qakbot | 1cabd00e7dfb01e346b6d4478c5dfbcda2da1ffd3526baf91c1f4dc28f7d63b3

General

Target

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
Size

4.2MB
MD5

6655347cd176e076ac8c8e509841f1fb
SHA1

2bf60b4709e1e653ad5427761ba70c7b6c22b8ba
SHA256

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2
SHA512

ca18ce0c69062b42d1fe4b1c563b64b3cc55eb8601a6caef4eb9a246442b152b553df08e7d6cbb200cdf6095205dd8d8c5db8d3923cfe4cdce8e109efab17d5a
SSDEEP

98304:YdPQzF3R/e/hh6FZFLOAkGkzdnEVomFHKnP:YA3AYFZFLOyomFHKnP

Score

10^/10

qakbot bmw02 1706788306 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

bmw02

Campaign

1706788306

C2

62.204.41.234:2222

31.210.173.10:443

185.113.8.123:443

Attributes

camp_date
2024-02-01 11:51:46 +0000 UTC

Signatures

Detect Qakbot Payload 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1824-1-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-2-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-3-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-5-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-4-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-6-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-7-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-8-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-9-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-11-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-17-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-18-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-19-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/1824-21-0x000001D1B3710000-0x000001D1B376B000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-20-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-22-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-32-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-33-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-34-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-35-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-36-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5
behavioral2/memory/3548-38-0x0000021F4B120000-0x0000021F4B150000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\d8292eb5 = 0477aa798ec348096a7f1b63fbc8f5d25a3881da4c5da7066038d4557fe12aeac4fee08c74278d97b62d3354341141fcf831f2670ecc7b9dcf8a0625155d1309a58d4114e2d8442c053cf52e7e6782b340ff4c131c73ca5b7015979861d7c65e48	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\c766359e = c5eb63adbad21275b84bba1052253f119480e86366ce4eb9ee1a349ccceb855c409ef17e0d289de67b940e47e6a89e0f8eaff2a70eac7bb48deb8e9f8c76490597f665f23e49cccea82665a796384b2cd82e80484b82fd7bb6dea9b26422e0cf4dce5985f67e10f5315d75538d4564abbfd63b7aa2ed5401f6bb24f52fc708091a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\bcc3500 = 27b9290740b1ddd7ce783948a5be94c383c0249dbfbdb8d68061b19766ba82017536a6a9e56e1085c3e76bb396475e210423b15642af6f891287351effdbbac210d7c7a30ca2674b913ca084757190c69cfb5fb616478b8460b52c5564538aecb3ed5738dbcf8b19bb8f841d0adbd7e507	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\5de47dc8 = c41194727c20a232298061b6eb7a8560d18bc0ab993113b635b732516c61fa3d9ff65f3c12bb067eb9bf93f75d3967e8d6592787f3c7106310b1db9cf8eda0d7ec043504a86bf6e491ba4b4bf1165d7e03	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\5c63204f = c5dfab980e3eae248876db88a13477272cd83edaf1ec417475dbb39813f77a351622c16c5ded3cac26efb44b8882694bb52b7c1ec1aa90662376869a3c8077b0d0f83b318a6af751e9ac9e67b46e61443c38640428f446d7f26ee61b5c9a481aa3b52de00f25e49397bf5bbf059147a42412b4c5bd095aa6bc93eb8a3e500d402a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\a4b6887 = c486c5f5b0eaf3e1b559082da6ca7e2234c936afee0f63408e13d550611e9a5fb59534d5df4396478dffee519959b1b51747d62bebfdca24e7a57609bf7acf3c7105faf3623f40b0c4080b4907447e060e0c5c57e5655f75b8cd0e7d7f84fda5e361cbf4f3543ca55ef45647f50416675c7e721bea986ec42bc7cb51b771e282694c5be49b507eb391e043fbc3219cc01fdcb9f165d54b55d3ca76bbc7bac5846db38da1645e28c91714900658623adbcc00a529bcde26666988663f6024113ddc4269dd63bad3aa5798a26e41dc8283ae	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\14832e2b = 6676fb2c45336df194b2222529b7255523dc33225a6d995219dabd4a18a738c277440ddfc05b43c95c029638494875af517d2d17e88ec54f6b1e2519ce075a9cb3cba7e12e8598812455ce5f58be12da15	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\c6e16819 = e5da531aff83c42c0c5f64165ee2fd1bd813c65bc6cdd977125d21f925428b2545a7a3b5726f7995e68cc13763036b1f541527f61014e9d9599d7b57ff1b0ca814ff283e57fb8637d796181c6b4409640387f6f7cec9e57121cb8ae9d839a00426	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\wicmlakmste\5c63204f = 260bdc47790c0153c1cccdc4bd7da12d886868c2119db29395e46c6ce54c2253e2bc0f3b20b0eea615aad4b604746a8ab41584da2fe293f8d9ddf69f845466d393ac0306ac00e03185ecc650caf39c2fd226ba770bb59cce1ddcb19871d670a61301f9aa90de402484137120c04aa96b2a846fd9374087e5a4e002abe444af66116ffc5726d4162f50d213ea210f3d2bf41ae5cabe91eb870e9172faf218c5e003	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exewermgr.exe

pid	process
1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe
3548	wermgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

pid process

1824 f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe

description	pid	process	target process
PID 1824 wrote to memory of 3548	1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 1824 wrote to memory of 3548	1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 1824 wrote to memory of 3548	1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 1824 wrote to memory of 3548	1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe
PID 1824 wrote to memory of 3548	1824	f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe
"C:\Users\Admin\AppData\Local\Temp\f4bb0089dcf3629b1570fda839ef2f06c29cbf846c5134755d22d419015c8bd2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-17-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-1-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-0-0x00007FF7A23B0000-0x00007FF7A27E6000-memory.dmp

Filesize
4.2MB

Download
memory/1824-3-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-18-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-4-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-6-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-7-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-8-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-31-0x00007FF7A23B0000-0x00007FF7A27E6000-memory.dmp

Filesize
4.2MB

Download
memory/1824-9-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-21-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-2-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/1824-5-0x000001D1B3710000-0x000001D1B376B000-memory.dmp

Filesize
364KB

Download
memory/3548-19-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-11-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-20-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-22-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-10-0x0000021F4B150000-0x0000021F4B152000-memory.dmp

Filesize
8KB

Download
memory/3548-32-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-33-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-34-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-35-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-36-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download
memory/3548-38-0x0000021F4B120000-0x0000021F4B150000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads