qakbot | 30306eb284f9b684b2f0d02cac216563abfe6bb75099100170f160718a18ca09

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

resource	yara_rule
behavioral1/memory/1784-1-0x0000000000130000-0x000000000015F000-memory.dmp	family_qakbot_v5
behavioral1/memory/1784-5-0x0000000000100000-0x000000000012D000-memory.dmp	family_qakbot_v5
behavioral1/memory/1784-6-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/1784-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-9-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-15-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/1784-29-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-31-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-30-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-32-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-33-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-34-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2044-37-0x00000000000E0000-0x000000000010E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\fb1bc68 = 65e5d243f8e379c3b0df5ef7041221ff4221cd2c7ab5f3cc4134c0281e670f873bbcb45bb83f09101dbbdc8dbd1ab75c93bbaedff8dfebcc8fd5a63b894302b76e666876bc21e6872bfbe20079b345df39	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\6707c2f6 = c5b4724aac4c0b7cea63bd92c9dd24a40f4a692d019dbc72dd19641d491c802b6099f77b23dc8a6aa7a06f0c2c4de3601b9d2e77875cea3bfec47c7b7d06dedc18a29e72139275d24ac7d49863b53a1d0fddaa556851c09ce2240949eaf2f027f3f0ffa51eaaaa7cda7b870f65a284dea6e4b8d303224c2db2c93b2f6eaaf0e14a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\312f8a3e = 653dfddd43debd72d1ec1424a6a08f6df8cdc54ec547bef96de4f4a20070a864331ab3488a158134d3bfa9c841c130d16fbe26e5e0cb8c079b831b613e60fadbaf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\30a8d7b9 = 043406e7c83599778d36a0d4b92eb0a58b84ba9ac2becc7176345c57716c109a9138b54be82f14e170b1b41589af6254f0e915e908080275d9f59ef14748430840aa2584ba89da48486560ebbc9aba58ba2e83deec9924ea898e27f4fcb26405c1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\aa2a9fef = 67cd3a7dad09326056e8d7b636e56d4ff720a8b0c643a643b886c84dc4ad0300dad55780f93de01a9f8ad3071ed8fba91cdb8367a42d5e097c01d69dc0affb624a172402e7687ab11b23673ba06db1cb83732166609d097d3e02bfb12f6734ecabe2d56ebe3a118dc23a072e83a188e590b6c01546c9e397c09b2b8829662ffb04	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\30a8d7b9 = 64f83faae9c6e7358a48fbf5a7fb0162edd1a97367567b0281757644ff6b71c3dd015b6f9f4a713ee50a4d9693991ac36efdb2aaa790662c0308a21a8dafbdb814	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\66809f71 = 47414501e07b4ef92d44010bd9613f160d3209b5f983c1b72f13f99ca282782b82770476221a141507fe2a39680ec01a34e57e09ae0a574422496c78c0448ffc98b73bffa7900e3763918b127addb6ba4dde8ded012cb46a8dd1497e42797bff363d2538e4b8820fd7586b4e5847bd77071fa20d18fb5929b8f0e4c93804d0692e24fd3af59ab6830d17dc63bdb9473a527f10acf48062e1328fbb5b65b614813e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\7848d9dd = 2495649fdfef0e2be47df631d2fb443d905d8987030978e1dfc0df57ccc55d2508e374960a7ef6a1503692cdd1b50affdfcd644fbd77a1ca69a9e404adcc2d1b29a7ee3ef69e66d5193b4a000c8eb8f03e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\b4e2d943 = 060e65629be4ec9bebb3a8c7c84ffcd3c109a96099d9553d7e84525e7dfaee7039620d5472b80851335cf2f744a4963adf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\a0ef96f6 = 44d5ca9de76d82252fc17fcb184e7d88e996d7beecb941c92382f5add1a322b1c4513d8f5e5b5a3c7779160b22eec55161fb0d65b11037633857d0c901ec8e6e05fd26bcdf0b1ea6cce3bdc9e16a3c6fd525143bedb4e68e7f8f7113d529876a7d5583d2c4bd0472591de607543457c84d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000_CLASSES\ymipivhvxy\abadc268 = e4c685400e7f05a801dc73b7800c38b73f361a918981b9c711ed0bac6077e3bc6d353ee4d584ad4af8ff3c774623b392a3	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	rundll32.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe
2044	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28
PID 1784 wrote to memory of 2044	1784	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/1784-1-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1784-5-0x0000000000100000-0x000000000012D000-memory.dmp

Filesize
180KB

Download
memory/1784-6-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/1784-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/1784-29-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2044-9-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-15-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-8-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2044-31-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-30-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-32-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-33-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-34-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download
memory/2044-37-0x00000000000E0000-0x000000000010E000-memory.dmp

Filesize
184KB

Download