qakbot | 1781baade35306801b764ca5c0e8c1e2bcf8323fe56ac469520ba9e29b13374a

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll
Size

459KB
MD5

0a29918110937641bbe4a2d5ee5e4272
SHA1

7d4a6976c1ece81e01d1f16ac5506266d5210734
SHA256

780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3
SHA512

998a6ee2fa6b345aeea72afaa91add8433e986a2678dbb8995ead786c30bdc00704c39c4857935b20669005b292736d50e1c6ad38901aa1f29db7b6a597fae3f
SSDEEP

6144:T4+8LGS5U/dvT6+adDaMuMeek1Wg3NkA+8hMzA1W9xCTSI:8fZ5U/dvPadDrNebWg3N+QMc16MOI

Score

10^/10

qakbot tchk06 1702463600 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk06

Campaign

1702463600

45.138.74.191:443

65.108.218.24:443

Attributes

camp_date
2023-12-13 10:33:20 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

resource	yara_rule
behavioral2/memory/2852-1-0x000001E0D67C0000-0x000001E0D67EF000-memory.dmp	family_qakbot_v5
behavioral2/memory/2852-5-0x000001E0D6790000-0x000001E0D67BD000-memory.dmp	family_qakbot_v5
behavioral2/memory/2852-6-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2852-7-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-9-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-15-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2852-25-0x0000000180000000-0x000000018002E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-26-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-27-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-29-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-28-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-30-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2732-32-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 12 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\301ad8fb = 07113cb334d6ac39af4230b8de196ef656cb8b133e6e77979dc6f33d14af8093759af28b4d02f77c3f75d38c4e66a612bd28ec82e4639ece6f5ae93f87fc4bae2887a98d2d5dea372e86d93b446586851b313a31439f8a468435a9a72253e2edec	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\319d857c = 642a0f6dcf0b6a35c839054be459b6821dad41413dc7f64b1269b313eb74ff62a786388741cb5b852d32bac70a1c6b09e5a21b05e3a5c668fa60e7dde2926600cfd4af6bd01e8f02f3b9efcb460bdf00d1	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\e84eead = 676692cb0cc6532b75466c2dd97cf0f8a55333542e0ebec22a9ca4ba6c6bcc9a0850233e508d34c9174f422a54b6605afaf0a16e73a64399eb550a0dc23c3c6a09291bce354a26a86bb813273f1c9b00a2	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\aa9890ad = 456365a0d8124020930fbcceab8e120265f60261180d3413e2c8b2ace0ea7d58e9630a380a622a3b6fb42a028a82206869	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\66329033 = a5667afd6759101d90e2b9e8cc809939dfcb698ecd568d54f78a7c8fac608f82013a4c6db49a3bc950d8a074f295c73664	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\ab1fcd2a = e6b01454ab15c624e0e4fce302858c2b1437c13482f09ff1913f398bbd3219f23ad6b4c6b261a65dc896f8e0685303e9b204647176320296b556ca4ba443c113bd95c497eece7f3807e46aa015c06e593aad17e42f3cec9121047ff7efe7d2e69ee6d17a8e2bf268678ea5df8d29d9eb75	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\319d857c = a572c50aa4922380042e40c76dca8422e3ccb5a33acce186410638233330247cc707bcf6e624f8435c5df114572a9b0a5566024e9492f4d88d114a538ccb0cfb9e934ae71451b34bb14f7294669b60438572f9ecde1667bf8fddcbcfc30ad5b05e0e646d3855aaeba2aa3b297f719d7d8d	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\67b5cdb4 = 471ebec09b6f45b61b0a3ed41125b1e4c6445245468279732f8411954991c7aa0b143e8e3a6b3d04cc4637ea220e88f15d968610baa04169e8f9ec1816ac7a6e6ad2e1375bf0d3d81686a7d465ec346dba76cb7abda56a295fa045a568ec4d8e89d8a452141a5b451e88b0a9fc3611dea5d3627bebec43f40ef5ccf099cd43dc53689686f26a9258b23a8c7abb385c6c56	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\797d8b18 = 244a25032e04752a473c6c0a53430fda515ccc718ee124b0cdbaadcc9110c050eb7c638214126382df3c8a0bc6ca3b729a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\b5d78b86 = 26a2767b240a714f3a33c160416d887abcb77b4c2fd6e19bc725494f67002252b999f401528c2580b535509791c39c886ea678a88cb73ac488212b8770a512c33f2364634f4c598f2618d2c92e54b44323	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\lfimuleiteoeeoa\a1dac433 = 2681c2812b5727abfd571ac778278ac4f6f53cf363a3036a0803f2c0f2ddc82f077223c8410618234a20526262a217bb8697ec7204d8bb73530afbd6f69af5284e22b1abea20e03ab8627e05be402284389192fac8b6e2c8bfef2ef0688f9cd495e8ef68f078afcf3941e562f522dd5dc5	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	rundll32.exe
2852	rundll32.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe
2732	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2732	2852	rundll32.exe	84
PID 2852 wrote to memory of 2732	2852	rundll32.exe	84
PID 2852 wrote to memory of 2732	2852	rundll32.exe	84
PID 2852 wrote to memory of 2732	2852	rundll32.exe	84
PID 2852 wrote to memory of 2732	2852	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780be7a70ce3567ef268f6c768fc5a3d2510310c603bf481ebffd65e4fe95ff3.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\System32\wermgr.exe
  C:\Windows\System32\wermgr.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-26-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-27-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-32-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-30-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-15-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-8-0x000001FEEB520000-0x000001FEEB522000-memory.dmp

Filesize
8KB

Download
memory/2732-28-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-29-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2732-9-0x000001FEEB4F0000-0x000001FEEB51E000-memory.dmp

Filesize
184KB

Download
memory/2852-7-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2852-0-0x0000000069140000-0x00000000691BE000-memory.dmp

Filesize
504KB

Download
memory/2852-25-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2852-1-0x000001E0D67C0000-0x000001E0D67EF000-memory.dmp

Filesize
188KB

Download
memory/2852-6-0x0000000180000000-0x000000018002E000-memory.dmp

Filesize
184KB

Download
memory/2852-5-0x000001E0D6790000-0x000001E0D67BD000-memory.dmp

Filesize
180KB

Download