process
3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe
4512	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

pid process

3036 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

description	pid	process	target process
PID 3036 wrote to memory of 4512	3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 3036 wrote to memory of 4512	3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 3036 wrote to memory of 4512	3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 3036 wrote to memory of 4512	3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 3036 wrote to memory of 4512	3036	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-17-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-1-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-0-0x00007FF7C4530000-0x00007FF7C4966000-memory.dmp

Filesize
4.2MB

Download
memory/3036-3-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-18-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-4-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-6-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-7-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-8-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-9-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-29-0x00007FF7C4530000-0x00007FF7C4966000-memory.dmp

Filesize
4.2MB

Download
memory/3036-21-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-2-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/3036-5-0x000001E731120000-0x000001E73117B000-memory.dmp

Filesize
364KB

Download
memory/4512-19-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-20-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-11-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-22-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-10-0x000001DBB5950000-0x000001DBB5952000-memory.dmp

Filesize
8KB

Download
memory/4512-32-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-33-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-35-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-34-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-36-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download
memory/4512-38-0x000001DBB5920000-0x000001DBB5950000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads