qakbot | 27533192aec64955397ab96dea1d14e5826d678373d151fbbbff14e23e421d27

General

Target

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

C2

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4660-1-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-3-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-2-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-5-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-4-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-6-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-7-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-8-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-9-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-11-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-17-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-18-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-19-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-20-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/4660-21-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-22-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-32-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-34-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-33-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-35-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5
behavioral2/memory/2288-36-0x000001D793840000-0x000001D793870000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\638a11bf = c5926f86f9cfdd914290bf046c6d4a19b91ed81106325eb481f58dadde057308b5ddbe0d18d27df7bc8672bcbae5a9230015f62cf152985ffd141c5cc1cede4ada3ad212d62346f4ac8d778d3496a2d97be60d0c50c11b81a77396dbc4f5ebcb3106d74a6559faec3a637182828b5ea7b74c70ab5c1a68b26f20bc9c6bdc8b1a7e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\af201121 = e69cef940a8f6ee79f99142c01458b8dba7c1c354ee9932eae1879561185817d812bff46885f44e3abf41006a3a87d388a2aab13e107a7d76ec110bbcf7574e5e3e47affea258b1c996c9bbf7b886f355ee9494d270fddb89fab61656ccfbc2e7fb235e99335be65eeb37897f9c8d20d4f379daf94c63b348c93cb8e4f4fd23ddc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\b1e8578d = 45a1af223fb7676f3129e9a44168f5e0bfd3522415e0294cddc4317567491d597050bb65f1629987674daeb199efaa72acc997615c0e1639006db6b7e6a1ab0885	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\2aed425c = 46c78a1a21b46792ec9bd1d3987b22f98ebe1a98d7074c6ad70fdf8e897f0c6f9aa1ef1cde25cfcb0ceed3fbf9fa7a87cd967678b4a61f3d2c567cc1a577af9769	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\2b6a1fdb = a7962ebc0dc5be935522429d73d51c6682fd8439335f5686c64ba73d2fa01709f57ace426b2ffbdb70313aa00d83a14653e4a94b3f4915588ea62f1dc1de169e6f573312ba802d780bf12f5459f1bfdb25ded6fef82224160d2c1090b8e884531eed8e18ebc3f495100a786781bdf2f6e5e4ad8d184964c48ba29ee6aaeff1f07892807c17908294c256cdebdbff026890	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\2b6a1fdb = 841ec0250e1007429c2bd18339655715adb059792510424f2f54b04ba8241e51ca99bb4e6a3f3b758a408ec26de693884ecf6f5e53296741e1b9af414b3dc9ca84bba70fb5574d28da68a23391b933d1847eb2eab330dba8c4de1fbfedceafc4b4a1bf19fde7e2d1f42585ca04a08cc2ab	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\7d425713 = c42bb8382403fa19e47feafe3e6d3ab7d358b560fd1125ea703517f59bc393a02a231ef7a2972888303409f337c7e592203232c5da3772e4e8180141a34420cce237b234da357c0c76998a3c96f9bd75ea82b709e9e5f0711b6984bf847fc87b4673a35e09a8a0c24441fd10d2882a31af191dff0b705598209ff69582d68b7fe17a0523c978dc454648ed8901e4226dcdd8892c3fbae5665e355d16d7ef4a1defe38e830168f47601d725fa4a0670f7f7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\b06f0a0a = 447f8c6ab46b620143dbd0bb417733e715ecf754aabc303abac8ba0202e6fe719f724882ef0a06114ed4afa35bd1481aac1a867e1e6a5590e6ca1f4d3172fd69b994809702fa98303f05631ff376a174b2aaf86d9f8adb118b8cf665b9ad7de045	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\atcrbdswwis\7cc50a94 = 444b5fe302a6addd3f21d85e73c51d6f580692e6cbd3d2af657cdc1ad74f6a4a36d0f832908ed494469c3bd219b65e3550f1777024d6f8a624d53ef1ceb141f5220bd6a1e25e2581c380ddb1d5bc30bf0b7fb07de28c56f17fd92021b3cb1e6f50	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exewermgr.exe

pid	process
4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe
2288	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

pid process

4660 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

description	pid	process	target process
PID 4660 wrote to memory of 2288	4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4660 wrote to memory of 2288	4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4660 wrote to memory of 2288	4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4660 wrote to memory of 2288	4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 4660 wrote to memory of 2288	4660	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-10-0x000001D793870000-0x000001D793872000-memory.dmp

Filesize
8KB

Download
memory/2288-36-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-35-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-33-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-34-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-32-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-22-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-20-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-19-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/2288-11-0x000001D793840000-0x000001D793870000-memory.dmp

Filesize
192KB

Download
memory/4660-17-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-6-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-0-0x00007FF790C50000-0x00007FF791086000-memory.dmp

Filesize
4.2MB

Download
memory/4660-18-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-8-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-7-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-21-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-9-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-31-0x00007FF790C50000-0x00007FF791086000-memory.dmp

Filesize
4.2MB

Download
memory/4660-4-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-5-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-2-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-3-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download
memory/4660-1-0x00000277EA6A0000-0x00000277EA6FB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads