qakbot | 3c704a8a3b1263e92f07c9d215574789d1ffee30e63244cad63f060b752cfc6e

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-0-0x000001EE4D2D0000-0x000001EE4D2FF000-memory.dmp	family_qakbot_v5
behavioral2/memory/3480-2-0x000001EE4D2A0000-0x000001EE4D2CD000-memory.dmp	family_qakbot_v5
behavioral2/memory/3480-5-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3480-6-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-8-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-14-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3480-15-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-24-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-25-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-27-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-26-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-28-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4584-30-0x0000023FC9330000-0x0000023FC935E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\8e62b9e4 = c4d4e792bd55ca44e7805800904dff87736dbbaf94726fc0163510a951a057e123011cfb40b055f451161aa2d3bb50dc3f8454d7ea2771c38e09c7447a1b2fd0409e732c3bd492e5e3db3da009ff407e500447b6edec0d69775f258edce2690825bebbca41cc28c8c7e4d2f0588d07087ebb925cb26ea85ec87a47cb76d6a40435	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\912da2cf = c45247a2a5b8558e612d99beb73754d1cc7687cc300973d147f8fd57fad3c85ee04c7ec2df081c674a9a9a035c759eaa5436886b5dbdc51c1a56590337bd81febf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\c682b780 = 45d6a50e8b89403401eda57cf24a536405d3a54d4ad904b93ff7b601e2d55dd86c520845b42ad281a3075ac5c241930f04e0c5434662e249ca7bc0c2687374d8b8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\c682b780 = a69e9e243a204c1acfe5ffa12a4ecb4befe5ec1ba9d0abc81907a29aa65d75d84751915b46d09ae480d6a777e2473489ec	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\90aaff48 = 67e75c5fb3f0b360f7efcfadf3caf02d03d97eff27609899b33db30b5f0f8be30008d7d44af112f6b3b8b54712bef6d6427873f718d04a437a343570cc3f7a4d46a5e0c638ff357b76d8f59aee75db76e86594857030041f1220d6eb7c66f174d222a72893ea8366b910dbf725356cec7276b3db4fce0981b1ad9af409f4922713723d3dc892455872c0ce01d47614adee9ece97876b13627f85d53690b0d4aac5d76b1ee954816439c87fb03f303a1241d0d5302ad2d2c0f4613401810155676762c129036ba1c21daa4adede09a5cecdd7a41babf1b8264416fec97807f10040	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\42c8b97a = 651c6bac1ab75405401ba086ef7d3d3cfe265eae9e462a39595032f2724eb56139a0f5899d3cb889efed63c7a525d102c5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\5d87a251 = 064b03f3467e99eb67a5ca8f97f094cfebbab4467a7d8d487849b324a7996d21150c2b49f300199d95242bb2d2e4a6ba324b617d8dadddc8b03eb1523c445648f7f6459d187be131a469d1258107c75e63	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\5c00ffd6 = 07b89c2b58ee70a1376ea13e6be8419870813b5feff7153252a2a3c92acc56462e9c3cb2d67db04613910cca000ba703f82e7dc4caf8146af26f9db6675fde6fd53c0ad3c282a94175305f4817b0105e85464203e9474fd46b33932780a7fe64067c1ff87723f559a188313779a8262454	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\dkunwyyuyiuad\c705ea07 = 456b4ee38606436f443b6c0433052f470c739735918677a018a09aab77b38af699dc584038da898cce6832b52c776c34a0b2af15b5070a18e1af0ab07b3846034f871d28b01de579697cad65e3f52364bd02c8d8943e4aee000bd9addc48128f63	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3480	rundll32.exe
3480	rundll32.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe
4584	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3480 wrote to memory of 4584	3480	rundll32.exe	wermgr.exe
PID 3480 wrote to memory of 4584	3480	rundll32.exe	wermgr.exe
PID 3480 wrote to memory of 4584	3480	rundll32.exe	wermgr.exe
PID 3480 wrote to memory of 4584	3480	rundll32.exe	wermgr.exe
PID 3480 wrote to memory of 4584	3480	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3480-0-0x000001EE4D2D0000-0x000001EE4D2FF000-memory.dmp

Filesize
188KB

Download
memory/3480-2-0x000001EE4D2A0000-0x000001EE4D2CD000-memory.dmp

Filesize
180KB

Download
memory/3480-5-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp

Filesize
184KB

Download
memory/3480-6-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp

Filesize
184KB

Download
memory/3480-15-0x000001EE4D300000-0x000001EE4D32E000-memory.dmp

Filesize
184KB

Download
memory/4584-14-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-8-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-7-0x0000023FC9360000-0x0000023FC9362000-memory.dmp

Filesize
8KB

Download
memory/4584-24-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-25-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-27-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-26-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-28-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download
memory/4584-30-0x0000023FC9330000-0x0000023FC935E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads