qakbot | f45707044c3f97917cc5f3aa1b08dba628c0c801ec4c09b5b356041f65702c2d

General

Target

dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
Size

1.3MB
MD5

5fec958eac0d6cd761e99616b86f9cf2
SHA1

fe0515cb74a579b293b3ea2d2cd88b0192326455
SHA256

dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699
SHA512

7cf78df279f4cf31fa763a7ddbaa70879c5e697adf9fac8cd4650b1e6454ad874a0e058da99a886620740bdd526eb4a8eabb1c9693e991b492a3d627bdcdbe6c
SSDEEP

24576:pH4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:GG8P8VcrlcwLXPpL8

Score

10^/10

qakbot bmw01 1706268333 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw01

Campaign

1706268333

C2

116.202.110.87:443

77.73.39.175:32103

185.156.172.62:443

185.117.90.142:6882

Attributes

camp_date
2024-01-26 11:25:33 +0000 UTC

Signatures

Detect Qakbot Payload 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-3-0x0000000002010000-0x0000000002063000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-12-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-11-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4892-10-0x0000000002010000-0x0000000002063000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-9-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-8-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-7-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-6-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-5-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-4-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4892-0-0x0000000001FC0000-0x000000000200E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-13-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-14-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-26-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-28-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-24-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-38-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-37-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-39-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-41-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-40-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-25-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-23-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-17-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5
behavioral2/memory/4008-15-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1976-43-0x00000183B4120000-0x00000183B4150000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of SetThreadContext 1 IoCs

Processes:

dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe

description	pid	process	target process
PID 4892 set thread context of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\5704d669 = e6b634d1cc09ac8f4cc614dc005e50992323c0187fbbda7df1d89e86bede8dceb10b5e2ada8242cf31307eabae47cae414	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\9baed6f7 = 06f2a709debcdf9d2ec9b6233c5d066c65531a847b322c15147f7877ab955d03a29e4a4d9f51cc8d7040115133b5999e28c45e33667e6b7044446e896821c821d54e97d065bf66f8a391aa8873504b394e01261ebc2f7a7102f0cf2a8ad9b08b32048e02d5dfa8914226d496f497a3c085	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\84e1cddc = 6540610fbedf738e7fdd9b3aa0e68d78b96e25aa3da19e56fa9f71edd0f7e6278afdb7331bc85de77cf7bf2ac7e0dde2a327cbc2ad5ded2ecbd64aa8be44c632bc00465b1e85fa6645d5b7eada0e0cdf129a03fe067d98ed02fc93a1e702e02e71f475019b3d262d365dea394f5eb9c18f22926f04c1216be9520667c89e04b7e6	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\484bcd42 = 64aaf2442fcfeae2298670bbd6baa211579eaf7584e64afab6ded57528992c8a536212e304cb890940523fd655b709d3cf0aa03bbc19916b7d266d59a3e5e8d466cfbf6b1e41313028ee243dcc40138eac	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\8566905b = 274b63aeb758f81fe778d934c373222d1419c2e03d67691ae734c899741450f142b7d6b9ccc49263efd46bdb6a03f0b745bcf196069cef2eea52d51596efb62390d93c3cb34d02bf60883c9f46b5cd28bf0c3b2c4e4d40140466a1e0655728dd18	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\1fe4d80d = 64a1703f8fdad5edb9d47c2f82c384b1bfb500ae77e9fb9daf19d35a7fc25cbd0d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\49cc90c5 = 66376ee7b8575da5802bbb01b65417b73997b123080109399fcacd7d890e3693e01e065bf732f7bd79efc6099627ff78a1519228c2460fdefaf19d59a893ee0d3ea2dc019254aa504811077948d863327755dbdb9583ec9f991d5a8f9f90b749e3241628274b3756994bf2374feaad7c5cebb453a446593b116e00345dcc79ef3e4096af01007c1360da04c3d38d09e483c0755518b88fa54930ded8d2c734fdc3ede565079f6fad8d691206c8b0a1843434df86d93c58376a297dd72b121d0f924522a1e9a02ea6b6f63b2f1ed1867f0d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\1e63858a = 6754949df1a471026bf012679e1d5debf2b19dc2edf50f33293905169956936315ed26fa85b3b2ae9aea19c7b8e7e50541065b1ee8e5af49d3c84a81fb9c648e65483ea5a29e828460df18ac5272256617f27dca83bc1333e34976d24eff85a4772027e694d4f78ac473d2e3e86e804dc0	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\ofofdovtnay\1fe4d80d = c4103bfe8982dde0222f51b37a878a43d74623766b190a942574c305da4d27bd2650264696585b5e4475ef876ffa54ad9e4f78c4e8fb2fab9fcf8a23a58a8deeaa	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exewermgr.exe

pid	process
4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe
1976	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exedfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe

description	pid	process	target process
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4892 wrote to memory of 4008	4892	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
PID 4008 wrote to memory of 1976	4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	wermgr.exe
PID 4008 wrote to memory of 1976	4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	wermgr.exe
PID 4008 wrote to memory of 1976	4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	wermgr.exe
PID 4008 wrote to memory of 1976	4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	wermgr.exe
PID 4008 wrote to memory of 1976	4008	dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
"C:\Users\Admin\AppData\Local\Temp\dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe
"C:\Users\Admin\AppData\Local\Temp\dfe1abe2c591590f0f3b931aa439e966c380d5fdc6a9e74e6012f47f53eca699.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-28-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-43-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-16-0x00000183B4150000-0x00000183B4152000-memory.dmp

Filesize
8KB

Download
memory/1976-17-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-25-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-40-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-41-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-39-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-37-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-38-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/1976-24-0x00000183B4120000-0x00000183B4150000-memory.dmp

Filesize
192KB

Download
memory/4008-6-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-1-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-4-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-2-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-5-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4008-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/4892-10-0x0000000002010000-0x0000000002063000-memory.dmp

Filesize
332KB

Download
memory/4892-0-0x0000000001FC0000-0x000000000200E000-memory.dmp

Filesize
312KB

Download
memory/4892-3-0x0000000002010000-0x0000000002063000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads