qakbot | 30306eb284f9b684b2f0d02cac216563abfe6bb75099100170f160718a18ca09

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

C2

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3880-1-0x000002158B310000-0x000002158B33F000-memory.dmp	family_qakbot_v5
behavioral2/memory/3880-5-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3880-6-0x000002158B2E0000-0x000002158B30D000-memory.dmp	family_qakbot_v5
behavioral2/memory/3880-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-9-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-15-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/3880-25-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-26-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-27-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-29-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-28-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-30-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5
behavioral2/memory/932-32-0x000001F7C6940000-0x000001F7C696E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

Processes:

wermgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\6abb51d6 = 24a05da935d995859a9bd894f9b8c96dbc7485dbb4f8945d269f760fcea7764c0e0e79d5a16b62165b091fbb772b74094bc6ca388189f38993258ecc6fb56ea127	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\225b5fb2 = a5cc027ae539a893866e297421c7e53dfa8adc30110c5e0d2b2816f39cf36523b7b91e1b54cd3bf0d0245aaccf3af22f33c1ece91127cc6bbacc3b1f69a0962c13db8851d65f90e1393e20c5df905e2cc33b14a8654bf5a6ee61495b3318d70b1f43ee6a44e681eafa8c316bfcb35ccab8	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\55a23a07 = 865a46db2e53314665dceb9ed352fba710f18602fdfadf9bc23db1f2ffb25ad528055ba4009c7e08af9eb79f1a7fc6a725b3c9c620b43aaecf8924a77480d5b34ecac9b7048c98bb7146e007455ff21c92	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\f1be4407 = a72bacd944a1f7571321051b70ab8a1bbce740c0ce2a9f08dbaf22b1e6a57a64ed39e7f43de26d0d8e090af60dc8b31ebee1c6b130e8f121f0f173472e4a069291d707c8cbff6b76b043af05840d43e622	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\f0391980 = 87249743b78ff0eb97d6c0add894670c8315e4505e9f5d3913c865fea93058d29e394df9354790b6ee0b202d4445fe883c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\3c93191e = 05810d319297fc2f264266244dcf24166f7cd262390c3eb2a863d182ff0622d96dd75fca25bf78f34e29462863b34ca486ee8227fb257f70c04494169e464a8435bd50d77f43f8c9e0644b9508335f63654a0749f3fba515bcb38ddee06ea407838b0c9792b145dd5a3f8b5c80c4124f7d98973613bcd62cd635138cde5cf483bd	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\eef15f2c = c71672327201b29a13933ec3e2c7d27872361ad01ea841d9e38d4381ccf34eac9f62f77f6123598e2f81f2ed2b30334dd8c393ca381100d90665c107a60b5b9aae	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\fafc1099 = 056fe967dabb98f4c3cbdd36c01639cac915a96d3660c6757d0457afd5edc88822bf547a0e8fe0f7744d9af35c596ab390e091a790ae5904c1be9f79a10252dcff4958306c5b67904f93988d17b9028558	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\3d144499 = a78378144fb84a1213cdc8bf29c49407c10616ec0572061b85c63f666b74d21f6e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\6b3c0c51 = c546414c4eb208c0b728b9cb6d7772b9c0b7b74c51ae4a9001a6209237889f9a39c9d7d7134b70e0374ce980764fd4a95b3aca7a4e9314ad5cc348aaae30b64cdb412e1c8da1ff60ac3752b39708064f8f67c045c8ad7b6b10496b9e74cd185bc3bf9665f9498ff6236d7b13aa11c3fa69ce0f03e3e52aa1331035107c1e98411c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\lpxnimprek\6abb51d6 = e7bd86c468df928fd37b5ac18d22d04205a28cf385540063e5d950e0f04593558e08f115777c7c2e7624a7694e740ebf0fa5426aeb1f7ab064370852e1c95927c3a55b58fd54afcbd338670cc59683c04b24ba197176ea199fb69811105d038311	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
3880	rundll32.exe
3880	rundll32.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe
932	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3880 wrote to memory of 932	3880	rundll32.exe	wermgr.exe
PID 3880 wrote to memory of 932	3880	rundll32.exe	wermgr.exe
PID 3880 wrote to memory of 932	3880	rundll32.exe	wermgr.exe
PID 3880 wrote to memory of 932	3880	rundll32.exe	wermgr.exe
PID 3880 wrote to memory of 932	3880	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-26-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-27-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-32-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-30-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-15-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-8-0x000001F7C6970000-0x000001F7C6972000-memory.dmp

Filesize
8KB

Download
memory/932-28-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-29-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/932-9-0x000001F7C6940000-0x000001F7C696E000-memory.dmp

Filesize
184KB

Download
memory/3880-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3880-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/3880-25-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/3880-1-0x000002158B310000-0x000002158B33F000-memory.dmp

Filesize
188KB

Download
memory/3880-6-0x000002158B2E0000-0x000002158B30D000-memory.dmp

Filesize
180KB

Download
memory/3880-5-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads