qakbot | 30306eb284f9b684b2f0d02cac216563abfe6bb75099100170f160718a18ca09

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

C2

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-1-0x0000000001BB0000-0x0000000001BDF000-memory.dmp	family_qakbot_v5
behavioral1/memory/2156-6-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2156-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2156-5-0x0000000000180000-0x00000000001AD000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-9-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-16-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/2156-29-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-31-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-32-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-30-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-33-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-34-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5
behavioral1/memory/3056-37-0x0000000000060000-0x000000000008E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\276320f3 = c53eaaabc26201fe94a712d8a26a45cd5d08606c2ff9371cc72ab4629611e4dff07d2eb04a974edc13783e8ec43bbe02e1db7bea8db3bd2d547b18c167be1a9d3bbb4c65e7c44b52a8ffa831affc36886d778b5c946e1c0d4aa7d6b2e47bab2cff9bad4323be40c7c1d891fa677b4d10e0340a44bd5af3d0bbe2c2ee593e25a2c262f5d260e118484f62115214a329cd3f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\e10c2974 = c5fb3f9196030522d8a78482b11a512a4b75b0e6a9315c14ee5e09315146b33aa78e8ee59dd1d1822058e4d369aa7061669f2aa003c0760cab51c0ccd58a3c20457eec90181ee7f82229c79c9cd64e3189	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\26e47d74 = a57ea431df4d0bac75c91689a759c39363e46876293a41a2823501cc7d05948f53b30254e33bd3f41eda0655807affaea5d9c6cfb493d8018991e4191145853bfcd97898c93a9cac3fb494373c4b59bf08d5dd8e8b1873ea22dd426ef84cff8b87973d6d48a5d4e45b08f785694bd7c38d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\714b683b = 84fb9496e673c932706dd240c137b31d690466c30b692aada2cc00bbb7d627d029c75655a6ef541b2f2226f49fb461186f588b7f1f5972c0703af945873c8623b10a83c3732a2b2198d7b7c84a6a00df4554ffb8ba2d837a00801b2391fa9f83d22ccfc47946e8f85a395ac14fd628a894	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\39ab665f = 65be603c6654c7e4606aa642179a44c02136547aef18abce77529ec5f4a9ee12463c163356157ba8466e153de598189b64c3bb88c0442de52688b1c33e9cd386973370bd9eec4053f247219458700bbab26f9a8a61123dc8eebdb9b9565307e11f717e3bb33408c04f4ad8c61ccc10529f0535e1f791d6325773b4eb9d888b3487	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\f50166c1 = a75247d28243666621eab4a5217491afffe4bbce9ffec6b75922958ca7b203210a40baa96aa22f8e579fcfd085aa2f9ebe661a63b9e4c0c78d7592728ee74b1b7179880c07c4cacf893450304b6a12f6d39ca27fa646b010f23f85ef0b4c9ebaab	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\4e5203ea = 65b47be696e59c0ef1fcdf00d183c73184ec3b684db9d7dac09c84fe459d939470ed0a8215486829326c12a601044eb708	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\ea4e7dea = 27122c59e91bbd65e57a6fcebb3b967d20c05f9cf3c853bb26e47424493feec33bcd88b1febe854004474d2613ad9b408d7be9d996764ccb3265f0a49244fe5f602cd1780148ff9d39b1eac846280b6eb4	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\ebc9206d = 64575fd0df43d10347361d28283d8f77891fb0b11af86cac5e439afc136acf00eae82b9d1c654959c5079ed1c6729db992a645b357bc52821d6ed9bee942f73cbf9727145d2cac2f60cb9c6bc142b604e912c7d10a07ec5f9636791db6db8e16e342586d1bb87c6be0016e55bf945491ab976a7ca8a965716eb879812c7fed6fc7	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\70cc35bc = e4d4391330fa22298cc46c408abca20190336a78718c32aba9fc88d1becf8052c5d24ec71d8846dff6f88f998d176f5fd3	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ldasuehikoxe\714b683b = 048d84ab2a55a457d42fb34df698f348ccd7dca04f2c0ea478604ea2e3878e7d4db4c1225eb902e12a3fd2dbd12a82cc51acdaa8d9c1363ff91cc9221e0c63c07b357bef9455f705d6efd7dd5f62c909589d8f17b71247c6c10cbdabb2325eab2b675cf03424f3e1fab457c06bd81a8b5227e90bd1a26819e726172a05b8608123	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
2156	rundll32.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe
3056	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe
PID 2156 wrote to memory of 3056	2156	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3056

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/2156-1-0x0000000001BB0000-0x0000000001BDF000-memory.dmp

Filesize
188KB

Download
memory/2156-6-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2156-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2156-5-0x0000000000180000-0x00000000001AD000-memory.dmp

Filesize
180KB

Download
memory/2156-29-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3056-9-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-16-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-8-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/3056-31-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-32-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-30-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-33-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-34-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download
memory/3056-37-0x0000000000060000-0x000000000008E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads