qakbot | f673f0789fcfa61d30414464b763356e2d65ef07a596ebed4a615cd512557721

General

Target

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll
Size

898KB
MD5

88bbf2a743baaf81f7a312be61f90d76
SHA1

3719aabc29d5eb58d5d2d2a37066047c67bfc2c6
SHA256

12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305
SHA512

b01f955eb5f840e01f1f65d5f19c0963e155b1f8d03b4e0720eccbd397cc9aee9a19a63000719e3cf8f580573a335bd61f39fe1261f44e1d5371a9c695b60b70
SSDEEP

24576:qTm4c0TXhxdmVQGn88R7XM3Ljluc9KEaJqCjh0LmK8:6jP8Q13LjluSrCj+q/

Score

10^/10

qakbot tchk07 1702975817 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Botnet

tchk07

Campaign

1702975817

C2

116.203.56.11:443

109.107.181.8:443

Attributes

camp_date
2023-12-19 08:50:17 +0000 UTC

Signatures

Detect Qakbot Payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2828-0-0x0000011F8B550000-0x0000011F8B57F000-memory.dmp	family_qakbot_v5
behavioral2/memory/2828-3-0x0000011F8B520000-0x0000011F8B54D000-memory.dmp	family_qakbot_v5
behavioral2/memory/2828-5-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2828-6-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-8-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2828-14-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-15-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-25-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-24-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-26-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-27-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-28-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5
behavioral2/memory/2772-30-0x0000023E19130000-0x0000023E1915E000-memory.dmp	family_qakbot_v5

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Modifies registry class 10 IoCs

Processes:

wermgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\46e4f9ff = 0639f69827cf03d82f2b3a2a0a5907a3fd4ab41a52bf17be5e2c35e189d83cf84920104dc8ab0c62a6165f88df7522365f348b63992e91e45c9709013aea5a886d0b4ae70abf903184e6a28cfe6db2bec38d636a585f409dc6745c48bf98e2043ba05236a46cd2c2145556169d04bd7a90658968dc0171c941dccbd55bf3eccf1a	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\59abe2d4 = 263b65f548f23cee694a21808b345f955734283da311030bc1a20f17ca80b899fd175f2c3343b9223fb84669a48a15c2c5176ededc7dd49b38245865f67d48635d23507cb56243799e7ea26ae8c377778e	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\9501e24a = a50b26cbe63ab3652bd427caabb94db9bfb23603d434476b18d3b8325c6c4af1aa70c2bf439c5020fac2014839646ed3252b518d49f908e472e13c1488f15e487453d365051cab7a1e36ae058818209d3b0adde2e28fc13974f3a103e70a633ae22981db3314b0043eeb3d1078bbbab4d5	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\4763a478 = 67d40c01d0b27e11d506024a3b00b931f8a63907c3b157a81495a63c0daa3c42943d3773b38949cb9770517369004ba4dd193c2a3fda23e751e67259e020cd073ef643f195bab8bf94b53e3352c2abf36d98bd907034672f48c1742bc5076e401e8e72d8aca9e6b661c30cc8d53fd7f125e477daee21f83d0263588e3e941bab9694a3c2a309127cc57f5f6b8730c0793ab2c199085f68af469cfec6b51bd190e36ab228e0dbc5c76dfe5cebcbcf788582cf133fd95a0887814b77921884234060	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\8a4ef961 = e78722a07086739980ca571fefb79bde6596c1d0dec401f4baea97c9a2d4bf505536d3686c8e2146d6cc9b908480fd85c65e93c8d8bf809e76e069d862527add1f	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\8bc9a4e6 = a760d28ee9750ff953429cfe45ea2dfe6da50a517ee83abf36c2f74803c8d384cefead2f9e499e6027f5aefb1ee815b08c6b3f35a5165549b2e51188750eddfd8c	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\10ccb137 = 66680f2aba84dcb04d3c146a4073449d91371727cafe4160db0159ac37d4fd2a6424cbfeae35b7e0a82d0df3731fbbfad4c4d7411af53b4898176281ee0293969cb5f96ab05973494eae18ca23051f27784ff9dc40ac40ce4d64407e23285a9b8317f2259fa8f219ed430bbc36ca75b1bf	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\114becb0 = 87a5cb02b058d94b40a2d79fa1ea11849e2c01604cad690c7de20c00508af1b55845012a7250b06f37a6736696e8e77fad20be3e706858d23146aa877a38f946c0577634314a2a6a401f202c22ceab6ac19d2db5e4a6a1d165452f14ba5e9ae09c705d14969406a0191f632e36cf7941a8	wermgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc	wermgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\plixumcqwldc\114becb0 = c49ddb93ad561490cc3f79368f8bbe9dbcc6ae2ddc60f70d8caa1e50ff222b96510cf056bc955bc69cdbcd5619d4abefe0f625d13bf0c661ef589a2ba426deb008b4e9bb3255b7b20599e5b7a167067cc17ba7c40a4487868055c6ff34c47390cd	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewermgr.exe

pid	process
2828	rundll32.exe
2828	rundll32.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe
2772	wermgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2828 wrote to memory of 2772	2828	rundll32.exe	wermgr.exe
PID 2828 wrote to memory of 2772	2828	rundll32.exe	wermgr.exe
PID 2828 wrote to memory of 2772	2828	rundll32.exe	wermgr.exe
PID 2828 wrote to memory of 2772	2828	rundll32.exe	wermgr.exe
PID 2828 wrote to memory of 2772	2828	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12094a47a9659b1c2f7c5b36e21d2b0145c9e7b2e79845a437508efa96e5f305.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\System32\wermgr.exe
C:\Windows\System32\wermgr.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-24-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-30-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-28-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-27-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-7-0x0000023E19160000-0x0000023E19162000-memory.dmp

Filesize
8KB

Download
memory/2772-8-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-26-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-15-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2772-25-0x0000023E19130000-0x0000023E1915E000-memory.dmp

Filesize
184KB

Download
memory/2828-6-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp

Filesize
184KB

Download
memory/2828-14-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp

Filesize
184KB

Download
memory/2828-0-0x0000011F8B550000-0x0000011F8B57F000-memory.dmp

Filesize
188KB

Download
memory/2828-5-0x0000011F8B580000-0x0000011F8B5AE000-memory.dmp

Filesize
184KB

Download
memory/2828-3-0x0000011F8B520000-0x0000011F8B54D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads