qakbot | b4113c2cf66bd9a06b6ad9ddf322a6297197e37e36261375bc06c45e25474b72

General

Target

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
Size

1.3MB
MD5

041f11543edf5591a8fb7b0037e3d115
SHA1

ee5fb2448d4437c2eaefdfb7cac13a0a2162a775
SHA256

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d
SHA512

3e3e5634cb560178ec75b2a74a92a9bbacedf53f046491ebf9e2d7849b1b1ea5327cf9e8e3cc2ffc3938ca12d6ab281ae466b4446c2b338fa35976ef6f5b83c4
SSDEEP

24576:6H4G8P8VYqjxxT6qZk1rFrXc0lLF5HskwGpLF2:1G8P8VcrlcwLXPpL8

Score

10^/10

qakbot bmw01 1706268333 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw01

Campaign

1706268333

C2

116.202.110.87:443

77.73.39.175:32103

185.156.172.62:443

185.117.90.142:6882

Attributes

camp_date
2024-01-26 11:25:33 +0000 UTC

Signatures

Detect Qakbot Payload 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1444-1-0x0000000002010000-0x000000000205E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1444-4-0x0000000002060000-0x00000000020B3000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-5-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-3-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-6-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-7-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-8-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-9-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/1444-10-0x0000000002060000-0x00000000020B3000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-11-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-12-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-13-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-14-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-15-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-17-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-23-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-24-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-25-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/3288-26-0x0000000140000000-0x0000000140030000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-27-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-37-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-39-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-40-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-38-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-41-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5
behavioral2/memory/2876-43-0x00000223F7A10000-0x00000223F7A40000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Suspicious use of SetThreadContext 1 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

description	pid	process	target process
PID 1444 set thread context of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\9d3802e8 = 2463b45b3833f198225e305b44568e309891dfb56d3aae905902b55899bcb2bf8613066e4d80388201bf7922adfe09ddabe023e0c7478ef5fade05d9f7c2fdf68aa14ca9e600ffeacc975e790bbf9dd4fe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\cb104a20 = e629a118f034087555f4c562d9189463f4506385dbce048d6f77926e968b953d628c86a6cb7baf4fdb7f06f5ac9e82cb1df0d69f82383a65adce92e417f0bdd13ba34235ab173e06c15293323ed0e0a9d3a7b4a2a025b706218021a2fbf2c6c23542c7dfbdaa3cda6987b70ebb531ca720c4b34e8d1c985a14393e662df245022208d9360cb5337ff41568c4310b83a1fff0fc1d333f011f9062f5805932a886baaa0619e5c6f3cdd4a74d4c59fcd80663	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\d5d80c8c = 053fdfc23053f13bbce9698c36062c0b77c8340590309b4bb0e31d9aba2852c05f33d4deaca7b2837567a6878a57395e9d507e3be3ee1508314decd6464820e0f69ad1382ed260337554743da8287387d2e746b0e14978e0f52f91d243c0c6bbe7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\19720c12 = 851bea487375155486c3a36fd8e023ab54b70293fe4a025a99956ab2c7f6f2f2404b5d21f0a80662f75ef1db51b108e540c366de8c6ec2e6746fe4cd442c388b99	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\63d1739 = e67bc4beb42000b289a999d89b77ad00be4b9277eb92dfd08097cec81da1415a7ce56fdb5b5a921c0a7950a71fe785d41e6d10826c8315f9162c0025a58e93add7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\ca9717a7 = e53d8958b9c8f7b2e504ac8d5befb4fe6da81d8c9bbbd2e6bbcd54f3fe4b5de6b6929083188b70baadd5a305495f80506f5eaf086a50bb060b721f20c662dacb0a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\7ba4abe = 4677b3c09ad606f9bffc3b2316bd68350d5f6c5bc311ee652402f98ffbb54864af10d9f58b0746f1947116ea3be804fe3cf4551d492a39a68ed0eb759185c993cde6c74e56428b13e1f28f5a749cb86ff8453ace6f879e7d768df6f0ff0f121c1f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\9cbf5f6f = 6666e863f11ede338cb0dd1df0d0e1f7066b3a1997b0a021daf0b5838cf318dc04aa98fed9699efbe548fbaa841ddd012f00806dbef24aa55e53fadd7152b713b3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ckzxeeguyeuo\9d3802e8 = 466ae389ecc87bfb121b21b8c28919b7a189509751325e7df6867881378d6c2580dc27816010a2623a9605492601303b037b499c7f102e958ea5bfdac43b3941e589e0d4c9bd1701f9cee69a084b249e358b83d5f58e3508042d51910c0ee3ab0d0f64f0eef940c9a97cc68dbb8ace958e	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exewermgr.exe

pid	process
3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe
2876	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe

description	pid	process	target process
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 1444 wrote to memory of 3288	1444	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
PID 3288 wrote to memory of 2876	3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3288 wrote to memory of 2876	3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3288 wrote to memory of 2876	3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3288 wrote to memory of 2876	3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe
PID 3288 wrote to memory of 2876	3288	2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
"C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe
"C:\Users\Admin\AppData\Local\Temp\2fb3da959196da5f5972b40e0e7a57571a42f4972a57f586d43318caedcde56d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-4-0x0000000002060000-0x00000000020B3000-memory.dmp

Filesize
332KB

Download
memory/1444-1-0x0000000002010000-0x000000000205E000-memory.dmp

Filesize
312KB

Download
memory/1444-10-0x0000000002060000-0x00000000020B3000-memory.dmp

Filesize
332KB

Download
memory/2876-40-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-41-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-38-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-16-0x00000223F7A40000-0x00000223F7A42000-memory.dmp

Filesize
8KB

Download
memory/2876-39-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-37-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-27-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-43-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-25-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-24-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/2876-17-0x00000223F7A10000-0x00000223F7A40000-memory.dmp

Filesize
192KB

Download
memory/3288-14-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-26-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-0-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-13-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-23-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-12-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-11-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-15-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-9-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-8-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-7-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-6-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-3-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-5-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download
memory/3288-2-0x0000000140000000-0x0000000140030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads