qakbot | 3c704a8a3b1263e92f07c9d215574789d1ffee30e63244cad63f060b752cfc6e

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4940-0-0x000001DE5A2C0000-0x000001DE5A2EF000-memory.dmp	family_qakbot_v5
behavioral2/memory/4940-4-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp	family_qakbot_v5
behavioral2/memory/4940-5-0x000001DE5A290000-0x000001DE5A2BD000-memory.dmp	family_qakbot_v5
behavioral2/memory/4940-6-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-8-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-14-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/4940-23-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-25-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-24-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-26-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-27-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-28-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5
behavioral2/memory/1172-30-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\2b999595 = 85c01dddc3f6a6fc3d98dea38bc9cd8d1a279dd1eea77744f52b6fe6810c73ea2a4f980fa5b468201fb766303a86d2a79e12a4476e39f061439a9589fadb2bf0c812dccb14a1bbbf78d1cd3056952735860a3f6e4feef9ba5c80aa037455f9ce800fff116a83b0522ab53a183f608b2cc6dd86afe7ee7ffd35a253771e055c24c3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\2a1ec812 = 257a746ff4903ff93e5da73ac05e8aa6017d3c3e39351ea9cebf232991c0c4f848034c37b8b44ada9ef986c3f9a1607e93f2a7ecdbb0a3678d578466c76d1fc2c3d6bf568fa305e2427d4bb4d515cbfb32c70ec347b0686576dca56a37209a81ba49404216ec62fac3c4ebde190d7bcfaad55e897aacb3bde26022c694f81a4a31	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\b09c8044 = 072c0ea8a428e8a9f602458d2b3366b0bd47bc82cee608de6cab32960f08edcbe747c1d58ff58e24768224d54e6b9ce595	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\e6b4c88c = 2783e329ca7020c659fe4ca032485e66f62a23181410a1c8ced2c98988cfd08bc8d62cc6a3595f6644497bcf3dcdc9a9a65188b8de1cb31af4382fd0cafc362f86d26c716b17ec16bae9954c562f6a86cdba1726666bf601b66c76b9271af96a40ca9a3c827a9b0b145ec825d75421a98e55b3e868b761ce326062050eedbe79f38fc7e15746c088c789440e31480b1670610baf00bd7daeb0d92e3cb7d60315848c4f477341cb2f1e21fc153b91027909fa9186265be26f57391acaaddaeb4e00211d94e694bff73f9475666b076ca239b4b46ca394b10ca4b8b41c7c8a4da722	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\34d68ebe = 242030180cc28b37310ee6c714de3743aadcc18d4421f50d308e48365cad7e8314a9e6518de1150a35bdca32f5d24db7909aad0ddbf31117404abddd8979e4d88ddbae5d822e47c8d40c002e6e43edf6b79c2f51b7de784b7345179e129c70e17b7a13db3eebdc9d95752a11c62326be18	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\f87c8e20 = e5d7f386554707911e05b9b4ffafb6402eeecd76092a3f8495b142e637dbf090189ae498e54386d2d59369dea914b33b33	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\e733950b = 04e641861403af7c27c145b93de2e931f82b60f57511d76380139d208a7deb10b960567dfe07f082cf00bee84758b75710628c794dd3eceefb35ec9d4f3c6bb137dded3d38e08dcdec21bf5b0b8862773c6b75928e27d8bafb5c613ff3f74a35705038d24697410f4688397ac11bf2e4c5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\b11bddc3 = 06e4b503c242e80bf3f94a79a73a1607e48445b727b83e7ee3833cddce9484513f114a276202e7f70cb8a5bf19825ea629acfdaa4427a668f6d2dac9d3f245de0db52c1d88cfb9f0d03c933390f1433de387b07a76d03297c763233d56c1157a911a89b0b8be3eb6c4208561906e0fc246563645dd20d1ee92ea5eaf2efc9205c4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\joupdhvufa\b09c8044 = 6612283ad4af515b608775a157e60f3b5d11e44abbff629f93a310ad3c947276ce9377ee3a75516bbf24e428297218e4004906ba971dbcfb7732a9f97de9ddbd07	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
4940	rundll32.exe
4940	rundll32.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe
1172	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4940 wrote to memory of 1172	4940	rundll32.exe	wermgr.exe
PID 4940 wrote to memory of 1172	4940	rundll32.exe	wermgr.exe
PID 4940 wrote to memory of 1172	4940	rundll32.exe	wermgr.exe
PID 4940 wrote to memory of 1172	4940	rundll32.exe	wermgr.exe
PID 4940 wrote to memory of 1172	4940	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-24-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-14-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-30-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-28-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-7-0x000001F7E2AE0000-0x000001F7E2AE2000-memory.dmp

Filesize
8KB

Download
memory/1172-8-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-27-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-25-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/1172-26-0x000001F7E2AB0000-0x000001F7E2ADE000-memory.dmp

Filesize
184KB

Download
memory/4940-0-0x000001DE5A2C0000-0x000001DE5A2EF000-memory.dmp

Filesize
188KB

Download
memory/4940-23-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp

Filesize
184KB

Download
memory/4940-4-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp

Filesize
184KB

Download
memory/4940-6-0x000001DE5A2F0000-0x000001DE5A31E000-memory.dmp

Filesize
184KB

Download
memory/4940-5-0x000001DE5A290000-0x000001DE5A2BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads